Nat Pools - D-Link DFL-260E User Manual

7.3. NAT Pools

7.3. NAT Pools
Overview
Network Address Translation (NAT) provides a way to have multiple internal clients and hosts with
unique private internal IP addresses communicate to remote hosts through a single external public
IP address (this is discussed in depth in Section 7.2, "NAT"). When multiple public external IP
addresses are available then a NAT Pool object can be used to allocate new connections across these
public IP addresses.
NAT Pools are usually employed when there is a requirement for huge numbers of unique port
connections. The NetDefendOS Port Manager has a limit of approximately 65,000 connections for a
unique combination of source and destination IP addresses. Where large number of internal clients
are using applications such as file sharing software, very large numbers of ports can be required for
each client. The situation can be similarly demanding if a large number of clients are accessing the
Internet through a proxy-server. The port number limitation is overcome by allocating extra external
IP addresses for Internet access and using NAT Pools to allocate new connections across them.
Types of NAT Pools
A NAT Pool can be one of the following three types with each allocating new connections in a
different way:
• Stateful
• Stateless
• Fixed
The details of these three types are discussed next.
Stateful NAT Pools
When the Stateful option is selected, NetDefendOS allocates a new connection to the external IP
address that currently has the least number of connections routed through it with the assumption that
it is the least loaded. NetDefendOS keeps a record in memory of all such connections. Subsequent
connections involving the same internal client/host will then use the same external IP address.
The advantage of the stateful approach is that it can balance connections across several external ISP
links while ensuring that an external host will always communicate back to the same IP address
which will be essential with protocols such as HTTP when cookies are involved. The disadvantage
is the extra memory required by NetDefendOS to track the usage in its state table and the small
processing overhead involved in processing a new connection.
To make sure that the state table does not contain dead entries for communications that are no
longer active, a State Keepalive time can be specified. This time is the number of seconds of
inactivity that must occur before a state in the state table is removed. After this period NetDefendOS
assumes no more communication will originate from the associated internal host. Once the state is
removed then subsequent communication from the host will result in a new state table entry and
may be allocated to a different external IP address in the NAT Pool.
The state table itself takes up memory so it is possible to limit its size using the Max States value in
a NAT Pool object. The state table is not allocated all at once but is incremented in size as needed.
One entry in the state table tracks all the connections for a single host behind the NetDefend
Firewall no matter which external host the connection concerns. If Max States is reached then an
existing state with the longest idle time is replaced. If all states in the table is active then the new
connection is dropped. As a rule of thumb, the Max States value should be at least the number of
local hosts or clients that will connect to the Internet.
346
Chapter 7. Address Translation