Carrier-grade NAT
Concurrent TCP and UDP connections can be limited with a connection quota in the per-IP shaper, and the number of source ports each internal host receives can be limited with a port quota in a fixed port range IP pool. The connection quota caps how many sessions one source IP may hold open at once; the port quota gives each internal IP a fixed, predictable block of ports on the NAT IP, so a single host cannot exhaust the pool for the others and a NAT port can always be traced back to one internal IP.
config firewall shaper per-ip-shaper
    edit <name>
        set max-concurrent-tcp-session <integer>
        set max-concurrent-udp-session <integer>
    next
end
| Option | Description |
| --- | --- |
| max-concurrent-tcp-session <integer> | Maximum number of concurrent TCP sessions allowed by this shaper (0 - 2097000, 0 = no limit). |
| max-concurrent-udp-session <integer> | Maximum number of concurrent UDP sessions allowed by this shaper (0 - 2097000, 0 = no limit). |
config firewall ippool
    edit <name>
        set type fixed-port-range
        set port-per-user <integer>
    next
end
| Option | Description |
| --- | --- |
| port-per-user <integer> | Number of ports for each user (32 - 60416, 0 = default). |
To configure a connection quota in the GUI:
- Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.
- For Type, select Per IP Shaper.
- Enable Max concurrent TCP connections and enter a value.
- Enable Max concurrent UDP connections and enter a value.
- Configure the other settings as needed.
- Click OK.
To configure a connection quota in the CLI:
config firewall shaper per-ip-shaper
    edit "per-ip-shaper256kbps"
        set max-bandwidth 256
        set max-concurrent-session 10
        set max-concurrent-tcp-session 5
        set max-concurrent-udp-session 5
    next
end
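The example above sets three limits at once: an aggregate cap of 10 sessions and per-protocol caps of 5 TCP and 5 UDP, all counted per source IP. The following model, added here and not part of FortiOS or this guide, replays a burst of sessions against those numbers so the interplay is visible. It assumes (these details are not stated on the page) that the aggregate and per-protocol limits are both checked on every new session, that protocols other than TCP and UDP count only toward the aggregate, and, as in the CLI, that a limit of 0 means no limit. The shaper only takes effect once it is referenced from a traffic shaping policy; the model does not represent policy matching.

```python
"""Model of per-ip-shaper concurrent-session limits (added example, not FortiOS code).

Assumptions not stated on the page: sessions are counted per source IP, the
aggregate limit (max-concurrent-session) is checked together with the
per-protocol limit, and protocols other than TCP/UDP count only toward the
aggregate. As in the CLI, a limit of 0 means no limit.
"""
from collections import defaultdict


class PerIpShaper:
    def __init__(self, max_session=0, max_tcp_session=0, max_udp_session=0):
        self.limits = {"all": max_session, "tcp": max_tcp_session, "udp": max_udp_session}
        # active[src_ip][key] -> number of currently open sessions
        self.active = defaultdict(lambda: defaultdict(int))

    @staticmethod
    def _keys(proto):
        # TCP/UDP are charged to the aggregate and their own counter;
        # anything else (ICMP, GRE, ...) only to the aggregate.
        return ("all", proto) if proto in ("tcp", "udp") else ("all",)

    def open_session(self, src_ip, proto):
        """Admit a new session from src_ip unless an applicable limit is reached."""
        counts = self.active[src_ip]
        for key in self._keys(proto):
            limit = self.limits[key]
            if limit and counts[key] >= limit:
                return False
        for key in self._keys(proto):
            counts[key] += 1
        return True

    def close_session(self, src_ip, proto):
        """Release a session; returns False if none of that protocol is open."""
        counts = self.active[src_ip]
        keys = self._keys(proto)
        if counts[keys[-1]] == 0:
            return False
        for key in keys:
            counts[key] -= 1
        return True


def run_demo():
    """Replay constructed bursts against the page's shaper (10 total, 5 TCP, 5 UDP)."""
    shaper = PerIpShaper(max_session=10, max_tcp_session=5, max_udp_session=5)
    host = "10.1.100.41"
    tcp = [shaper.open_session(host, "tcp") for _ in range(6)]   # 5 admitted, 6th denied
    udp = [shaper.open_session(host, "udp") for _ in range(6)]   # 5 admitted, aggregate now 10
    other = shaper.open_session("10.1.100.42", "tcp")           # other hosts have their own counters
    icmp = shaper.open_session(host, "icmp")                    # denied: aggregate is full
    shaper.close_session(host, "tcp")                           # frees one TCP slot
    after_close = shaper.open_session(host, "tcp")
    # With a smaller aggregate, it binds before either per-protocol limit.
    tight = PerIpShaper(max_session=3, max_tcp_session=5, max_udp_session=5)
    tight_tcp = [tight.open_session(host, "tcp") for _ in range(4)]
    return {
        "tcp_admitted": tcp.count(True),
        "udp_admitted": udp.count(True),
        "other_host": other,
        "icmp_when_full": icmp,
        "tcp_after_close": after_close,
        "tight_admitted": tight_tcp.count(True),
    }


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The last case is the one to watch when tuning: if max-concurrent-session is lower than the sum of the TCP and UDP caps, the aggregate is what actually limits the host, and the per-protocol values only decide how that budget can be split.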
To configure a port quota in the GUI:
- Go to Policy & Objects > IP Pools and click Create New.
- For Type, select Fixed Port Range.
- Enter the external and internal IP ranges.
- Enable Ports Per User and enter a value.
- Configure the other settings as needed.
- Click OK.
To configure a port quota in the CLI:
config firewall ippool
    edit "test-ippool-fpr-1"
        set type fixed-port-range
        set startip 172.16.200.125
        set endip 172.16.200.125
        set source-startip 10.1.100.41
        set source-endip 10.1.100.42
        set port-per-user 30208
    next
end
To verify the fixed range IP pool (each internal IP is shown with the NAT IP and the contiguous port block it owns):
# diagnose firewall ippool-fixed-range list natip 172.16.200.125
ippool name=test-ippool-fpr-1, ip shared num=2, port num=30208
    internal ip=10.1.100.41, nat ip=172.16.200.125, range=5117~35324
    internal ip=10.1.100.42, nat ip=172.16.200.125, range=35325~65532
To verify the SNAT behavior when the IP pool is used in a policy, sniff a connection from one of the internal hosts. Here 10.1.100.42 is translated to 172.16.200.125 port 51209, which falls inside the 35325~65532 block assigned to that host above; a translated port outside the host's block would mean the traffic is not matching the policy that uses this pool.
# diagnose sniffer packet any 'host 172.16.200.55'
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.200.55]
32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945
32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945
32.205328 wan1 in 172.16.200.55.80 -> 172.16.200.125.51209: syn 4191137758 ack 797929946
32.205568 wan2 out 172.16.200.55.80 -> 10.1.100.42.21001: syn 4191137758 ack 797929946
32.205766 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: ack 4191137759
32.205770 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: ack 4191137759
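The port quota configuration and the two verification commands above fit together arithmetically: 60416 usable ports on one NAT IP split into two blocks of 30208, and the sniffed SNAT port 51209 lands in the second block. The following script is an added example, not FortiOS code or part of this guide. It computes the expected block for every internal IP from the pool settings, checks that computation against the diagnose output, and checks a sniffer in/out pair the same way. Two things are assumptions rather than facts stated on the page: the usable port range 5117-65532 is inferred from the diagnose output (it is 60416 ports, the CLI maximum for port-per-user), and blocks are assumed to be handed to internal IPs in ascending order, filling one NAT IP before the next; the script generalizes to pools with several NAT IPs on that assumption. The default sizing used when port-per-user is 0 is not modelled. The diagnose and sniffer lines embedded in it are constructed copies of the output shown above.

```python
"""Fixed-port-range SNAT block calculator and checker (added example, not FortiOS code).

Assumptions not stated on the page: the usable SNAT port range is 5117-65532
(inferred from the diagnose output; 60416 ports, matching the CLI maximum for
port-per-user), blocks are handed to internal IPs in ascending order, and one
NAT IP is filled before the next is used. port-per-user 0 (default sizing) is
not modelled.
"""
import ipaddress
import re

PORT_START = 5117                              # first usable SNAT port (inferred)
PORT_END = 65532                               # last usable SNAT port (inferred)
PORTS_PER_NAT_IP = PORT_END - PORT_START + 1   # 60416


def ip_range(start, end):
    """Expand an inclusive IPv4 range into a list of dotted-quad strings."""
    lo, hi = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    return [str(ipaddress.IPv4Address(i)) for i in range(lo, hi + 1)]


def port_blocks(startip, endip, source_startip, source_endip, port_per_user):
    """Map each internal IP to (nat_ip, first_port, last_port) for the pool."""
    if not 32 <= port_per_user <= PORTS_PER_NAT_IP:
        raise ValueError("port-per-user must be 32 - 60416")
    nat_ips = ip_range(startip, endip)
    users = ip_range(source_startip, source_endip)
    users_per_nat_ip = PORTS_PER_NAT_IP // port_per_user
    if users_per_nat_ip * len(nat_ips) < len(users):
        raise ValueError("%d internal IPs do not fit in %d NAT IP(s) at %d ports each"
                         % (len(users), len(nat_ips), port_per_user))
    blocks = {}
    for i, user in enumerate(users):
        first = PORT_START + (i % users_per_nat_ip) * port_per_user
        blocks[user] = (nat_ips[i // users_per_nat_ip], first, first + port_per_user - 1)
    return blocks


DIAG_RANGE = re.compile(r"internal ip=(\S+), nat ip=(\S+), range=(\d+)~(\d+)")


def parse_diag(text):
    """Parse 'diagnose firewall ippool-fixed-range list' output into the same map."""
    return {m.group(1): (m.group(2), int(m.group(3)), int(m.group(4)))
            for m in DIAG_RANGE.finditer(text)}


SNIFF = re.compile(r"(\d+\.\d+\.\d+\.\d+)\.(\d+) -> (\d+\.\d+\.\d+\.\d+)\.(\d+)")


def check_snat(blocks, inbound_line, outbound_line):
    """True if the outbound SNAT source sits in the block owned by the inbound source IP."""
    internal_ip = SNIFF.search(inbound_line).group(1)
    nat_ip, nat_port = SNIFF.search(outbound_line).group(1, 2)
    exp_nat_ip, lo, hi = blocks[internal_ip]
    return nat_ip == exp_nat_ip and lo <= int(nat_port) <= hi


# Values from the page's example pool; the diagnose and sniffer lines below
# are constructed copies of the output shown in the guide.
POOL = dict(startip="172.16.200.125", endip="172.16.200.125",
            source_startip="10.1.100.41", source_endip="10.1.100.42",
            port_per_user=30208)
DIAG_OUTPUT = """ippool name=test-ippool-fpr-1, ip shared num=2, port num=30208
    internal ip=10.1.100.41, nat ip=172.16.200.125, range=5117~35324
    internal ip=10.1.100.42, nat ip=172.16.200.125, range=35325~65532
"""
IN_LINE = "32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945"
OUT_LINE = "32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945"

if __name__ == "__main__":
    expected = port_blocks(**POOL)
    for user, (nat_ip, lo, hi) in expected.items():
        print(f"{user} -> {nat_ip} ports {lo}~{hi}")
    print("computed blocks match diagnose:", expected == parse_diag(DIAG_OUTPUT))
    print("SNAT port in owner's block:", check_snat(expected, IN_LINE, OUT_LINE))
```

Run it before committing a pool to a change window: the ValueError branch tells you, from the CLI values alone, when the internal range no longer fits the NAT range at the chosen port-per-user, which on the firewall would leave some hosts without a block.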