Carrier-grade NAT

In a carrier-grade NAT deployment, the per-IP shaper can enforce a connection quota (a cap on the concurrent TCP and UDP sessions each client IP may hold), and a fixed port range IP pool can enforce a port quota (a fixed number of source ports assigned to each internal IP).

config firewall shaper per-ip-shaper
    edit <name>
        set max-concurrent-tcp-session <integer>
        set max-concurrent-udp-session <integer>
    next
end

max-concurrent-tcp-session <integer>

Maximum number of concurrent TCP sessions allowed by this shaper (0 - 2097000, 0 = no limit).

max-concurrent-udp-session <integer>

Maximum number of concurrent UDP sessions allowed by this shaper (0 - 2097000, 0 = no limit).

config firewall ippool
    edit <name>
        set type fixed-port-range
        set port-per-user <integer>
    next
end

set port-per-user <integer>

Number of ports for each user (32 - 60416, 0 = default).

To configure a connection quota in the GUI:
  1. Go to Policy & Objects > Traffic Shaping, select the Traffic Shapers tab, and click Create New.
  2. For Type, select Per IP Shaper.
  3. Enable Max concurrent TCP connections and enter a value.
  4. Enable Max concurrent UDP connections and enter a value.
  5. Configure the other settings as needed.
  6. Click OK.

To configure a connection quota in the CLI:

config firewall shaper per-ip-shaper
    edit "per-ip-shaper256kbps"
        set max-bandwidth 256
        set max-concurrent-session 10
        set max-concurrent-tcp-session 5
        set max-concurrent-udp-session 5
    next
end
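The interaction between the total cap and the per-protocol caps is easier to see in a model than in the CLI alone. The following Python is an added example, not FortiOS code: it tracks live sessions per source IP the way the quota fields above describe (a new session is refused when any applicable cap is already full, with 0 meaning no limit) and replays constructed session-open and session-close events from two client IPs against the same values as the CLI example (10 total, 5 TCP, 5 UDP). The event list, the class names and the refusal accounting are assumptions made for the illustration.

```python
"""Model of a FortiOS per-IP shaper connection quota (added example, not FortiOS code)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PerIpShaper:
    """Caps mirror the per-ip-shaper CLI fields; 0 means no limit."""
    max_concurrent_session: int = 0
    max_concurrent_tcp_session: int = 0
    max_concurrent_udp_session: int = 0


@dataclass
class ClientState:
    tcp: int = 0
    udp: int = 0
    refused: int = 0


def _has_room(limit: int, current: int) -> bool:
    return limit == 0 or current < limit


class PerIpSessionTable:
    """Tracks live sessions per source IP and applies the shaper's quotas to new ones."""

    def __init__(self, shaper: PerIpShaper):
        self.shaper = shaper
        self.clients = defaultdict(ClientState)

    def open(self, src_ip: str, proto: str) -> bool:
        """Admit a new session only if neither the total cap nor the protocol cap is full."""
        c, sh = self.clients[src_ip], self.shaper
        if proto == "tcp":
            proto_now, proto_cap = c.tcp, sh.max_concurrent_tcp_session
        elif proto == "udp":
            proto_now, proto_cap = c.udp, sh.max_concurrent_udp_session
        else:
            raise ValueError(f"unsupported protocol {proto!r}")
        if not (_has_room(sh.max_concurrent_session, c.tcp + c.udp)
                and _has_room(proto_cap, proto_now)):
            c.refused += 1
            return False
        if proto == "tcp":
            c.tcp += 1
        else:
            c.udp += 1
        return True

    def close(self, src_ip: str, proto: str) -> None:
        """Session teardown frees a slot; the quota counts live sessions only."""
        c = self.clients[src_ip]
        if proto == "tcp" and c.tcp:
            c.tcp -= 1
        elif proto == "udp" and c.udp:
            c.udp -= 1


def replay(shaper: PerIpShaper, events) -> dict:
    """Replay (src_ip, proto, 'open'|'close') events; return per-IP (tcp, udp, refused)."""
    table = PerIpSessionTable(shaper)
    for src_ip, proto, action in events:
        if action == "open":
            table.open(src_ip, proto)
        else:
            table.close(src_ip, proto)
    return {ip: (c.tcp, c.udp, c.refused) for ip, c in table.clients.items()}


# Constructed events: client .41 tries 7 TCP + 3 UDP sessions; client .42 tries 5 TCP +
# 6 UDP sessions, then closes one TCP session and tries one more UDP session.
DEMO_EVENTS = (
    [("10.1.100.41", "tcp", "open")] * 7 + [("10.1.100.41", "udp", "open")] * 3
    + [("10.1.100.42", "tcp", "open")] * 5 + [("10.1.100.42", "udp", "open")] * 6
    + [("10.1.100.42", "tcp", "close"), ("10.1.100.42", "udp", "open")]
)

# Same values as the CLI example: 10 total, 5 TCP, 5 UDP per source IP.
SHAPER_256K = PerIpShaper(max_concurrent_session=10,
                          max_concurrent_tcp_session=5, max_concurrent_udp_session=5)

if __name__ == "__main__":
    for ip, (tcp, udp, refused) in replay(SHAPER_256K, DEMO_EVENTS).items():
        print(f"{ip}: live tcp={tcp} udp={udp}, refused={refused}")
```

Two points the replay makes: the quotas are per source IP, so 10.1.100.41 exhausting its TCP allowance does nothing to 10.1.100.42; and after 10.1.100.42 closes one TCP session the total cap has room again (9 of 10) but its last UDP attempt is still refused because the UDP cap is independently full.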
To configure a port quota in the GUI:
  1. Go to Policy & Objects > IP Pools and click Create New.
  2. For Type, select Fixed Port Range.
  3. Enter the external and internal IP ranges.
  4. Enable Ports Per User and enter a value.
  5. Configure the other settings as needed.
  6. Click OK.

To configure a port quota in the CLI:

config firewall ippool
    edit "test-ippool-fpr-1"
        set type fixed-port-range
        set startip 172.16.200.125
        set endip 172.16.200.125
        set source-startip 10.1.100.41
        set source-endip 10.1.100.42
        set port-per-user 30208
    next
end
To verify the fixed range IP pool:

# diagnose firewall ippool-fixed-range list natip 172.16.200.125
ippool name=test-ippool-fpr-1, ip shared num=2, port num=30208
internal ip=10.1.100.41, nat ip=172.16.200.125, range=5117~35324
internal ip=10.1.100.42, nat ip=172.16.200.125, range=35325~65532

To verify the SNAT behavior when the IP pool is used in a policy:

# diagnose sniffer packet any 'host 172.16.200.55'
Using Original Sniffing Mode
interfaces=[any]
filters=[host 172.16.200.55]
32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945
32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945
32.205328 wan1 in 172.16.200.55.80 -> 172.16.200.125.51209: syn 4191137758 ack 797929746
32.205568 wan2 out 172.16.200.55.80 -> 10.1.100.42.21001: syn 4191137758 ack 797929946
32.205766 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: ack 4191137759
32.205770 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: ack 4191137759
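The value of a fixed port range pool for an operator is that the NAT IP and port block of every internal IP is fixed and can be computed offline, which is what makes subscriber attribution from (NAT IP, port, time) possible without per-session logs. The following Python is an added example, not FortiOS code: it reproduces the allocation that the diagnose output above shows for this pool, renders it in the same shape, and then checks the sniffer lines above to confirm that the translated source port 51209 falls inside the block owned by 10.1.100.42. The port space per NAT IP (5117 through 65532, 60416 ports) is reconstructed from the diagnose output and the CLI range for port-per-user, the even split used for port-per-user 0 is inferred from the page's numbers, and the helper names are assumptions; none of this is a documented FortiOS algorithm.

```python
"""Model of a FortiOS fixed-port-range IP pool (added example, not FortiOS code)."""
import ipaddress
import re
from dataclasses import dataclass

# Port space each NAT IP hands out. Reconstructed from the diagnose output on this
# page (first block starts at 5117, last ends at 65532, i.e. 60416 ports, which is
# also the CLI maximum for port-per-user). Assumption, not a documented constant.
PORT_BASE = 5117
PORTS_PER_NAT_IP = 60416


@dataclass(frozen=True)
class Allocation:
    internal_ip: str
    nat_ip: str
    port_start: int
    port_end: int

    def owns(self, nat_ip: str, port: int) -> bool:
        return nat_ip == self.nat_ip and self.port_start <= port <= self.port_end


def ip_range(start: str, end: str) -> list:
    """Expand an inclusive IPv4 range into dotted-quad strings."""
    a, b = int(ipaddress.IPv4Address(start)), int(ipaddress.IPv4Address(end))
    if b < a:
        raise ValueError(f"range end {end} precedes start {start}")
    return [str(ipaddress.IPv4Address(i)) for i in range(a, b + 1)]


def allocate_fixed_port_range(startip, endip, source_startip, source_endip,
                              port_per_user=0):
    """Carve each NAT IP into fixed port blocks, one block per internal IP.

    Arguments mirror 'config firewall ippool' with type fixed-port-range. The even
    split for port-per-user 0 ("default") is an assumption consistent with the
    page's numbers (60416 ports / 2 internal IPs = 30208).
    """
    nat_ips = ip_range(startip, endip)
    internal_ips = ip_range(source_startip, source_endip)
    if port_per_user == 0:
        port_per_user = (PORTS_PER_NAT_IP * len(nat_ips)) // len(internal_ips)
    if not 32 <= port_per_user <= PORTS_PER_NAT_IP:
        raise ValueError("port-per-user must be 32 - 60416 (0 = default)")
    blocks_per_nat_ip = PORTS_PER_NAT_IP // port_per_user
    if blocks_per_nat_ip * len(nat_ips) < len(internal_ips):
        raise ValueError("NAT range too small for the internal range at this quota")
    allocations = []
    for idx, host in enumerate(internal_ips):
        start = PORT_BASE + (idx % blocks_per_nat_ip) * port_per_user
        allocations.append(Allocation(host, nat_ips[idx // blocks_per_nat_ip],
                                      start, start + port_per_user - 1))
    return allocations


def format_like_diagnose(name, allocations):
    """Render the table in the shape of 'diagnose firewall ippool-fixed-range list'."""
    ppu = allocations[0].port_end - allocations[0].port_start + 1
    lines = [f"ippool name={name}, ip shared num={len(allocations)}, port num={ppu}"]
    lines += [f"internal ip={a.internal_ip}, nat ip={a.nat_ip}, "
              f"range={a.port_start}~{a.port_end}" for a in allocations]
    return lines


# One packet line of 'diagnose sniffer packet': "<ts> <intf> in|out src.port -> dst.port: <flags>"
SNIFFER_LINE = re.compile(
    r"^\s*[\d.]+ (?P<intf>\S+) (?P<dir>in|out) (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+)"
    r" -> (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): (?P<tail>.*)$")


def verify_snat(allocations, sniffer_output):
    """Pair each 'in' packet with the next 'out' packet carrying the same TCP flags and
    sequence numbers, and check that the translated source port lies in the block
    owned by the original source IP. Returns (internal_ip, nat_ip, port, ok) tuples."""
    results, pending = [], None
    for line in sniffer_output.splitlines():
        m = SNIFFER_LINE.match(line)
        if not m:
            continue
        if m["dir"] == "in":
            pending = m
        elif pending is not None and pending["tail"] == m["tail"]:
            if pending["src"] != m["src"]:  # reply direction keeps the server as source
                owner = next((a for a in allocations if a.internal_ip == pending["src"]), None)
                ok = owner is not None and owner.owns(m["src"], int(m["sport"]))
                results.append((pending["src"], m["src"], int(m["sport"]), ok))
            pending = None
    return results


# Constructed sample: the packet lines copied from the sniffer output on this page.
SAMPLE_SNIFFER = """\
32.204955 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: syn 797929945
32.205027 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: syn 797929945
32.205328 wan1 in 172.16.200.55.80 -> 172.16.200.125.51209: syn 4191137758 ack 797929946
32.205568 wan2 out 172.16.200.55.80 -> 10.1.100.42.21001: syn 4191137758 ack 797929946
32.205766 wan2 in 10.1.100.42.21001 -> 172.16.200.55.80: ack 4191137759
32.205770 wan1 out 172.16.200.125.51209 -> 172.16.200.55.80: ack 4191137759
"""

if __name__ == "__main__":
    pool = allocate_fixed_port_range("172.16.200.125", "172.16.200.125",
                                     "10.1.100.41", "10.1.100.42", 30208)
    print("\n".join(format_like_diagnose("test-ippool-fpr-1", pool)))
    for internal, nat, port, ok in verify_snat(pool, SAMPLE_SNIFFER):
        print(f"{internal} -> {nat}:{port} {'within quota' if ok else 'OUTSIDE quota'}")
```

The capacity check in allocate_fixed_port_range is the practical caveat: with a single NAT IP, port-per-user times the number of internal IPs cannot exceed 60416, so a larger subscriber range needs either a smaller quota (and therefore fewer concurrent flows per subscriber) or more NAT IPs in the pool.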
