NAT with Port-block Allocation in FreeBSD?
Hao Bryan Cheng
hbcheng at berkeley.edu
Fri Jun 1 23:04:36 UTC 2012
Hello,

I apologize in advance if this is the wrong place for this posting.

I am a developer on the circe captive portal system (net-mgmt/circe).
Our system currently uses either netgraph or FreeBSD's in-kernel NAT
(configurable) as a one-to-one NAT facility to provide access control
for wireless clients.

IP address pressure has pushed us towards implementing many-to-one NAT.
However, the primary deployment of our software here at UC Berkeley
requires us to be able to track bandwidth usage, security notices, and
copyright takedown requests on a per-client basis. Traditional
many-to-one NAT generates an unreasonable amount of logging data for our
clients, which we expect to number in the low thousands.

To mitigate the logging/accounting burden, we're investigating port
block allocation, described in
http://tools.ietf.org/html/draft-tsou-behave-natx4-log-reduction-02. By
allocating a block of ports for each client, we can drastically reduce
the amount of logging that we have to do to be able to uniquely trace a
copyright infringement notice back to the individual user.

Preliminary investigation of both IPFW's NAT facility and netgraph's
ng_nat node did not uncover any trivial method of performing port-block
allocation in many-to-one NAT.

Has anybody here had any experience implementing a many-to-one NAT box
with FreeBSD that made use of port-block allocation? Alternatively, is
there any documentation or resources that somebody could point me
towards to get started?

Thanks in advance for your help.
--
Hao "Bryan" Cheng
Lead Unix Systems Administrator for Network Access Control
Student Affairs- IT
UC Berkeley
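Added worked example, not part of the original post and not code from circe, ipfw's NAT or ng_nat: a small Python model of the per-client port-block allocation the cited draft describes. It shows the accounting property the poster is after, one log record per allocated block rather than one per session, and the reverse lookup needed to resolve a notice quoting (external IP, external port, time) back to a client. The external port range, block size, addresses and the integer clock are all assumptions.

```python
"""Constructed model of many-to-one NAT with per-client port-block allocation.

Each client is handed a contiguous block of external ports on first use and
the translator logs once per block (allocate / release) instead of once per
session.  A notice that quotes (external IP, external port, time) is resolved
against that block log.  Everything here is an assumption for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

PORT_MIN, PORT_MAX = 1024, 65535      # assumed usable external port range


@dataclass
class Block:
    client: str                       # internal (pre-NAT) client address
    first: int                        # first external port in the block
    last: int                         # last external port in the block
    allocated_at: int                 # seconds since epoch, constructed clock
    released_at: Optional[int] = None
    free: List[int] = field(default_factory=list)   # ports not in use


class PortBlockNAT:
    def __init__(self, external_ip: str, block_size: int = 256):
        self.external_ip = external_ip
        self.block_size = block_size
        # starts of blocks that have not been handed out yet
        self.free_blocks = list(range(PORT_MIN, PORT_MAX - block_size + 2, block_size))
        self.blocks: List[Block] = []          # every block ever allocated
        self.log: List[str] = []               # what an operator would retain
        self.sessions: Dict[Tuple[str, int, str, int], Tuple[Block, int]] = {}

    def _allocate_block(self, client: str, now: int) -> Block:
        if not self.free_blocks:
            raise RuntimeError("external port space exhausted")
        start = self.free_blocks.pop(0)
        blk = Block(client, start, start + self.block_size - 1, now,
                    free=list(range(start, start + self.block_size)))
        self.blocks.append(blk)
        self.log.append(f"t={now} alloc {self.external_ip}:{blk.first}-{blk.last} -> {client}")
        return blk

    def translate(self, client: str, sport: int, dst: str, dport: int, now: int):
        """Return (external_ip, external_port) for an outbound flow."""
        key = (client, sport, dst, dport)
        if key in self.sessions:                      # existing session, same port
            return self.external_ip, self.sessions[key][1]
        # prefer a live block of this client that still has spare ports
        blk = next((b for b in self.blocks if b.client == client
                    and b.released_at is None and b.free), None)
        if blk is None:                               # block full or first flow
            blk = self._allocate_block(client, now)
        port = blk.free.pop(0)
        self.sessions[key] = (blk, port)
        return self.external_ip, port

    def close(self, client: str, sport: int, dst: str, dport: int, now: int) -> None:
        """End a session; release the block once nothing uses it."""
        blk, port = self.sessions.pop((client, sport, dst, dport))
        blk.free.append(port)
        if len(blk.free) == self.block_size:
            blk.released_at = now
            self.free_blocks.append(blk.first)       # block may be reused later
            self.log.append(f"t={now} release {self.external_ip}:{blk.first}-{blk.last}")

    def lookup(self, ext_port: int, when: int) -> Optional[str]:
        """Resolve (external port, time) from a notice to the client that held it."""
        for b in self.blocks:
            if (b.first <= ext_port <= b.last and b.allocated_at <= when
                    and (b.released_at is None or when < b.released_at)):
                return b.client
        return None


if __name__ == "__main__":
    nat = PortBlockNAT("203.0.113.1")                # constructed addresses
    for i in range(10):
        nat.translate("10.0.0.5", 40000 + i, "198.51.100.7", 443, now=100)
    nat.translate("10.0.0.9", 50000, "198.51.100.7", 80, now=101)
    print("\n".join(nat.log))                        # two lines for eleven sessions
    print("port 1030 at t=150 ->", nat.lookup(1030, 150))
```

The `lookup` time window matters: once a block is released it can be handed to another client, so the log must carry both allocation and release times or a notice referring to an earlier period would be attributed to the wrong person.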