Next revision | Previous revision |
en:dpi:faq:cgnat [2024/09/26 15:29] – created - external edit 127.0.0.1 | en:dpi:faq:cgnat [2024/12/06 10:56] (current) – elena.krasnobryzh |
---|
| |
<accordion-item title="3. Inactive SSH Sessions are Closed After Enabling NAT"> | <accordion-item title="3. Inactive SSH Sessions are Closed After Enabling NAT"> |
<note>Parameter descriptions [[dpi:opt_cgnat:сgnat_settings#параметры_и_возможные_значения|at this link]]</note> | <note>Parameter descriptions [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|at this link]]</note> |
Indeed, the session lifetime in NAT is limited because the number of sessions per subscriber is a limited resource, and a large number of inactive sessions in the pool reduces NAT and overall performance. | Indeed, the session lifetime in NAT is limited because the number of sessions per subscriber is a limited resource, and a large number of inactive sessions in the pool reduces NAT and overall performance. |
| |
| |
Also, consider the feature of port release mechanism in the NAT Pool: | Also, consider the feature of port release mechanism in the NAT Pool: |
- When Service 11 is enabled for a subscriber, [[dpi:faq:cgnat#how_to_determine_which_public_address_from_the_pool_a_subscriber_will_get|a Public IP is assigned based on the distribution algorithm]] | - When Service 11 is enabled for a subscriber, [[en:dpi:faq:cgnat#how_to_determine_which_public_address_from_the_pool_a_subscriber_will_get|a Public IP is assigned based on the distribution algorithm]] |
- When a subscriber starts establishing sessions, ports are taken from the common SSG DPI queue and [[dpi:faq:cgnat#inactive_ssh_sessions_are_closed_after_enabling_nat|assigned with certain timeouts]] | - When a subscriber starts establishing sessions, ports are taken from the common SSG DPI queue and [[en:dpi:faq:cgnat#inactive_ssh_sessions_are_closed_after_enabling_nat|assigned with certain timeouts]] |
- If a specific Public IP has many subscribers competing for free ports, subscribers may experience access issues. | - If a specific Public IP has many subscribers competing for free ports, subscribers may experience access issues. |
| |
- Subscribers under blocking (Service 5 + policing) should be placed in a separate NAT Pool to avoid impacting active subscribers. For instance, an iPhone may establish many sessions searching for an active service. | - Subscribers under blocking (Service 5 + policing) should be placed in a separate NAT Pool to avoid impacting active subscribers. For instance, an iPhone may establish many sessions searching for an active service. |
- Create sparse pools and separate clients into different NAT Pools by type: individuals and corporate users. | - Create sparse pools and separate clients into different NAT Pools by type: individuals and corporate users. |
- Monitor clients generating high load and work with them. For receiving, processing, and storing NetFlow from DPI, we suggest using the [[dpi:dpi_components:qoestor|QoE Store software product for statistics collection]] and the [[dpi:dpi_components:dpiui|DPIUI2 graphical interface]]. You can analyze subscriber traffic and conclude that their PC is infected. | - Monitor clients generating high load and work with them. For receiving, processing, and storing NetFlow from DPI, we suggest using the [[en:dpi:dpi_components:qoestor|QoE Store software product for statistics collection]] and the [[en:dpi:dpi_components:dpiui|DPIUI2 graphical interface]]. You can analyze subscriber traffic and conclude that their PC is infected. |
</accordion-item> | </accordion-item> |
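Review bot: In the second bullet under "port release mechanism", the link "assigned with certain timeouts" targets #inactive_ssh_sessions_are_closed_after_enabling_nat, which matches the title of this same item 3, so it sends the reader back to the section they are already in. The new column only adds the en: prefix and keeps that target. If the intent is to show the timeout values, point the link at the parameters_and_possible_values section already referenced in the note at the top of the item.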
| |
<accordion-item title="5. How to Change the Parameters of an Existing and Used Pool?"> | <accordion-item title="5. How to Change the Parameters of an Existing and Used Pool?"> |
<note>Parameter descriptions [[dpi:opt_cgnat:сgnat_settings#параметры_и_возможные_значения|at this link]]</note> | <note>Parameter descriptions [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|at this link]]</note> |
- Changing the session limit:<code bash>fdpi_ctrl load profile --service 11 --profile.name test_nat_2000 --profile.json '{ "nat_ip_pool" : "111.111.111.0/24", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000, "nat_type" : 0 }'</code>Use the pool creation command identical to the previous one but with different ''nat_tcp_max_sessions'' and ''nat_udp_max_sessions'' settings. | - Changing the session limit:<code bash>fdpi_ctrl load profile --service 11 --profile.name test_nat_2000 --profile.json '{ "nat_ip_pool" : "111.111.111.0/24", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000, "nat_type" : 0 }'</code>Use the pool creation command identical to the previous one but with different ''nat_tcp_max_sessions'' and ''nat_udp_max_sessions'' settings. |
- Adding additional addresses to the pool:<code bash>fdpi_ctrl load profile --service 11 --profile.name test_nat_2000 --profile.json '{ "nat_ip_pool" : "111.111.111.0/24,222.222.222.0/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000, "nat_type" : 0 }'</code>Use the pool creation command identical to the previous one but with an additional pool specified by a comma. | - Adding additional addresses to the pool:<code bash>fdpi_ctrl load profile --service 11 --profile.name test_nat_2000 --profile.json '{ "nat_ip_pool" : "111.111.111.0/24,222.222.222.0/25", "nat_tcp_max_sessions" : 2000, "nat_udp_max_sessions" : 2000, "nat_type" : 0 }'</code>Use the pool creation command identical to the previous one but with an additional pool specified by a comma. |
| |
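Review bot: Item 5 is opened with an accordion-item tag, but no closing accordion-item tag appears in either column before item 6 opens, whereas items 3 and 6 are closed explicitly. Add the closing tag after the "Adding additional addresses to the pool" bullet so that the rendering of item 6 does not depend on how the plugin handles an unclosed item.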
<accordion-item title="6. How to Assign a Specific Address to a Subscriber with NAT 1:1?"> | <accordion-item title="6. How to Assign a Specific Address to a Subscriber with NAT 1:1?"> |
| <note warning>The method described below is inactive when ''rx_dispatcher=1''</note> |
If a subscriber has only one private address and it is necessary to assign a specific public address to the subscriber, the dependency between the private and public addresses must be considered, which is imposed by the non-blocking address dispatching algorithm in DPI. | If a subscriber has only one private address and it is necessary to assign a specific public address to the subscriber, the dependency between the private and public addresses must be considered, which is imposed by the non-blocking address dispatching algorithm in DPI. |
| |
<code>fdpi_ctrl load profile --ip 10.0.0.15 --service 11 --profile.json '{ "nat_ip_pool" : "188.99.99.27/32", "nat_type" : 1 }'</code> | <code>fdpi_ctrl load profile --ip 10.0.0.15 --service 11 --profile.json '{ "nat_ip_pool" : "188.99.99.27/32", "nat_type" : 1 }'</code> |
| |
<note>Parameter description [[dpi:opt_cgnat:cgnat_settings#parameters_and_possible_values|via this link]]</note> | <note>Parameter description [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|via this link]]</note> |
</accordion-item> | </accordion-item> |
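Review bot: The added warning at the top of item 6 names only rx_dispatcher=1, while the footnote under item 7 exempts both rx_dispatcher=1 and rx_dispatcher=2 from the equal-pool-size requirement. State explicitly whether the NAT 1:1 assignment method is also inactive with rx_dispatcher=2, and say what an operator should do instead when it is inactive, since the fdpi_ctrl example below the warning is given without an alternative.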
| |
<accordion-item title="7. NAT Diagnostics"> | <accordion-item title="7. NAT Diagnostics"> |
<note>Parameter description [[dpi:opt_cgnat:cgnat_settings#parameters_and_possible_values|via this link]]</note> | <note>Parameter description [[en:dpi:opt_cgnat:сgnat_settings#parameters_and_possible_values|via this link]]</note> |
| |
1. The pools in the profile must be of the same size ((The requirement is not relevant if ''rx_dispatcher=1'' or ''rx_dispatcher=2'')). | 1. The pools in the profile must be of the same size ((The requirement is not relevant if ''rx_dispatcher=1'' or ''rx_dispatcher=2'')). |
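Review bot: In the "Parameter description" note of items 6 and 7, the new link target сgnat_settings begins with Cyrillic с (U+0441), where the old column had the all-Latin cgnat_settings; the notes in items 3 and 5 carry the Cyrillic form in both columns. The two spellings look identical on screen but are different page ids, so anyone retyping the link with a Latin c gets a missing page, and the mixed-script id is easy to miss in later reviews. Confirm the link resolves, and consider renaming the target page to an all-Latin id with a redirect from the current one.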