Tuesday, 1 October 2013

NAT Gateway - Maximum connection limit

I know just enough networking to be dangerous. The nitty-gritty low-level
details of NAT are not something I am particularly knowledgeable about.
I accidentally found myself in a discussion earlier today about placing a
bunch of our nodes behind a NAT Gateway. (1 public IP address and X
private LAN addresses). I called up the 16-bit limit on the source and
destination port fields in the TCP protocol,
(http://www.ietf.org/rfc/rfc793.txt - page 15) and mentioned that it would
limit us to some 65,000 connections (65536). -- I am not so confident
about that answer anymore. Can you help me with some details?
I understand that an incoming port (server port) on our side can accept as
many connections as there are sourceIP x SourcePort combinations. Let's
discount those for the time being and focus on connections originating in
the LAN, traveling through the NAT Gateway, and ending on a random host at
a random port.
On a normal [Linux] system, outgoing connections I believe are limited to
1 per port per Source IP. If we pretend that we live in a simple world
where each system only has 1 IP address, then a 'normal system' would be
limited to an absolute maximum of 65536 connections.
1) In TCP is a single source IP limited to 65536 MAX theoretical outgoing
connections?
2) Or is the limit actually 65536 connections for each Remote Host?
2) [Written another way]: Can the same source port be used for a different
remoteHostIP:RemotePort combination?
For example: (Is the following OK?)
Source IP     Source Port   Remote IP   Remote Port
192.168.0.20  36500         8.8.8.8     23
192.168.0.20  36500         8.8.4.4     23
3) Are the answers to questions 1 and 2 different for a ...'not normal
system' [Cisco router acting as a NAT Gateway]?
Ex: A specialized networking device that has one public facing IP and up
to ~65,000 LAN IPs [or more] behind it? Is there magic in place, or is the
answer to question 2 just always: yes? (or no)
4) The above questions all assume a stateful TCP connection. Is the story
any different with a stateless connection like UDP?
And ultimately:
5) Will our LAN be limited to 65536 (or some other theoretical limit)
concurrent connections to the outside world through a single public IP
address?
Thank you! :)



For purposes of this question, we are behind very BEEFY AND BRAND NEW
Cisco Nexus gear (7000 series I think). It may be better to ignore
memory/etc limitations unless they can be specifically quantified.
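To make the 5-tuple point behind questions 2, 4 and 5 concrete, here is an added toy NAPT (port-translating NAT) table in Python. It is an illustration written for this page, not code from the original post and not how any Cisco or Linux implementation is written; the public address 203.0.113.1, the 10.x.x.x internal hosts and the 1024-65535 port pool are constructed assumptions. A TCP or UDP flow is identified by (protocol, source IP, source port, destination IP, destination port), and a gateway with one public IP only has to keep the translated 5-tuple unique. The example shows that the same public port can be reused toward different remote endpoints, that TCP and UDP entries are independent, and that the ~64k port space is exhausted per (protocol, remote IP, remote port) rather than per gateway.

```python
"""Toy NAPT translation table (added example, not from the original post).

A TCP or UDP flow is identified by its 5-tuple
(proto, src_ip, src_port, dst_ip, dst_port). A gateway with a single public
IP rewrites src_ip and, when needed, src_port, and only has to keep the
*translated* 5-tuple unique. The public port is therefore not a global
resource: one public port can front many flows that differ in protocol,
remote IP or remote port.
"""
from itertools import chain
from typing import Dict, Optional, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]


class PortExhausted(Exception):
    """No public port left for this (proto, dst_ip, dst_port)."""


class NaptTable:
    def __init__(self, public_ip: str, port_lo: int = 1024, port_hi: int = 65535) -> None:
        self.public_ip = public_ip                                  # assumed single public address
        self.port_lo, self.port_hi = port_lo, port_hi               # assumed public port pool
        self.outbound: Dict[Flow, int] = {}                         # internal flow -> public port
        self.inbound: Dict[Tuple[str, int, str, int], Flow] = {}    # (proto, public_port, dst_ip, dst_port) -> flow
        self._hint = port_lo                                        # where the next pool scan starts

    def capacity_per_destination(self) -> int:
        """Public ports available for one (proto, dst_ip, dst_port): the only hard 16-bit limit."""
        return self.port_hi - self.port_lo + 1

    def translate(self, proto: str, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> int:
        """Return the public port for this outbound flow, allocating one if it is new."""
        flow: Flow = (proto, src_ip, src_port, dst_ip, dst_port)
        if flow in self.outbound:          # already mapped (for UDP: entry still within its timer)
            return self.outbound[flow]
        span = self.capacity_per_destination()
        # Try to keep the internal port first (port preservation), then scan the pool
        # from a rotating hint so that repeated allocations stay cheap.
        preferred = [src_port] if self.port_lo <= src_port <= self.port_hi else []
        rotating = (self.port_lo + (self._hint - self.port_lo + i) % span for i in range(span))
        for public_port in chain(preferred, rotating):
            key = (proto, public_port, dst_ip, dst_port)
            if key not in self.inbound:    # uniqueness is checked on the translated 5-tuple only
                self.inbound[key] = flow
                self.outbound[flow] = public_port
                self._hint = self.port_lo + (public_port - self.port_lo + 1) % span
                return public_port
        raise PortExhausted(f"{proto} {dst_ip}:{dst_port} already has {span} mappings")

    def lookup_inbound(self, proto: str, public_port: int, dst_ip: str, dst_port: int) -> Optional[Flow]:
        """Reverse lookup for a reply packet arriving at public_ip:public_port from dst_ip:dst_port."""
        return self.inbound.get((proto, public_port, dst_ip, dst_port))

    def release(self, flow: Flow) -> None:
        """Connection closed (or UDP timer expired): give the public port back for that endpoint."""
        public_port = self.outbound.pop(flow)
        del self.inbound[(flow[0], public_port, flow[3], flow[4])]


def saturate(table: NaptTable, proto: str, dst_ip: str, dst_port: int) -> int:
    """Open flows to one remote endpoint from synthetic (constructed) internal hosts
    until the pool for that endpoint is exhausted; returns how many were mapped."""
    n = 0
    while True:
        src_ip = f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}"  # constructed internal host
        try:
            table.translate(proto, src_ip, 50000, dst_ip, dst_port)
        except PortExhausted:
            return n
        n += 1


if __name__ == "__main__":
    nat = NaptTable("203.0.113.1")
    # Same internal socket to two different remote hosts: the public port is reused.
    print(nat.translate("tcp", "192.168.0.20", 36500, "8.8.8.8", 23))   # 36500
    print(nat.translate("tcp", "192.168.0.20", 36500, "8.8.4.4", 23))   # 36500
    # Another internal host with the same source port to the same remote endpoint
    # collides on the translated tuple and must be given a different public port.
    print(nat.translate("tcp", "192.168.0.21", 36500, "8.8.8.8", 23))
    # UDP shares the port numbers but not the table entries.
    print(nat.translate("udp", "192.168.0.21", 36500, "8.8.8.8", 23))   # 36500
    print(saturate(nat, "tcp", "8.8.8.8", 443), "TCP flows to one endpoint before exhaustion")
```

The port-preserving, destination-independent allocation above is what RFC 4787 calls "endpoint-independent mapping"; real gateways differ in the policy they pick, but none of them needs a public port to be unique by itself. What actually bounds a real gateway is the translation table: number of entries, memory, and timeouts (UDP has no FIN, so its entries only go away when a timer fires), plus how many internal hosts happen to talk to the same remote IP:port, since that is the only case where the 16-bit field is the binding constraint.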
