Your videos are amazing!
Thank you so much!
Excellent explanations. Glad UA-cam recommended this channel. Thank you for your time and effort in creating and sharing these videos.
Welcome aboard!
Great tutorial. You deserve thousands more subscribers
I appreciate that! Hope someday I'll get there :)
this was such a good guide to SNAT, you really understand these topics to their core!
Thanks! Glad you liked it!
Thank you for another great video. A quick follow-up question on SNAT and the outgoing connection limit. You mentioned that the number of simultaneous outgoing connections from a single IP is limited by the number of available source ports, which is 2^16. But theoretically, that limitation should only apply to a given (destIP, destPort) tuple, i.e. the limit of 2^16 outgoing connections is only "applied" in the scope of a given remote IP and port, so it's 2^16 connections to the same destination. In total, that should yield a greater number of possible simultaneous outgoing connections. Is that reasoning correct? How do I check/make sure that the gateway indeed uses that scheme and not the more simplistic one (i.e., 2^16 outgoing connections per IP)?
Hi there! First of all, very good catch! Thank you! You are absolutely right! You can have many more outgoing connections than 65k, assuming that the remote IP is different. I did listen to my video one more time and indeed it's misleading.
The message I was trying to convey is this: in a NAT scenario you have multiple internal devices (PCs, VMs, phones, tablets, etc.). Every device tries to connect to Google DNS or youtube.com or any other popular host. Now the firewall performing NAT eats up one port per connection to Google DNS (or any other host). Hence you may run out of ports much faster, as you can only establish 65k connections to youtube, another 65k to google dns, etc.
I may need to re-record the video and explain it better.
@LinuxCloudHacks Got it! Thanks for the clarification!
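An added illustration of the point settled in this exchange (this is not code from the video or its author): a toy SNAT translation table keyed on the full flow tuple, where the external source port only has to be unique per (dst_ip, dst_port), so the port pool is spent per destination rather than per public IP. The 5-port pool, the public IP 203.0.113.1 and the internal client addresses are constructed for the demo; a `per_dest=False` switch models the simplistic "one pool per public IP" scheme for comparison.

```python
"""Toy SNAT translation table (added illustration, not the video's code).

Linux-style SNAT tracks one entry per flow keyed on the tuple
(src_ip, src_port, dst_ip, dst_port). The translated source port only
has to be unique per (dst_ip, dst_port), so the port pool is consumed
per destination, not per public IP. per_dest=False switches to the
simplistic "one pool per public IP" model so the two can be compared.
"""
from collections import defaultdict

# Constructed: a 5-port pool instead of 1024..65535 so exhaustion shows
# up in a toy run; the allocation logic does not depend on pool size.
PORT_POOL = range(1, 6)


class Snat:
    def __init__(self, public_ip, pool=PORT_POOL, per_dest=True):
        self.public_ip = public_ip
        self.pool = list(pool)
        self.per_dest = per_dest
        self.used = defaultdict(set)  # scope key -> external ports in use
        self.table = {}               # flow tuple -> external port

    def translate(self, src_ip, sport, dst_ip, dport):
        """Return the external port for this flow, or None if exhausted."""
        flow = (src_ip, sport, dst_ip, dport)
        if flow in self.table:
            return self.table[flow]
        # Real SNAT: ports are scoped to the destination; simplistic
        # model: one shared scope for every destination.
        scope = (dst_ip, dport) if self.per_dest else "all"
        for port in self.pool:
            if port not in self.used[scope]:
                self.used[scope].add(port)
                self.table[flow] = port
                return port
        return None  # no free external port for this scope


def simulate(n_devices, destinations, per_dest=True):
    """Each internal device opens one flow to every destination.
    Returns ({destination: flows that got a port}, total NAT entries)."""
    nat = Snat("203.0.113.1", per_dest=per_dest)  # constructed public IP
    ok = defaultdict(int)
    for i in range(n_devices):
        src = f"192.168.10.{i + 1}"  # client subnet used in this thread
        for dst_ip, dport in destinations:
            if nat.translate(src, 40000 + i, dst_ip, dport) is not None:
                ok[(dst_ip, dport)] += 1
    return dict(ok), len(nat.table)
```

With seven devices all hitting 8.8.8.8:53 only five flows fit the pool, while a second destination gets its own five ports under the per-destination model but shares the same five under the simplistic one.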
Thanks for the tutorial. Is it possible for you to share the netplan network configuration of the firewall, clients and server?
Sorry for the late reply. The client has a static route to the server network 192.168.12.0/24 via the FW and, the other way around, the server has a static route to the client network 192.168.10.0/24 via the FW.
FW:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [192.168.12.230/24]
    eth1:
      addresses: [192.168.10.230/24]
      routes:
        - to: 0.0.0.0/0
          via: 192.168.10.200
SRV:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [192.168.12.231/24]
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
      routes:
        - to: 0.0.0.0/0
          via: 192.168.12.254
        - to: 192.168.10.0/24
          via: 192.168.12.230
CLI:
network:
  version: 2
  renderer: networkd
  ethernets:
    eth0:
      addresses: [192.168.10.231/24]
      nameservers:
        addresses: [8.8.8.8, 8.8.4.4]
      routes:
        - to: 0.0.0.0/0
          via: 192.168.10.200
        - to: 192.168.12.0/24
          via: 192.168.10.230