NAT overflow

Michael Powell nightrecon at hotmail.com
Thu Mar 18 18:10:54 UTC 2010 

Anton wrote:

> 
>    Hello everyone,
> 
>    I'm kind of noob in FreeBSD particularily, and in Unix systems at all
>    :- ). But, I've already mastered an router on freebsd 7.2, which
>    worked fine u ntil I installed their MySQL with huge database.
> 
>    Now, once a day, I have a problem - users do not have internet on
>    their  computers, and I could not connect to Microsoft Windows server
>    with RDP fro m outside, but I could login via ssh on router. After
>    rebbot - everything b ecome  fine, everything works good and I have
>    no problems, until next  overflow.
> 
[snip]

It is unclear whether or how MySQL is involved with NAT. If it is somehow 
being used to store NAT session data it might be a possibility. If such is 
the case all recent MySQL versions by default time out an idle connection, 
and unless the client detects this and reconnects automatically it is a 
problem. You can extend the idle delay window to its maximum by placing 
wait_timeout = 31536000 after the other contents of the global section (will 
have [mysqld] at the top) of your my.cnf. Even this will eventually drop a 
connection if idle for longer than this period, but it is as long as you can 
configure so you hope something pings the database before this expires.

As far as the NAT is concerned itself, an overflow can happen from not 
enough memory in the pool to contain all the session data for the volume of 
traffic you experience through the router. This should result in dropped 
connections which then become automatically reestablished very soon after. 
It should not necessarily cause all traffic to cease once a day.

The NAT pool and memory resources, as well as session time out values are 
tunable. However, it is not clear which NAT and firewall solution you are 
using, so it is difficult to provide any insight until we know the solution 
we are discussing. I have used all three over the years, but have used pf 
long enough now that what I recall from ipfw and ipfilter days is rusty. 
Others on this list are more informed than myself as well, so when we know 
specifically what NAT you are using and more details of the problem maybe 
more help will pop up.

-Mike

More information about the freebsd-questions mailing list