Description
Netspoc divides its topology into NAT domains: contiguous parts of the topology in which the same NAT rules apply.
For each NAT domain Netspoc determines the 'contains' and 'equal' relations between all networks.
With a large number of networks and a large number of NAT domains this needs significant runtime.
Hence it is desirable to reduce the actual number of NAT domains.
The current version of Netspoc doesn't combine NAT domains in an optimal way.
Example:
```
network:n1 = {
 ip = 10.1.1.0/24;
 nat:n1 = { ip = 10.8.1.0/24; }
}
network:n2 = { ip = 10.1.2.0/24; }
network:n3 = { ip = 10.1.3.0/24; }
network:n4 = { ip = 10.1.4.0/24; }
network:n5 = { ip = 10.1.5.0/24; }
router:r1 = {
 interface:n1;
 interface:n2 = { bind_nat = n1; }
 interface:n3 = { bind_nat = n1; }
 interface:n4 = { bind_nat = n1; }
 interface:n5 = { bind_nat = n1; }
}
```
Here Netspoc finds two NAT domains, which is correct.
But if we delete the bind_nat at interface:n2, we get 4 NAT domains although we still expect 2: one for network:n1 and network:n2, where no NAT is active, and one for network:n3, network:n4 and network:n5, where nat:n1 is active.
The reason is the function splitSemiManagedRouters.
It modifies the topology in a way that minimizes the number of zones at semi-managed routers.
But an accidental side effect is that the number of NAT domains may increase.
Currently splitSemiManagedRouters adds a separate router at each interface that has a pathrestriction or a bind_nat.
This separate router is required for pathrestrictions because of the assumption documented in this comment in function removeRestrictedIntfsInWrongOrNoLoop:
```go
// If a pathrestricted interface is applied to an unmanaged
// router, the router is split into an unmanaged and a managed
// router. The managed part has exactly two non secondary
// interfaces. Move pathrestriction to the interface that is
// located at border of loop.
```
But after this modification, interfaces with the same value of bind_nat are no longer part of the same router and hence are no longer recognized as belonging to the same NAT domain.
Solution idea:
Collect all interfaces that have only bind_nat (and no pathrestriction) into one separate router.
It is acceptable to add at most one interface with a pathrestriction to this router, because that router then still has exactly one other interface, the one leading back to the unmanaged part.
All other interfaces with a pathrestriction are moved to separate routers, one router for each interface.
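To make the effect of the two splitting strategies concrete, here is a toy model in Go written for this issue. It is not Netspoc's code: the types, the `Split` and `NatDomains` functions and the topology builder `Example` are hypothetical. It assumes that each split-off part is joined to the remaining unmanaged router through an artificial network without bind_nat, that two networks belong to the same NAT domain exactly when some router connects them through interfaces with identical bind_nat, and it applies the split unconditionally to the given router. On the modified example (bind_nat removed at interface:n2) the per-interface split yields 4 NAT domains, the grouped split yields 2.

```go
package main

import (
	"fmt"
	"strings"
)

// Iface is one interface of the unmanaged router being split. This is a
// hypothetical model for this issue, not Netspoc's own data structures.
type Iface struct {
	Net        string   // attached network
	BindNat    []string // NAT tags from bind_nat, in a fixed order
	Restricted bool     // interface carries a pathrestriction
}

type Router struct {
	Name   string
	Ifaces []Iface
}

func plain(i Iface) bool { return len(i.BindNat) == 0 && !i.Restricted }

// natKey names the set of NAT tags active behind an interface.
func natKey(i Iface) string { return strings.Join(i.BindNat, ",") }

// Split divides r into an unmanaged part (plain interfaces) and split-off
// routers. grouped=false: every interface with bind_nat or a pathrestriction
// gets a separate router (the behaviour the issue describes). grouped=true:
// all bind_nat-only interfaces and at most one pathrestricted interface share
// one router; each further pathrestricted interface gets its own (proposal).
func Split(r Router, grouped bool) []Router {
	base, group, hasPR := Router{Name: r.Name}, Router{}, false
	var parts []Router
	for _, i := range r.Ifaces {
		switch {
		case plain(i):
			base.Ifaces = append(base.Ifaces, i)
		case grouped && (!i.Restricted || !hasPR):
			group.Ifaces = append(group.Ifaces, i)
			hasPR = hasPR || i.Restricted
		default:
			parts = append(parts, Router{Ifaces: []Iface{i}})
		}
	}
	if len(group.Ifaces) > 0 {
		parts = append([]Router{group}, parts...)
	}
	// Each part is joined to the unmanaged part through an artificial
	// network without bind_nat (an assumption of this model).
	for n := range parts {
		link := Iface{Net: fmt.Sprintf("link%d", n+1)}
		base.Ifaces = append(base.Ifaces, link)
		parts[n].Name = fmt.Sprintf("%s.%d", r.Name, n+1)
		parts[n].Ifaces = append(parts[n].Ifaces, link)
	}
	return append([]Router{base}, parts...)
}

// NatDomains counts domains with union-find: two networks share a domain
// when some router joins them through interfaces with identical bind_nat.
func NatDomains(routers []Router) int {
	parent := map[string]string{}
	find := func(x string) string {
		for parent[x] != x {
			x = parent[x]
		}
		return x
	}
	for _, r := range routers {
		first := map[string]string{} // natKey -> first network seen at r
		for _, i := range r.Ifaces {
			if _, ok := parent[i.Net]; !ok {
				parent[i.Net] = i.Net
			}
			if f, ok := first[natKey(i)]; ok {
				parent[find(i.Net)] = find(f)
			} else {
				first[natKey(i)] = i.Net
			}
		}
	}
	roots := map[string]bool{}
	for n := range parent {
		roots[find(n)] = true
	}
	return len(roots)
}

// Example: the issue's topology with bind_nat removed at interface:n2 (constructed).
func Example() Router {
	nat := []string{"n1"}
	return Router{Name: "r1", Ifaces: []Iface{{Net: "n1"}, {Net: "n2"},
		{Net: "n3", BindNat: nat}, {Net: "n4", BindNat: nat}, {Net: "n5", BindNat: nat}}}
}

func main() {
	r := Example()
	fmt.Println(NatDomains(Split(r, false)), NatDomains(Split(r, true))) // 4 2
}
```

The grouped variant keeps the "exactly two non secondary interfaces" property that removeRestrictedIntfsInWrongOrNoLoop relies on only for the routers that carry a pathrestriction: a second pathrestricted interface is always moved to a router of its own, at the price of one extra NAT domain for that interface.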