StarOS simple interface NAT will lead to some problems with Google, Yahoo, MSN and others. These services recognize the 2000 users we have in our network as one IP and blocked them, limited their connection or presented CAPTCHA. To resolve this problem we added 32 IP addresses to the Internet side of the StarOS NAT router and added individual statements to the fire wall dividing our internal network into smaller slices only exposing 1024 host per external IP. This should be sufficient for quite some time.
<!--more-->The standard NAT under StarOS (at least the way it was setup here) was implemented in Advanced > Scripts > NAT as
masq from 192.168.0.0/16 to dev $net
I added additional statements to Advanced > Firewall as follows
iptables -t nat -I POSTROUTING -o eth2 -s XXX.XXX.XXX.X/XX -j SNAT --to XXX.XXX.XXX.XXX
This simply source NATs the networks as various IP addresses towards the Internet. Be sure to INSERT them not append or they will be added in the incorrect order and the Interface NAT will take precedence over your SNAT statements i.e. it will not work as expected. This setup is operational with Policy routing as well for 2 different Internet feeds.
After 72 hours the problem blocking sites have been resolved and there appears to be no bad effect for this solution.
