Hi All,

I have been tasked with implementing NAT444 on a 1072. Does anybody have any idea what the expected throughput would be with 65025 NAT rules?

Matt.

-- /*
Matt Perkins Direct 1300 137 379
Spectrum Networks Ptd. Ltd. Office 1300 133 299
matt@spectrum.com.au
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO
*/
Hi Matt,

There is a good example including script sample on the MikroTik wiki - it applies the NAT in stages so that CPU load is minimal. Keep in mind that the NAT table lookup is triggered only once at the start of the connection (including tracked udp connections) so overhead is quite lower than you might expect :)

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28C...

We use this technique quite often for cases where data retention traceability is required with NAT, and performance is perfectly OK :)

Cheers!

Mike.
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Matt Perkins Sent: Wednesday, 1 August 2018 4:31 PM To: MikroTik Australia Public List <public@talk.mikrotik.com.au> Subject: [MT-AU Public] CGN Nat 444 on CCR1072
Hi All,
I have been tasked with implementing NAT444 on a 1072 does anybody have any idea what the expected throughput would be with 65025 NAT rules.
Matt.
-- /* Matt Perkins Direct 1300 137 379 Spectrum Networks Ptd. Ltd. Office 1300 133 299 matt@spectrum.com.au Level 6, 350 George Street Sydney 2000 Spectrum Networks is a member of the Communications Alliance & TIO */
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
If you do it right, you will only have N+1 NAT rules, where N is the number of private IPs sharing a single public IP. So, for example, I set a router up with 32:1 sharing, so I have 33 NAT rules to handle the CGNAT.

This presentation from MUM Europe this year will point you in the right direction:
https://mum.mikrotik.com/presentations/EU18/presentation_5195_1524667160.pdf

Also, I would highly recommend you have dual-stack set up for all customers that might use CGNAT, as it has the potential to reduce helpdesk calls significantly due to there being no NAT for IPv6 traffic.

Regards,
Philip Loenneker | Network Engineer | TasmaNet
40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia
P: 1300 792 711
philip.loenneker@tasmanet.com.au
www.tasmanet.com.au

-----Original Message-----
From: Public <public-bounces@talk.mikrotik.com.au> On Behalf Of Mike Everest
Sent: Wednesday, 1 August 2018 4:49 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] CGN Nat 444 on CCR1072

Hi Matt,

There is a good example including script sample on the MikroTik wiki - it applies the NAT in stages so that CPU load is minimal. Keep in mind that the NAT table lookup is triggered only once at the start of the connection (including tracked udp connections) so overhead is quite lower than you might expect :)

https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28C...

We use this technique quite often for cases where data retention traceability is required with NAT, and performance is perfectly OK :)

Cheers!

Mike.
Thanks all. Sounds like good advice. Plan was to do dual stack so most of the traffic to NAT was a minimum. Just had no feel for the sort of traffic I could get out of a CCR1072. Any less than about 5~8 gig is going to be more economical to use another platform.

Matt.

On 1/8/18 5:03 pm, Philip Loenneker wrote:
If you do it right, you will only have N+1 NAT rules, where N is the number of private IPs sharing a single public IP. So, for example, I set a router up with 32:1 sharing, so I have 33 NAT rules to handle the CGNAT.
This presentation from MUM Europe this year will point you in the right direction: https://mum.mikrotik.com/presentations/EU18/presentation_5195_1524667160.pdf
Also, I would highly recommend you have dual-stack set up for all customers that might use CGNAT, as it has the potential to reduce helpdesk calls significantly due to there being no NAT for IPv6 traffic.
Regards, Philip Loenneker | Network Engineer | TasmaNet 40-50 Innovation Drive, Dowsing Point, Tas 7010, Australia P: 1300 792 711 philip.loenneker@tasmanet.com.au www.tasmanet.com.au
-- /* Matt Perkins Direct 1300 137 379 Spectrum Networks Ptd. Ltd. Office 1300 133 299 matt@spectrum.com.au Level 6, 350 George Street Sydney 2000 Spectrum Networks is a member of the Communications Alliance & TIO */
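The fixed N:1 sharing Philip describes (32 private IPs per public IP) and the data-retention traceability Mike mentions both rest on a deterministic address-and-port plan. The sketch below is an added example, not code from the thread, the wiki or the MUM presentation; it assumes equal port blocks carved from 1024-65535, and the address ranges are constructed (CGNAT shared space and a documentation prefix).

```python
import ipaddress

PORT_LO, PORT_HI = 1024, 65535  # assumption: well-known ports are never handed out


def build_plan(private_net, public_pool, ratio):
    """Map every private IP to (public IP, first port, last port).

    `ratio` private IPs share one public IP, each with a fixed,
    non-overlapping port block, so no per-connection NAT log is needed.
    """
    block = (PORT_HI - PORT_LO + 1) // ratio
    privs = list(ipaddress.ip_network(private_net))
    pubs = list(ipaddress.ip_network(public_pool))
    if len(privs) > len(pubs) * ratio:
        raise ValueError("public pool too small for this sharing ratio")
    plan = {}
    for i, priv in enumerate(privs):
        pub, slot = pubs[i // ratio], i % ratio
        lo = PORT_LO + slot * block
        plan[priv] = (pub, lo, lo + block - 1)
    return plan


def trace(plan, public_ip, port):
    """Reverse lookup for an abuse or data-retention request:
    which subscriber owns this public IP and source port?"""
    pub = ipaddress.ip_address(public_ip)
    for priv, (p, lo, hi) in plan.items():
        if p == pub and lo <= port <= hi:
            return priv
    return None  # port lies outside every allocated block


if __name__ == "__main__":
    # Constructed ranges: 256 subscribers behind 8 public IPs at 32:1.
    plan = build_plan("100.64.0.0/24", "203.0.113.0/29", 32)
    for priv in list(plan)[:3]:
        print(priv, "->", plan[priv])
    print("203.0.113.1:4000 belongs to", trace(plan, "203.0.113.1", 4000))
```

A trace request still needs the source port and a timestamp from the remote party's logs, and the plan has to be archived whenever the pool or the ratio changes.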