Hi all,

I thought members of this list may be interested in the results of some discussions that I have been having over the last few weeks with the tech team at MT regarding CGNAT implementations and RFC7422. In reaction to these discussions, Janis M and Maris have put together an article on the subject here:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444

Two important points coming out of this discussion are:

1) the src-nat table does not have a major impact on CPU resource, since only the first packet of a connection parses this table; therefore it is OK to have very large numbers of rules with no need for partitioning via multiple jump rules

2) a script published by Maris and Janis offers an effective way to build CGNAT rules with flexible definitions of src-port grouping

When we started talking about this, I was asking for a feature to make a CGNAT rule like that using just one entry, and although I still think that such a feature enhancement would be particularly valuable, this scripted result achieves pretty much exactly what I was asking for ;)

THANK YOU Maris and Janis M :-)

Cheers, Mike.
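Mike's point 2 (src-port grouping) and his later PS (a deterministic mapping as an alternative to keeping flow logs) are illustrated below by an added example; it is not the wiki script by Maris and Janis. It assigns each subscriber a fixed port block on a public address in the RFC 7422 style, reverses that mapping for a "who held this IP:port" query, and emits RouterOS srcnat rules. The pool sizes, block size and comment string are assumptions chosen for the example.

```python
import ipaddress

# Constructed parameters (assumptions for this example, not values from the wiki article)
PUBLIC_POOL = ipaddress.ip_network("203.0.113.0/30")  # 4 public addresses (documentation range)
INSIDE_POOL = ipaddress.ip_network("100.64.0.0/26")   # 64 subscribers in RFC 6598 shared space
FIRST_PORT = 1024                                     # ports below this are never handed out
BLOCK_SIZE = 1024                                     # fixed port block per subscriber (RFC 7422)
BLOCKS_PER_IP = (65536 - FIRST_PORT) // BLOCK_SIZE    # 63 blocks per public address


def subscriber_block(inside_ip):
    """Map an inside address to its fixed (public_ip, first_port, last_port) block."""
    idx = int(ipaddress.ip_address(inside_ip)) - int(INSIDE_POOL.network_address)
    if not 0 <= idx < INSIDE_POOL.num_addresses:
        raise ValueError(f"{inside_ip} is outside {INSIDE_POOL}")
    if idx >= BLOCKS_PER_IP * PUBLIC_POOL.num_addresses:
        raise ValueError("public pool has too few port blocks for the inside pool")
    public_ip = PUBLIC_POOL.network_address + idx // BLOCKS_PER_IP
    first = FIRST_PORT + (idx % BLOCKS_PER_IP) * BLOCK_SIZE
    return str(public_ip), first, first + BLOCK_SIZE - 1


def lookup_subscriber(public_ip, port):
    """Reverse the mapping: which inside address held public_ip:port?
    Because the allocation is deterministic, no per-connection log is needed.
    Returns None when that tuple was never allocated to anyone."""
    ip_off = int(ipaddress.ip_address(public_ip)) - int(PUBLIC_POOL.network_address)
    if not 0 <= ip_off < PUBLIC_POOL.num_addresses or not FIRST_PORT <= port <= 65535:
        return None
    idx = ip_off * BLOCKS_PER_IP + (port - FIRST_PORT) // BLOCK_SIZE
    if idx >= INSIDE_POOL.num_addresses:
        return None
    return str(INSIDE_POOL.network_address + idx)


def routeros_rules(comment="cgnat-det"):
    """Emit one srcnat rule per subscriber and transport protocol (RouterOS CLI syntax).
    to-ports only applies to tcp/udp, so the protocol must be stated on each rule."""
    rules = []
    for inside in INSIDE_POOL:
        public_ip, first, last = subscriber_block(str(inside))
        for proto in ("tcp", "udp"):
            rules.append(
                f"/ip firewall nat add chain=srcnat src-address={inside} protocol={proto} "
                f"action=src-nat to-addresses={public_ip} to-ports={first}-{last} "
                f"comment={comment}"
            )
    return rules


if __name__ == "__main__":
    print("\n".join(routeros_rules()))
    print(lookup_subscriber("203.0.113.1", 1500))  # the block owner, derived without any log
```

Per Mike's point 1, the 128 rules this produces cost the router only a one-off lookup per new connection, so the flat list needs no jump-rule partitioning.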
Sounds interesting Mike, thanks for the effort!

Regards
Paul

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Wednesday, 3 February 2016 12:46 PM
To: 'MikroTik Australia Public List'
Subject: [MT-AU Public] CGNAT implementation with routerOS

_______________________________________________
Public mailing list
Public@talk.mikrotik.com.au
http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
Sounds very interesting, any idea what sort of performance would be expected from say a 1072?

Matt.

On 3/02/2016 12:52 PM, Paul Julian wrote:
--
/* Matt Perkins
Direct 1300 137 379
Spectrum Networks Pty. Ltd.
Office 1300 133 299
matt@spectrum.com.au
Level 6, 350 George Street Sydney 2000
Spectrum Networks is a member of the Communications Alliance & TIO */
My interpretation of their comments about performance is that the CPU overhead impact on /any/ router will be minimal, to the extent that it is expected to work just fine on a 2011 series. Therefore, I suppose that a 1072 wouldn't even blink at it! :-D

Cheers! Mike.

Ps: I'm in the process of confirming with CAC whether this kind of scheme will suffice as an alternative to keeping netflow logs - which will save us (and lots of other folks) a MASSIVE amount of storage resource ;)
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Matt Perkins
Sent: Wednesday, 3 February 2016 1:14 PM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] CGNAT implementation with routerOS
Something that might be really cool for them to add. I had a suggestion from a couple of years ago: sync NAT / conntrack info between ROS routers. This would allow for seamless failover or asymmetric routing and NAT... Linux has a daemon and process for doing this.

A

-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Mike Everest
Sent: Wednesday, 3 February 2016 1:41 PM
To: 'MikroTik Australia Public List' <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] CGNAT implementation with routerOS
Participants (4): Alex Samad - Yieldbroker, Matt Perkins, Mike Everest, Paul Julian