Hi folks.

I have a question regarding the performance on a CCR with **lots** of firewall rules.

I have 8000 clients behind the CCR and decided to make 'nat preallocation', having a set of customers sharing the same public IP address, but limiting the range of ports used for the src-nat. All the ports should not be shared for more than one private address.

For example:
To accomplish this I need 3 NAT rules for every private IP address:
#1 Restricting NAT'ed ports for TCP
#2 Restricting NAT'ed ports for UDP
#3 Allowing NAT for other protocols (ICMP, etc)

Example: This scenario push me to create 24000 srcNAT rules, and of course, the performance will be unacceptable if I don't try to lower the number of nat rules.

My question is if there is a set of 'best practices' to accomplish this.

Using jump or address lists will improve the performance?
How the qty of firewall rules affects the throughput of the router?
Can I tweak the hardware cpu (irq/rsp/whatever) allocation for this tasks?

Any better idea?

Thanks!!

A few tips you can use to gain more performance. The CCR is a massively parallel system that benefits from having many more simpler rules than a few complex ones. The number of rules you have doesnt matter but you need to make sure that they do not relate to each other or unnecessarily go through all of them. Make sure to disable passthrough for the rules.

Another thing you can do is simplify your rules. If lets say you have to generate a rule for each user to limit the rate at which they can transfer data at you might as well use a single QoS rule to define this. simple QoS rules are cheaper to implement than firewall.

If you use your firewall rules only for important things and do bandwidth management on QoS you will gain a lot of performance. If you need to NAT all your clients there are a few tricks you can do to reduce the number of NAT rules.
You can use general NAT rules like this.

Client connects to your router and gets IP from you. You add that IP to an address list called clients (make sure to use a timeout so that when they disconnect the IP doesnt linger there unnecessarily).

Now you need to NAT that connection you make a rule with this concept.
Destination NAT, source address list - clients, destination address list - !clients, out interface - WAN, action masquerade.

Than you use your traffic management all in QoS with only general rules in the firewall to drop traffic you dont like which can be applied to all.

If you need to do different types of NAT for different types of clients (for example if you are doing NAT for them so they share a public IP and you have some that have their own public IP than use different address lists and different rules) Address list can be really big and will only take ram. IPs can be part of multiple list at the same time.

For example you can have a list called internal with all IPs of your clients including their public or given LAN ones. You can than have 2 different IP lists, one which you need to perform NAT for and one which you do not so this way your general NAT rule would be from clients, to not internal and you can configure static routing to route traffic between your clients. Layer 3 routing between clients is cheaper than doing NAT between them.

Theres also a guide for the CCR explaining how do write your rules to get more performance out of them. Thankfully only each connection is limited to a single CCR core so even a single NAT rule for all can still go over all 36 cores if you have at least 36 connections (number of clients dont matter).

Address lists can avoid generating redundant rules.

Best tip would be to avoid using NAT.

Theres also a guide for the CCR explaining how do write your rules to get more performance out of them..

Could you provide a link please? Thanks

I have 8000 clients behind the CCR and decided to make 'nat preallocation', having a set of customers sharing the same public IP address, but limiting the range of ports used for the src-nat. All the ports should not be shared for more than one private address.

Correct me if I'm wrong.. do you need to spread ports usage among multiple (for nat only) pubblic IPs to avoid too fast recycling by conntrack (on peaks ..with thousands of users can become very little) ?

So, I guess, no problem for dedicated IP mapped clients ..maybe only performance optimization.

Although im not an ISP i do not use ports in any firewall configuration. The only thing is for masquerade you need to define your out interface other than that theres really no ports involved in configs except ofcourse to deny input/output to router except from yourself which in total are a few firewall rules.

Wait.. I was asking the OP why he needs nat port preallocation; I know only two reason for doing that:
1) "conntrack optimization" (especially in CGN scenario)
2) subscribers tracking
(Probably there are further reasonable reasons I ignore)
If the case is (1) I can suggest a solution using PCC to distribute src ip to predefined "N flows" (every client is always on the same if internal ip are consistent), then creating src-nat rules for the N flows. In this way you will have X*N rules, surely better than creating 3 rules for each customer.
If case (2) ..it depens on many other specs we don't have at the moment ..

SystemErrorMessage, the question to you was a link to the CCR guide you mentioned

I'm trying to create a home brew Carrier Grade NAT configuration with Mikrotik acording to RFC6888.

Creating a NAT preallocated set of rules allows the ISP to maintain a tracking of the customers using the RFC6598 address space. Otherwise we need to create a full logging of the flows originated in the customer side.

This is the only way to respond to the complaints originated on external companies and law enforcement units.

Regarding the 'is better to not use nat' comment: yes, you're right but we are in 2015 and IPv4 is no more a solution. If you implement dual stack or even 464xLAT you will need a CGN box or a NAT64 solution to be able to reach the dark side of the internet (ipv4).

My question is: "there is some kind of optimisation or possible solution if a CCR has lots of NAT rules?". In my lab, 48K of NAT rules on SRCNAT table does not allow the router to forward a single packet.

I don't know the internals of CCR. This could be optimised using address lists or jumps? or another idea?

Regards

I'm trying to create a home brew Carrier Grade NAT configuration with Mikrotik acording to RFC6888.

interesting topic

How did it go?
Did you find a suitable configuration to do the goal?

Thanks!

I'm trying to create an algorithm for creating several JUMP actions to nested chains, but is not done yet.