I have a question regarding the performance of a CCR with **lots** of firewall rules.
I have 8000 clients behind the CCR and decided to do 'NAT preallocation': a set of customers share the same public IP address, but the range of ports used for the src-nat is limited per customer. No port should be shared by more than one private address.
For example:
Private-IP#1 -> Public IP#1 ports 2000 to 3999
Private-IP#2 -> Public IP#1 ports 4000 to 5999
[...]
Private-IP#3000 -> Public IP#200 ports 16000 to 17999
[...]
And so on...
#1 Restricting NATed ports for TCP
#2 Restricting NATed ports for UDP
#3 Allowing NAT for other protocols (ICMP, etc.)
Example:
# 1: TCP from this customer is src-natted only into its preallocated port block
/ip firewall nat add chain=srcnat action=src-nat disabled=no protocol=tcp src-address=[PRIVATE-IP] dst-address-list=!NONAT to-addresses=[PUBLIC-IP] to-ports=2000-3999
# 2: the same block for UDP (separate port space, so the same numbers can be reused)
/ip firewall nat add chain=srcnat action=src-nat disabled=no protocol=udp src-address=[PRIVATE-IP] dst-address-list=!NONAT to-addresses=[PUBLIC-IP] to-ports=2000-3999
# 3: everything else (ICMP etc.) is NATed to the same public IP, no port range applies
/ip firewall nat add chain=srcnat action=src-nat disabled=no src-address=[PRIVATE-IP] dst-address-list=!NONAT to-addresses=[PUBLIC-IP]
My question is whether there is a set of 'best practices' for accomplishing this.
Would using jump or address lists improve performance?
How does the number of firewall rules affect the throughput of the router?
Can I tweak the hardware CPU (irq/rsp/whatever) allocation for these tasks?
Any better idea?
Thanks!!
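As an added example (not part of the original post, and not MikroTik code), the following Python script computes a deterministic port preallocation of the kind described above, emits the matching RouterOS rules, checks that no two customers on the same public IP share a port, and answers the reverse question that makes preallocation worth doing: given a public IP and port from an abuse report, which private address was behind it. The address ranges (10.10.0.0/19 for customers, 198.51.100.0/24 and 203.0.113.0/24 as the public pool), the 2000-port block size, the 2000-65535 usable port window and the NONAT list name are assumptions chosen for the demo.

```python
# Added example: deterministic src-nat port preallocation for RouterOS.
# Addresses, block size and list name below are assumptions for the demo.
import ipaddress


def allocate(private_ips, public_ips, ports_per_customer=2000,
             first_port=2000, last_port=65535):
    """Assign each private IP a (public_ip, lo_port, hi_port) block.

    Blocks are handed out in order: the first N customers fill public IP #1,
    the next N fill public IP #2, and so on, so the mapping can be recomputed
    from the inputs alone and never needs a per-connection NAT log.
    """
    blocks_per_public = (last_port - first_port + 1) // ports_per_customer
    if blocks_per_public < 1:
        raise ValueError("port block is larger than the usable port window")
    capacity = blocks_per_public * len(public_ips)
    if len(private_ips) > capacity:
        raise ValueError(f"{len(private_ips)} customers need more than the "
                         f"{capacity} blocks available")
    alloc = []
    for i, priv in enumerate(private_ips):
        pub = public_ips[i // blocks_per_public]
        lo = first_port + (i % blocks_per_public) * ports_per_customer
        hi = lo + ports_per_customer - 1
        alloc.append((str(priv), str(pub), lo, hi))
    return alloc


def verify_no_overlap(alloc):
    """True if no two customers on the same public IP share any port."""
    by_pub = {}
    for priv, pub, lo, hi in alloc:
        by_pub.setdefault(pub, []).append((lo, hi, priv))
    for ranges in by_pub.values():
        ranges.sort()
        for (_, hi1, _), (lo2, _, _) in zip(ranges, ranges[1:]):
            if lo2 <= hi1:          # sorted by lo, so this is the only overlap case
                return False
    return True


def render_rules(alloc, nonat_list="NONAT"):
    """Emit the three RouterOS srcnat rules per customer (tcp, udp, other)."""
    lines = []
    for priv, pub, lo, hi in alloc:
        for proto in ("tcp", "udp"):
            lines.append(
                f"/ip firewall nat add chain=srcnat action=src-nat protocol={proto} "
                f"src-address={priv} dst-address-list=!{nonat_list} "
                f"to-addresses={pub} to-ports={lo}-{hi} comment=\"prealloc {priv}\""
            )
        # Catch-all for ICMP and other protocols; it sits after the tcp/udp rules
        # so those keep matching first, and ports do not apply here anyway.
        lines.append(
            f"/ip firewall nat add chain=srcnat action=src-nat "
            f"src-address={priv} dst-address-list=!{nonat_list} "
            f"to-addresses={pub} comment=\"prealloc {priv} other\""
        )
    return lines


def lookup(alloc, public_ip, port):
    """Reverse map (public IP, port) from an abuse report to the private IP."""
    for priv, pub, lo, hi in alloc:
        if pub == public_ip and lo <= port <= hi:
            return priv
    return None


def build_demo():
    """Constructed demo input: 8000 customers, two /24s of documentation space."""
    private_ips = list(ipaddress.ip_network("10.10.0.0/19").hosts())[:8000]
    public_ips = (list(ipaddress.ip_network("198.51.100.0/24").hosts())
                  + list(ipaddress.ip_network("203.0.113.0/24").hosts()))
    return allocate(private_ips, public_ips)


if __name__ == "__main__":
    alloc = build_demo()
    assert verify_no_overlap(alloc)
    for line in render_rules(alloc)[:6]:
        print(line)
    print("198.51.100.2:2500 ->", lookup(alloc, "198.51.100.2", 2500))
```

With a 2000-port block and a 2000-65535 window, each public IP carries 31 customers, so 8000 customers need 259 public addresses; `allocate` refuses to run rather than silently double-booking ports when the pool is too small, and `verify_no_overlap` is the check to run against whatever the router actually ends up with if the rules are later edited by hand.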