CCR RAM SCAM!?

Please prove me wrong.

I found this old thread. It looks like RouterOS is only using 2GB RAM regardless of the platform. Even the official hardware from Mikrotik cannot utilise more than 2GB of RAM. Does that mean RouterOS is not meant to be used at large scale? Am I missing anything here?

This number in “max-entries” will increase only when needed. When you have 60’000 entries, the max entries will increase to accommodate that. I know it may be confusing, but it works that way. It will not reserve RAM for connections that don’t exist. It will increase when you hit the limit for some period of time. It will use 16GB, there is no scam :wink:

What does it have to do with RAM??? It looks like the amount of connections in conntrack is simply limited to half a million, and together with the RAW table (firewall filter that happens before connection tracking) added to the latest versions, I do not see the reason why there should be more.

Memory is utilized quite well, especially when you are using BGP, so there is no limit on RAM usage.

Hi normis. Thank you for the quick reply. But please read carefully. The total-entries is already greater than max-entries. I don’t see max-entries increased anyhow. The original post of the thread even kept it running for hours on x86 platform and didn’t see the value changed.
max-entries: 524288
total-entries: 524316

Original post artificially increased connections for experiment sake. Do you really need half a million connections? In what real-life scenario?

Thank you for your reply. But the original post already quoted normis. normis said the following in this thread, so I assume connection tracking has something to do with RAM.

Well… What is wrong with “artificially increased connections for experiment sake”? People need to test the limit of the hardware/software. How are people supposed to test without artificially generating data? We all need to test the equipment before we deploy to a production environment. At least I would’ve done my feasibility study first, which is what I am doing now.

Well… I plan to start a small ISP for my neighbourhood. I happen to live around a college campus. There is an entire village of college students here. As we all know, college students do whatever they want. Let’s say for example they all use BitTorrent. It’s very easy to reach 10000 connections for 1 PC with BitTorrent running. Let’s say 1 house has 10 PCs and I would start small with just 10 houses. That’s already 1 million connections.

Based on the math, 1 CCR can only serve 5 clients max…

Sorry, but what planet are you from?

I have a /22 network full with clients, and the only time I ran into problems with the amount of connections was when I was under a DDoS attack (to be more precise - some of the clients were infected to be a part of a DDoS attack to somewhere).

It is 500k, that is 500 connections per /22 client. Atm they use 83 connections on average.

Haha. I’m living on planet Earth. I believe it’s the same planet as yours.

Anyway, joking aside.

Thank you very much for your valuable experience. Do you use connection tracking for your firewall? If so, how many connections do you normally get for presumably 1000 clients? Do you have SNMP set up to track your connections? Do you ever see your max-entries greater than 500k?

Thank you very much in advance if you can share more about your real life situation.

Edit: Thank you. I see you added your comment. How do you manage to have only 83 connections on average? Do your clients not use BitTorrent? Don’t they download anything from Internet? Can you please share a bit more. Thank you.

First of all, putting a stateful firewall on such a large network is stupid. On almost all my routers that work with 100+ clients I have connection tracking off.

But after I got a call that I’m the source of a DDoS attack, I had to turn it on for some “special” clients.

Now with the new RAW table - especially action=no-track, all problems are solved. I can leave the firewall on for some clients, and the rest of the clients go “no-track” mode. So I can’t give you a number for the whole /22 network, I can just say that those “special” clients are using 83 connections on average right now.
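The split described above, as an added example that is not part of the thread (the subnet, address list name and threshold are assumed; the RouterOS CLI keyword is `notrack`, which the post writes as “no-track”). Clients in the untracked range must be routed with public addresses, since NAT in RouterOS depends on connection tracking.

```routeros
# Added example (not from the thread). Assumed: clients live in 10.10.0.0/22 and are
# routed, not NATed; the "special" clients that stay under conntrack are listed below.
/ip firewall address-list
add list=tracked-clients address=10.10.1.0/24 comment="example subnet kept under connection tracking"

# The raw table runs before connection tracking, so anything hit by action=notrack
# never consumes a conntrack entry. Tracked clients are accepted first, in both
# directions, then the rest of the range bypasses conntrack.
/ip firewall raw
add chain=prerouting src-address-list=tracked-clients action=accept comment="keep in conntrack"
add chain=prerouting dst-address-list=tracked-clients action=accept comment="keep in conntrack"
add chain=prerouting src-address=10.10.0.0/22 action=notrack comment="bypass conntrack"
add chain=prerouting dst-address=10.10.0.0/22 action=notrack comment="bypass conntrack"

# Filter rules only ever see the tracked flows; untracked packets have no
# connection-state, so stateful rules must not be the only path for them.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward src-address-list=tracked-clients connection-state=new action=accept
add chain=forward src-address=10.10.0.0/22 src-address-list=!tracked-clients action=accept

# Check headroom against max-entries; run in the terminal or paste as a script body.
# The thread shows total-entries slightly above max-entries, so compare, do not assume.
:local used [/ip firewall connection tracking get total-entries]
:local max [/ip firewall connection tracking get max-entries]
:put ("conntrack entries: " . $used . " of " . $max)
:if ($used > ($max * 9 / 10)) do={ :log warning "conntrack table above 90% of max-entries" }
```

Scheduling the last four lines as a script gives a log entry well before the table fills, which is the point at which new tracked flows start failing.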

Thank you for your reply once again.

I don’t really want to use connection tracking, but I see an example from wiki that marks connections to handle load balancing. Is there a better way to load balance without using connection tracking? How do you manage your WAN connections in such scale? This is my bottleneck right now.

normis!!! Please don’t disappear on me.

Can you please please elaborate on how max-entries for connection tracking works? Is it NOT properly implemented?

Is it just like what macgaiver said that we shouldn’t use connection tracking in large scale?

BGP is managing it for me :slight_smile:

PCC is fine for client’s network if you use NAT.

OTZ…

Thank you, but I guess BGP doesn’t work for me. I honestly have no clue what BGP is besides it’s a routing protocol like OSPF. I have never ever had my hands on BGP in my life. I don’t think my local ISPs would ever let me use BGP or any other routing protocol.

Like I said, I would like to start small, subscribe to a better ADSL/Fibre line and resell it.

I just had a quick look at my local ISP (Bell Canada). Its Business level doesn’t say anything about BGP and I don’t think I can afford the Enterprise level of Internet. In other words, I need connection tracking with more than 500k.

I’m 99,999% sure you will be fine with 500k

Hahaha!!! Thank you very much. It’s nice to have someone in the field saying so.

normis! Can you please confirm if it’s a bug that can be fixed regarding the 500k? Although I may not (0.001%) need it, it’s still good to know it’s there when I need it.

We use a hash function in our connection tracking table; the bigger the table, the bigger the size of the hash necessary to map all connections. The bigger the hash size, the slower the searches, the more resources used, etc.

So there is no point having a bigger hash than you can possibly need. From our experience in support, the number of connections is rarely the bottleneck, but all those cases were fixed with the firewall raw table and the “no-track” action.

I strongly suggest testing everything out before jumping to theoretical conclusions.

normis! Thank you very VERY MUCH. Your answer has been very helpful. :slight_smile:

My idea is just to prepare for the very worst case scenario. I will try my best to come up with the most efficient firewall rules for my needs, and play with the RAW table.

Originally it was something like “I’m 99,999% sure you will be fine with 640k” :laughing:

Well, now it’s official. There’s a hard limit on the number of entries in the connection tracking table: http://forum.mikrotik.com/t/v6-38rc-release-candidate-is-released/102037/78

So, no 16G can be used =)