Dear All,
We have a CCR1036-12G-4S-EM with version 6.27. The router config is very simple:
a/ 3 BGP sessions (full tables);
b/ NAT;
c/ Firewall (FORWARD chain is pass all, OUTPUT chain is pass all, INPUT chain with some firewall rules to allow specific management traffic and BGP connections, rest is discarded);
d/ Policy Based Routing;
I’d like to tweak the configuration, if possible, for better router performance:
The first change I am thinking about is disabling connection tracking. Questions:
How much of a performance increase can I expect?
Will PBR work without connection tracking? I guess yes, as it is done via MANGLE rules, right?
Will the firewall rules which just block specific ports work without connection tracking?
I know I will lose NAT, but this is not a problem.
As it is a CCR1036-12G-4S-EM, I’m also thinking about changing the interface queues to “multi-queue-ethernet-default” from “only-hardware-queue”.
Will this change improve packet forwarding performance?
Is it recommended to change this value on these routers?
You lose all firewall features, not only NAT, if you disable connection tracking.
I don’t see any advantage in any hint you post.
Remember, it is not a gaming PC, it is a RouterBOARD…
When disabling connection tracking, basic IP filtering still works. Connection tracking compares every packet with a list of connections, which might be very long on core routers. So disabling it is a good idea. We disable it on all routers except the CPEs which do NAT.
I simply leave it on “auto” on all machines; when you add some rule that requires it enabled, it all happens automatically…
About CCR and NAT, I do not think it is a big problem. I made some tests in the past with real user traffic near 200~250MB/s, and I really did not see appreciable differences with conntrack forced on or off, but with no NAT rule at that moment.
But the answer is simple: if you can not use NAT, never use it…
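As an added example, not taken from any post in this thread, here is a RouterOS 6 configuration in the spirit of the setup discussed: stateless INPUT rules for BGP and management plus a mangle routing mark for PBR, none of which needs connection tracking, with the one kind of rule that would switch it back on left as a comment. Interface names, peer addresses and the management subnet are assumptions (RFC 5737 documentation ranges).

```routeros
# Added example (assumed addresses/interfaces), not the poster's config.

# "auto" stays off as long as no rule needs conntrack (no NAT, no
# connection-state matchers), which is the behaviour the replies describe.
/ip firewall connection tracking
set enabled=auto

/ip firewall filter
# Stateless INPUT rules: they match only on address/protocol/port,
# so they keep working with connection tracking disabled.
add chain=input protocol=tcp dst-port=179 src-address=203.0.113.1 action=accept comment="BGP peer 1"
add chain=input protocol=tcp dst-port=179 src-address=203.0.113.2 action=accept comment="BGP peer 2"
add chain=input protocol=tcp dst-port=179 src-address=203.0.113.3 action=accept comment="BGP peer 3"
add chain=input protocol=tcp dst-port=22,8291 src-address=198.51.100.0/24 action=accept comment="management (SSH, Winbox)"
add chain=input protocol=icmp action=accept
add chain=input action=drop comment="everything else to the router is discarded"
# A rule like this one uses a connection-state matcher and would force
# conntrack on again in "auto" mode, so it is deliberately left out:
# add chain=input connection-state=established,related action=accept

/ip firewall mangle
# PBR via mangle: a routing mark is set per packet and does not need conntrack.
add chain=prerouting src-address=192.0.2.0/24 action=mark-routing \
    new-routing-mark=via-isp2 passthrough=no

/ip route
# Default route used only by packets carrying the mark above.
add dst-address=0.0.0.0/0 gateway=203.0.113.2 routing-mark=via-isp2

/queue interface
# Interface queue type can be changed live (no reboot), as noted below.
set [find interface=ether1] queue=multi-queue-ethernet-default
```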
As it is a CCR1036-12G-4S-EM, I’m also thinking about changing the interface queues to “multi-queue-ethernet-default” from “only-hardware-queue”.
Just tried: no appreciable differences, but I did not do it on the main core… I do not want 4000 angry users…
Will this change improve packet forwarding performance?
Hardware usually is faster than software.
I expect suggestions from other users.
Is it recommended to change this value on these routers?
It must be tested with very heavy traffic, but CCRs are so powerful that there is no need to change from the hardware value.
Does this change require a router reboot?
No, you can do it live.
That is not true, I just tested it on my core CCR1036-12G-4S. I created one fake NAT rule, which activated conntrack,
but some seconds after I deleted the rule (not instantly) conntrack was automatically disabled.