CGN NAT ( NAT444 ) help

It is well in the context of the current topic so I’d say it is OK, but I am neither an admin nor the OP so my opinion is not much significant.

Definitely not with a high severity, the new connection just does not get through.

No. In better case (Mikrotik), the TCP connection attempt will just time out, and the browser will show a corresponding error message like “the server did not respond”. In worse case (other devices I’ve seen), the newer connection will succeed but it will break some existing older one. A UDP attempt will also time out and the application will notify the user depending on how it is written. As @sup5 alerts, DNS request may be quite severely affected.

As I wrote to @anav above - you need a number of factors to aggregate in order that a limited pool of ports per source IP address and destination socket address would cause a problem to the source. When normal web browsers open multiple connections for a single page, these rarely open towards the same server. If VOD is “video on demand”, the issue would pop up if more devices at customer site would connect to the same server at the “broadcasting” end than the number of ports dedicated for that customer. So I’d personally be most afraid of DNS requests to get affected.

But still, original and re-used ports are always binded to the very same private IP, right ?

Can you elaborate, both above points, please ?

In the first one, are you implying DNS requests pass through the router implementing NAT ? If this router also act as a DNS server, DNS requests won’t be NATed at all, would they ?

In the second one, are you referring to udp-timeout and udp-stream-timeout ? What could be “aggressive but not too aggressive” values ?

Yes. For the same private IP, the same pool of ports is used for all connections.

Follow up
So far , I have converted about 5 or 6 CGN networks/vlans ( 100.64.x.y/21 ) from normal NAT44 to NAT444.
In all cases, I am getting reports that customer networks are working better and that some things that did not used to work now work ( now work with NAT444 ).

I am using 250 ports per NATted CGN customer IP. Then the customer router we maintain is also doing NAT ( normal NAT44 ).

Each /24 ( 255 NATted 100.64.x.y/24 IPs ) is NATting to one live IP address where each client has a port range of 250 IPs.
So , when NATting ( NAT444 ) a /21 ( eight C networks ) , each C network is NATting to one live IP address.

The customers on each NAT44 network which I have converted to NAT444 appear to be running faster and so far I have had zero customer tech-support calls since they were converted.

There are two items of interest; When converting a NATted ( NAT44 ) network to a NAT 444 network , the procedure is remove one line ( the lone/single NAT ( NAT44 ) line in the configuration and then paste in almost 1-thousand lines of code to get NAT444 running. So far , I am over 34-thousand lines of NAT444 code in the nat configuration. (( I would of never thought that more lines of nat configuration code would run faster - go figure … )).

One good thing for me is that it is super easy and quick to lookup and identify what customer is being referenced when I now get one of those copyright notices where some customer downloaded a copyrighted movie. These notices provide two pieces of information ( Live-IP-Address and the Port-Number ), With this , it is simple to quickly identify the customer.


North Idaho Tom Jones

I’m closely following this thread as I urgently need to prepare for such notices (
In a worst case scenario, if I can’t get severaI IP, I would have to NAT traffic from 250 devices into 1 public IP.
In case I can’t implement CGN, I was thinking of implementing a NAT-logging system instead, maybe using Netflow.

I’m still hesitating between both routes (logging or CGN).

In your worst case scenario - do you have 250 devices on an inside NATted /24 network ?
Do you have an available Live-IP-Address that is not being used at this time ?
If you don’t have a un-used IP free available address, then it may be possible to NAT444 to the outside Live-IP-Address of your NAT router. Is this your plan ?
Are you wanting to NAT an inside network that is larger than a /24 ( or multiple /24 networks ) ?

I might be able to make a config and send it to you so that all you have to do is:

• disable the existing nat statements and paste in the new NAT444 statements.

North Idaho Tom Jones

First of all, I would like to thank you for sharing your experiences here and helping us. I’m currently doing research to switch to nat444 from nat44, and I’m wondering that how do you print all these rules on your CHR , Can you help me to fight with this?

Regards,

re: … wondering that how do you print all these rules on your CHR …


forget about pasting it in - way to many lines of code and chances are high of a dropped line.

I ended up makin a text file and uploaded the text file to the CHR via winbox , then ran the file as a script ( I think my file was a .rsc file ?? ) — Anyway - that way worked well and pretty fast.

note - I have just over 1,000 fiber connected customers , average customer traceroute through the fiber network through chr distribution router - through my chr bandwidth shaper through my chr NAT444 , through my CHR OSPF router , through my CHR BGP router averages about .02 ms to .5 ms ( sometimes 2 ms ) per hop ( that includes going through the chr NAT444 router !!! ) ---- and this is while 1k fiber customers are average combined passing 2 to 4 Gig of Internet traffic through the same chr NAT444 router..


North Idaho Tom Jones

I was talking about this, yes its better to import it to the CHR .rsc or prepare txt file but how do you prepare this files ? do you write them to the txt by your self or any script to create or any web page that create these rules.

how many port do you use for per customer without problem ? at the topic seems that 250 port per ip , still no any problem with 250 port ?

When I created my NAT444.rsc file , I used an txt editor. I first created a base configuration , then pasted in my config , edit the original config then past-append to my rsc file , then repeat many times.



Here is a clippit sample of my RSC file that I used. ( note - my actual rsc file was much much larger !!!

/ip firewall nat
add action=src-nat chain=srcnat src-address=100.64.1.34 to-addresses=
A.B.C.182
add action=src-nat chain=srcnat src-address=100.64.1.2 to-addresses=
A.B.C.183
add action=jump chain=srcnat jump-target=NrWireless1 src-address=
100.64.2.0/24
add action=jump chain=NrWireless1 jump-target=NrWireless1-0 src-address=
100.64.2.0/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-1 src-address=
100.64.2.16/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-2 src-address=
100.64.2.32/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-3 src-address=
100.64.2.48/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-4 src-address=
100.64.2.64/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-5 src-address=
100.64.2.80/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-6 src-address=
100.64.2.96/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-7 src-address=
100.64.2.112/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-8 src-address=
100.64.2.128/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-9 src-address=
100.64.2.144/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-10 src-address=
100.64.2.160/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-11 src-address=
100.64.2.176/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-12 src-address=
100.64.2.192/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-13 src-address=
100.64.2.208/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-14 src-address=
100.64.2.224/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-15 src-address=
100.64.2.240/28
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.0
to-addresses=A.B.C.84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.0
to-addresses=A.B.C.84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.0 to-addresses=
A.B.C.84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.1
to-addresses=A.B.C.84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.1
to-addresses=A.B.C.84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.1 to-addresses=
A.B.C.84

…


add action=jump chain=srcnat jump-target=PlWireless1 src-address=
100.64.80.0/24
add action=jump chain=PlWireless1 jump-target=PlWireless1-0 src-address=
100.64.80.0/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-1 src-address=
100.64.80.16/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-2 src-address=
100.64.80.32/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-3 src-address=
100.64.80.48/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-4 src-address=
100.64.80.64/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-5 src-address=
100.64.80.80/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-6 src-address=
100.64.80.96/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-7 src-address=
100.64.80.112/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-8 src-address=
100.64.80.128/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-9 src-address=
100.64.80.144/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-10 src-address=
100.64.80.160/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-11 src-address=
100.64.80.176/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-12 src-address=
100.64.80.192/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-13 src-address=
100.64.80.208/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-14 src-address=
100.64.80.224/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-15 src-address=
100.64.80.240/28
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.0
to-addresses=A.B.C.224 to-ports=1000-1249
add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.0
to-addresses=A.B.C.224 to-ports=1000-1249
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.0 to-addresses=
A.B.C.224
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.1
to-addresses=A.B.C.224 to-ports=1250-1499


…



add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.1
to-addresses=A.B.C.224 to-ports=1250-1499
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.1 to-addresses=
A.B.C.224
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.2
to-addresses=A.B.C.224 to-ports=1500-1749
add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.2
to-addresses=A.B.C.224 to-ports=1500-1749
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.2 to-addresses=
A.B.C.224

Thank you for sharing, I am starting to do the same process, only by using netmap instead of src-nat, I aim to reduce the number of rules.

Don’t forget to read this:
http://forum.mikrotik.com/t/how-to-edge-router-and-bng-optimization-for-isps/150007/1

Bear in mind that 250 ports per customer actually mean 250 ports per connection to a particular remote socket, so far more than 250 connections per customer in total. There are just a few scenarios where that may still be a limitation - what comes to my mind is that some of your customers would have hundreds of IoT devices talking to the same cloud server. Too many kids watching Youtube are far less likely.

As for the creation of the rules, I always prefer to use a script to generate any kind of large configurations because if you make a mistake in the script, you learn about it quite quickly as it affects a good deal of the result; if you make a mistake in the copy-paste-edit process, it is much harder to notice. So even though the time spent on writing the script may be similar to the one spent on copy-paste-edit, the debugging phase is typically faster.

It’s not the number of firewall/nat rules that slows down throughput and places a large CPU load on the system. What slows down a system is how many rules have to be processed to get packets through the system. Thus - efficient use of jump tables is where you get the speed because you are then able to jump/skip rules that do not apply to a packet. Thus a large number of rules is OK if you have efficient jump tables to quickly get packets through the system.

example below for efficient use of jumps ( note - did not double check my counts )
however , the concept I am emphasizing is to make rules/test that result is the fewest condition tests being performed/examined and exit/finish the rules with the average fewest number of condition test being performed - to get the fastest average speed. Something similar to this applies to your code when creating a NAT444 configuration that may be thousands of lines of code.

X equals any random whole number from 1 to 10

010 if X = 1 then finish/exit all other tests
020 if X = 2 then finish/exit all other tests
030 if X = 3 then finish/exit all other tests
040 if X = 4 then finish/exit all other tests
050 if X = 5 then finish/exit all other tests
060 if X = 6 then finish/exit all other tests
070 if X = 7 then finish/exit all other tests
080 if X = 8 then finish/exit all other tests
090 if X = 9 then finish/exit all other tests
100 finish/exit all other tests ( same as if X = 10 then finish/exit all other tests without the if test )

• 10 lines - Average number of lines processed per X is 5

X equals any random whole number from 1 to 10

010 if X > 5 jump to 500
020 if X = 1 then finish/exit all other tests
030 if X = 2 then finish/exit all other tests
040 if X = 3 then finish/exit all other tests
050 if X = 4 then finish/exit all other tests
060 finish/exit all other tests
500 if X = 6 then finish/exit all other tests
510 if X = 7 then finish/exit all other tests
520 if X = 8 then finish/exit all other tests
530 if X = 9 then finish/exit all other tests
540 finish/exit all other tests

• 11 lines - Average number of lines processed per X is 4

X equals any random whole number from 1 to 10

010 if X > 8 jump to 800
020 if X > 6 jump to 600
030 if X > 4 jump to 400
040 if X > 2 jump to 300
100 if X = 1 then finish/exit all other tests
110 finish/exit all other tests
300 if X = 3 then finish/exit all other tests
310 finish/exit all other tests
400 if X = 5 then finish/exit all other tests
410 finish/exit all other tests
500 if X = 7 then finish/exit all other tests
510 finish/exit all other tests
600 if X = 9 then finish/exit all other tests
610 finish/exit all other tests

• 14 lines - Average number of lines processed per X is 3.5

This reminds me of a simple test procedure:

• you have nine identical looking marbles
• eight marbles are the same weight
• one marble is heavier than the other eight marbles
• you have a balance scale
  Find the one heaver marble using the balance scale only 3 times.

will definitely be examined in detail , thanks for inform

I think using 250 ports may cause problems, for example a crowded restaurant… That’s why I asked how is going with 250 ports.

Thank you very much for the examples and information. It’s great that you care so much about the subject.
I created the nat rules and jump rules and I am currently testing it in a /22 ip pool and waiting results…
also I put 4000 port for per ip

It didn’t even come to my mind you might plan on connecting businesses, let alone hospitality ones, this way. Indeed if the whole restaurant is watching youtube, or even worse, if the restaurant has a cloud-based order management service used directly by the guests, 250 ports might be insufficient.

IMO - if the customer is a business, then sell them a high-speed business account with a static IP address - otherwise no normal residential customer will never need to make 250+ port connections to any single Internet located server. If a customer needs to make 250+ port connections to anything , then they are behaving like a business so then sell them a business account with a static IP address.