Hardware for 6000 concurrent users

Hi guys,

I’m new to Mikrotik’s brand so I’ve just registered to this forum hoping that you guys could give some help.

We have a Hotel Resort as customer and by their standards they’re considering Mikrotik’s gateway solution. So we are trying to figure out the correct model for them. I’m not new to firewall and hotspot solutions, but with some other brands they classify their products in a max-user limit or capacity so it’s easier to calculate a model on a max concurrent user basis.
As far as I know CCR Routers are just classified by their hardware specs, so with no experience with the brand there’s no way for me to estimate a hardware model that will fulfill the customer’s requirements.

This is what I know so far:
1.- We need a gateway or gateways that can handle traffic for 6000 or more (maybe 6500) concurrent guest users. They have 7 ISP modems that need to be connected to the router, one 1Gbps modem and six 200Mbps as WAN connections adding a total throughput around 2.2Gbps.
2.- From the LAN side will be 10Gigabit (SFP+) port connected to the core switch.
3.- The gateway will do NAT to the Internet and also be DHCP server for all users. There’s no splash portal but there will be a captive portal redirection to a 3rd party web services using AAA RADIUS Servers to authenticate. So all guest users will authenticate with an external portal. Also bandwidth limits will be needed. There are 3 or 4 guest classifications, each one will have a bandwidth limitation, let’s say for example: Gold Guest 10Mbps max, Silver Guest 7 Mbps max, and so on.
4.- So far I’m not sure if other type of policies will be needed like web/URL filtering.

I don’t know if the biggest model CCR1072-1G-8S+ by itself can handle that kind of traffic.
If just one model is not enough, is it possible to have 2 or three CCR to distribute the load like a cluster? Or will they have to operate as completely separated devices?

I know it’s complicated to estimate this, but maybe you guys that have used these routers and have field experience could share your thoughts.

Thanks in advance for all the help provided.

Best regards,

Great question, and just a question, are we to assume no wifi, this is all wired ethernet to rooms?

Hi Anav,

Good question, my bad for not being specific. Actually all guest users will be connected through a WiFi network. Each room has a wired AP, so all room-APs are connected to distribution switches, and these switches are connected to a Core SW. Also in this core SW is where the CCR Router is supposed to be connected from the LAN side.

Regards,

Well the resort has a captive audience, so I guess there are other APs throughout the resort so patrons are not ‘stuck in their rooms’ lol.
The only comment I would have is whatever you’re getting, get two of them, one in hot standby… If the main router fails, the hot standby takes over.
Otherwise you will have 650 screaming patrons!! (everything on UPS and backup generators too)

Yeah, there are more APs in other areas like pools, restaurants, etc.

Awesome, so it is possible to have Active-Standby mode. About this, if Active fails the Standby comes in automatically? I mean, by configuration is it possible to achieve this or is some manual setup needed?

Regards,

Sadly I am not aware of HA High Availability on MT devices as it was on zyxel routers I used in the past. However MT has something called VRRP which may be useful.
In general, one can always check WANIPs for availability and if not available switch to other WANIPs.
There is also OSPF BGP and other great acronyms!

https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP

https://mum.mikrotik.com/presentations/VN19/presentation_6558_1548048558.pdf

https://mum.mikrotik.com/presentations/CA15/presentation_2958_1447077137.pdf

@Anav is right - there is no built-in HA solution which would take care of everything. VRRP is a good example of standardized HA functionality, but it takes care only of IP addresses. It does not sync config etc.
It is possible, to some extent, to do almost full-blown HA by yourself with scripts which will synchronize particular sections of config. I have also seen a different approach - routers provisioned by an external server, based on database entries. (i.e. customer registers account, router receives command to create his VLAN, IP, Queue etc…) This way, you can either have a second router provisioned at the same time (and in case of failure, VRRP will take care of switching IP between master and slave) or you can have a second router sitting in storage and in case of failure quickly replace the device, run the provisioning script and you are back on track. (this will obviously take some time but your spare router won’t be blown by some unexpected electricity surge, if such a thing happens to your main router…)

Now, let’s get back to your original questions:

> some other brands they classify their products in a max-user limit or capacity

That is a typical oversimplified number. Personally, I hate that because it completely ignores the fact that the number depends on the features which will be used. For example with simple routing without NAT, Queues and Connection Tracking, my hAP ac^2 (tiny SOHO device) could easily accommodate thousands of customers. But once you add the NAT (which implies Connection tracking) or Queues, this number will go way way down.
You made a really good attempt to specify which features you need, however the most important - web/url filtering is still unknown. It is important to know that web/url filtering requires a lot of CPU+memory. In addition, it is not binary - does not matter whether you want or not want the feature. It actually depends on how many filters because each of them must be applied to all processed packets.
In my experience, I have seen CCR1036 easily handling over 500 NATted and Queued customers without a sweat (CPU around 15%). With simple math, we can extrapolate it and guess that with 50% utilization, it should handle around 1500 users. (obviously, don’t design your network to utilize 100% of any device. Always have enough spare)

Personally, I would be a bit hesitant to buy CCR1072 - it is quite expensive and for the same price, you can have 3 CCR1036-8G-2S+ (or 2 CCR1036-8G-2S+EM) which will give you a sufficient amount of 10G and 1G ports for your task and more flexibility if you go with automatic provisioning from a server (it is quite easy to “transfer” users from one router to another so you can practically do even load-balancing this way)

If the power is not sufficient, you can always get more devices and distribute the load so I would focus more on removing every SPOF (single point of failure), which might affect your network. 6000 users is almost like a small ISP and I would say that deserves proper network architecture… selecting best model comes only after you know how you connect your network.

I guess, in the end, the biggest challenge will be proper load-balancing with all those WANs :smiley:

Thanks guys, I appreciate very much your help.

I’ll investigate with the customer about web filtering. Since they are a hotel, filtering content for the guests is not that usual, usually they don’t want to add any restriction for their guest, but I want to consider worst case scenario, I’ll probably consider at least a very basic filtering that may require very few filters to apply.

About which model to use, based on your thoughts, probably we’ll have to use at least two or even more routers to share all the load. Fortunately the customer was considering initially a way way more expensive gateway that at the end didn’t work for them, so buying two or three CCR1072s should not be an issue, that’s why I suggested that model in the previous post. But I see there’s a CCR1036 model that has 16GB RAM, same as CCR1072, so I’m not sure if it would be best if I go for a 1036 model with that much RAM or go with the 8GB RAM version since I’ll be using more than one router.
Based on the numbers you shared, how many 1036s or 1072s do you think will be needed so 6000 users can be handled? I was thinking that maybe balancing 2 CCR1072s could handle that much traffic or go opposite with 4 CCR1036s.

Regards,

Try these guys, CleanBrowsing.org, simple and easy to use.

I assume if managers/owners want to block something, it will be competition websites. Not porn :laughing:
I mean… can you imagine a hotel blocking porn? They would be doomed to bankruptcy from their very first day