Let's say I've got 150 100.64.0.0/10 addresses I need to NAT to a public address. Assigning them 400 ports for both UDP and TCP, I'm looking at 300 NAT rules. See Example:
You can't advertise 150 addresses into BGP. I'd have to spend 10-20k on a /24… I guess my question is, can a MikroTik router handle that much NAT? Even if I did buy addresses I would just want to use them as NAT pools anyways lol.
There's a way to automate the creation of CGNAT rules by adding a function. This still doesn't answer the question of whether the router performance is enough to handle that long a firewall NAT list. I plan on getting that list up to around 1000 internal IP addresses, so 2000+ lines long.
Clarification: for 150 CGNAT addresses and 4 public addresses, you don’t need 150 rules per port-aware protocol in total if you use netmap as you seem to do, it is just 38 rules as you handle four adjacent addresses by a single netmap rule. But maybe you only have a single public IP?
no *)
no **)
*) the rules in NAT chains only handle the initial packet of each connection, which means less than 5 % of all packets in most traffic patterns, so the number of rules per se is not a problem
**) with a linear set of 76 rules, an average initial packet has to traverse 38 rules in order to hit the correct one. You can reduce that to some 9.5 rules per average initial packet if you organize them into a (mostly) binary tree using action=jump rules, such as
So you end up with more rules configured, but fewer rules passed by an initial packet. But for just 150 CGNAT addresses, it may not be worth the effort.
I have deployed up to approx. 23,000 CG-NAT rules on a CCR1036 passing up to 10G total bandwidth. The key factor is working in fast-track mode and organizing rules in a tiered structure; that way the worst case is a subscriber passing through only 110 rules, the total average being half of that, 55 rules.
I use the script provided by the documentation to create the bulk of the rules, then some reorganizing and renaming of chains to build the tiered structure.
Well, the only difference is the number of branches at each level of branching, and some small optimization. When taking into account addresses alone, I split it into two branches at each level (each bit of the source address), whereas you split it into 8 branches at first level (for the 3 most significant bits of the source address), and then apparently to 32 branches (up to the remaining 5 bits) at the next one.
So in my case, for 256 CGNAT addresses mapped to a single public address, I have 8 levels of branching, so the pass through the sorter takes 7 to 8 rules passed (due to the optimisation where the last jump rule in each chain is omitted and the executive rules are used directly); in your case, for 256 CGNAT addresses sorted using just two levels of branching, you have an average of 4 rules passed at the first level (min 1, max 8 rules), and an average of 16 rules passed at the second level (min 1, max 32).
But I still don’t get whether you have a single public IP or four, as you use action=netmap and /30 to-addresses for the port-agnostic protocols. If you indeed have the whole /30 of public addresses, you can use a single executive rule for four private addresses, as the combination of the two least significant bits of the public source address and the port range will be unique for each CGNAT source address. So for 256 CGNAT addresses you’ll only need 64 executive rules per protocol, each executive rule handling 4 addresses.
If so (256 CGNAT addresses mapped to 4 public ones), my binary sorter takes slightly less than 6 rules passed on average, your octal one takes 8 (4 in first branching, 4 in the second one). The number of individual rules in the sorter is, however, slightly lower in your approach: you have 8 rules in the first pass plus 8 groups of 8 rules in the second pass, so 8+64=72 in total; I’ve got 2 rules in the first pass, 2×2 in the second, 2^3 in the third … and 2^6 in the 6th, so 2+4+8+16+32+64=126 in total. Minus the optimisations in both cases of course.
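The binary jump-chain sorter and the "one netmap rule per public-sized block" idea discussed in this thread, as an added example that is not anyone's posted configuration. It assumes 100.64.0.0/24 mapped to a constructed public /30 (203.0.113.0/30), 400 ports per address starting at 1024, RouterOS-style rule syntax, and the optimisation that the last sorter level emits the executive rules directly instead of a final jump; `rules_passed` counts how many rules an initial packet traverses in this layout.

```python
import ipaddress

def build_cgnat_rules(cgnat_net="100.64.0.0/24", public_net="203.0.113.0/30",
                      ports_per_addr=400, first_port=1024):
    """Return (sorter, execs) as RouterOS-style srcnat lines (syntax assumed).
    One executive netmap rule covers a public-sized block of CGNAT addresses
    (4 per /30): the two low bits pick the public IP, the block index picks
    the port range, so every CGNAT address gets a unique (IP, ports) pair.
    The sorter is a binary jump tree over successive source-address bits."""
    cgnat, pub = ipaddress.ip_network(cgnat_net), ipaddress.ip_network(public_net)
    n_exec = cgnat.num_addresses // pub.num_addresses   # executive rules per protocol
    depth = n_exec.bit_length() - 1                      # binary levels needed
    if 1 << depth != n_exec:
        raise ValueError("number of blocks must be a power of two")
    sorter, execs = [], []
    for level in range(depth):
        subs = list(cgnat.subnets(new_prefix=cgnat.prefixlen + level + 1))
        for node in range(1 << level):
            chain = "srcnat" if level == 0 else f"s{level}_{node}"
            for bit in (0, 1):
                child = 2 * node + bit            # subnet index at the next level
                if level + 1 < depth:             # inner level: jump one bit deeper
                    sorter.append(f"add chain={chain} src-address={subs[child]} "
                                  f"action=jump jump-target=s{level + 1}_{child}")
                else:                             # last level: executive rules directly
                    lo = first_port + child * ports_per_addr
                    hi = lo + ports_per_addr - 1
                    if hi > 65535:
                        raise ValueError("port space exhausted")
                    for proto in ("tcp", "udp"):
                        execs.append(f"add chain={chain} src-address={subs[child]} "
                                     f"protocol={proto} action=netmap "
                                     f"to-addresses={pub} to-ports={lo}-{hi}")
    return sorter, execs

def rules_passed(src, proto, cgnat_net="100.64.0.0/24", public_net="203.0.113.0/30"):
    """Rules an initial packet from `src` traverses in the layout above:
    a 0 bit matches the first rule of a chain (1 rule), a 1 bit the second (2);
    on the executive level tcp precedes udp within each block."""
    cgnat, pub = ipaddress.ip_network(cgnat_net), ipaddress.ip_network(public_net)
    depth = (cgnat.num_addresses // pub.num_addresses).bit_length() - 1
    host_bits = cgnat.max_prefixlen - cgnat.prefixlen
    offset = int(ipaddress.ip_address(src)) - int(cgnat.network_address)
    count = 0
    for level in range(depth):
        bit = (offset >> (host_bits - 1 - level)) & 1
        count += 1 + bit if level + 1 < depth else 2 * bit + (1 if proto == "tcp" else 2)
    return count

if __name__ == "__main__":
    sorter, execs = build_cgnat_rules()
    print(len(sorter), "sorter rules;", len(execs), "executive rules")
    print(*sorter[:2], *execs[:2], sep="\n")
```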