Maximum number of NAT users / sessions

If I understand it right, the maximum number of NAT sessions is limited by the number of connections at IP → Firewall → Connections → Max. Entries.
This value depends on the installed amount of RAM, and the maximum entry count can increase if the situation demands it and the router still has free RAM left.

So there is no real limit on the number of NAT users; there is a limit by the max. entries, which is limited by the free RAM. Is this right?

On a CCR1036-12G-4S I can see the max entries is by default 475,264 connections, and if there is enough free RAM this number would be automatically increased by the system.
Also I can decrease the "tcp-established-timeout" (default is 1 day).

Currently there are 5,100 NAT users and 65,500 connections. This means, if the users all have the same behavior, it should be no problem to run with 10,000 or 15,000 NAT users if there is enough CPU power and bandwidth.

Does somebody have experience with such a number of NAT users?

Thank you!

65500 is about the maximum number of sessions per single NAT IP (in general your public IP). If you need to do more sessions, make sure you have more IPs to do NAT on.

This means I need multiple public IPs and one NAT rule for each one?

Internal IP range for users: 10.10.0.0/18 = 10.10.0.2 - 10.10.63.254 (10.10.0.1 is the default gateway)
10.10.0.0/20 NAT to 1st public IP (4,093 users and 1 x default gateway)
10.10.16.0/20 NAT to 2nd public IP (4,094 users)
10.10.32.0/20 NAT to 3rd public IP (4,094 users)
10.10.47.0/20 NAT to 4th public IP (4,094 users)
One DHCP server with 4 IP pools
pool 1 = 10.10.0.2 - 10.10.15.254
pool 2 = 10.10.16.1 - 10.10.31.254
pool 3 = 10.10.32.1 - 10.10.47.254
pool 4 = 10.10.48.1 - 10.10.63.254
One Default Gateway 10.10.0.1

Best regards,

Ivan

OBSOLETE, go to:
https://forum.mikrotik.com/viewtopic.php?p=1010743#p1010743

If there are only 32767 ports in RouterOS for NAT and I have only one public IP for NAT, why do I have more than 50,000 connections?
This router is only doing NAT and routing…
I will look at this the next days.

Perhaps I do not understand your post…

If you mean "for each", there are 32767 ports for TCP and 32767 ports for UDP = 65534 ports
If you mean "for both", there are 32767 ports for TCP & UDP together

So, if it is 32767 ports for both and I have more than 50,000 connections @ 5,100 users, there are more than 17,233 ports used not for NAT.

I hope to have tomorrow again this number of users, so I will look more detailed at the number and type of connections.

Best regards,

Ivan

The socket pair (both ends of the communication) has to be unique for a session, but not the socket at one end. Clearly, one IP and port number on one system can have multiple sessions, provided that those sessions are terminated at different sockets on the far end.

Is this still true today? About only 32767 ports being used for NAT?

No. That was a nine year old post.

You can use any port you like from 1 to 65534 for a NAT.

It is a common misconception to think that you are limited to 65535 connections per "WAN" IP; you are limited to that only for a single destination IP, and you can reuse SRC port numbers for different destinations.

In the case of the MikroTik masquerade rule, it normally uses SRC port numbers from 32768-65535, but nothing prevents you from using custom src-nat rules to use ports from 1024-32767, for example.

Most of the time the problem when doing NAT for many end users with a single or a few IP addresses is that destination servers can see this as a spamming attack or something like that: if some user has bad behavior, it affects all users using the same WAN IP. Most of the time Carrier Grade NAT solves this issue by allowing destination servers to individualize each customer by its SRC-PORT number range.

This topic gives rise to too many misunderstandings.

For example, if you have 2 devices A and B and the gateway G:
A 192.168.0.11
B 192.168.0.12
G 192.0.2.1
and both try to contact website W "forum.mikrotik.com"; obviously they must be NATted, or the private IPs can't reach the site.

When A (or B) tries to connect to W, it does not use its own port 443, but a "like random" port between 32768 and 65534 (both numbers included), while obviously the destination port is 443.
G does the NAT on both connections
A:54859->W:443 to G:54859->W:443
B:45784->W:443 to G:45784->W:443
And when W replies, G correctly identifies whether the reply packet is for A or for B.

If for some reason A & B try to use the same random port (CAN HAPPEN), G's NAT uses another free port for that, still in the range 32768 to 65534 (both numbers included)
A:54859->W:443 to G:54859->W:443
B:54859->W:443 to G:62154->W:443
This way, when W replies, it is still possible for G to identify whether the reply packet is for A or for B.

So, by default, if not set otherwise, the ports used by the NAT are 32767 for each protocol where you can specify ports, such as TCP and UDP.
RouterOS (in the tests of the time, but I don't think anything has changed), if it runs out of ports, automatically does not use the other, lower ones.

Instead, as far as the topic of the thread is concerned,
approximately 23,000 connections can be tracked for every 32MB of memory.
As already specified, we mean ALL the connections that are tracked, so even those that are NOT NATted.
SO, the limit of NATted connections depends on memory.

But even if one had 1GB of memory, the NAT limit is not 32767 entries,
but 32767 entries multiplied by each public IP used, multiplied by each protocol used, multiplied by each different website…
For example, if one has 1 IP, the NAT limit is 32767 connections per protocol, for each single combination of REMOTE IP and PORT.
So if you have 32768 users that at the same time try to connect to https://forum.mikrotik.com, only 32767 work;
the 32768th user just cannot connect to https://forum.mikrotik.com, but can connect to any other site in the world.
(To be precise, since more TCP requests are opened to download web fonts, scripts, images, etc., the maximum number, at the same time, is actually much smaller.)

Many sites use CDNs, so it's actually very rare that all users have the same IP address for youtube.com,
so this problem, for the most visited sites, is very rare, if not impossible, to happen.

In short: the only limit is the device’s memory, ~23,000 total connections for every 32MB of memory.

EDIT: Thanks to @chechito: the MAX limit is hardcoded to 1048576, and at least 512MB is needed.
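The A/B/G walk-through above, as an added toy model (not RouterOS code and not part of the original post): a source-NAT table keyed the way connection tracking keys it, so a translated port only has to be unique per protocol, remote IP and remote port. It reproduces the port collision between A and B, shows the same inside port being reused untouched toward a different destination, and runs the 32768-users-to-one-site case to show that the 32767 limit is per destination, not per public IP. Addresses follow the post (A 192.168.0.11, B 192.168.0.12, G 192.0.2.1); the website W and a second site are given the documentation addresses 203.0.113.10 and 198.51.100.7 as placeholders.

```python
"""Toy NAPT (source-NAT) table: a public port is unique per
(protocol, remote IP, remote port), not per public IP.

Added illustration, not RouterOS code. W and OTHER are placeholder
destination addresses (RFC 5737 documentation ranges).
"""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

PORT_MIN, PORT_MAX = 32768, 65534       # default masquerade range quoted in the thread
POOL_SIZE = PORT_MAX - PORT_MIN + 1     # 32767 ports per protocol per destination

W, OTHER = "203.0.113.10", "198.51.100.7"   # constructed placeholder destinations


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NaptTable:
    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.outbound: Dict[Flow, int] = {}                        # inside flow -> public port
        self.inbound: Dict[Tuple[str, int, str, int], Flow] = {}  # (proto, pub port, dst ip, dst port) -> inside flow
        self.used: Dict[Tuple[str, str, int], Set[int]] = {}      # per destination: public ports in use
        self.hint: Dict[Tuple[str, str, int], int] = {}           # per destination: where to resume scanning

    def _pick_port(self, flow: Flow) -> Optional[int]:
        dkey = (flow.proto, flow.dst_ip, flow.dst_port)
        used = self.used.setdefault(dkey, set())
        if len(used) >= POOL_SIZE:
            return None                 # this destination is exhausted; others are unaffected
        # Keep the client's own port when it is in range and free
        # (the A:54859 -> G:54859 line in the post).
        if PORT_MIN <= flow.src_port <= PORT_MAX and flow.src_port not in used:
            return flow.src_port
        # Otherwise take the next free port of the pool. Which free port a real
        # NAT picks is implementation-defined; the post's 62154 is one example.
        p = self.hint.get(dkey, PORT_MIN)
        for _ in range(POOL_SIZE):
            cand = p
            p = PORT_MIN if p == PORT_MAX else p + 1
            if cand not in used:
                self.hint[dkey] = p
                return cand
        return None

    def translate(self, flow: Flow) -> Optional[int]:
        """Public source port for this inside flow, or None if the destination's pool is full."""
        if flow in self.outbound:
            return self.outbound[flow]
        port = self._pick_port(flow)
        if port is None:
            return None
        self.outbound[flow] = port
        self.used[(flow.proto, flow.dst_ip, flow.dst_port)].add(port)
        self.inbound[(flow.proto, port, flow.dst_ip, flow.dst_port)] = flow
        return port

    def reply_target(self, proto: str, public_port: int, remote_ip: str, remote_port: int) -> Optional[Flow]:
        """Reverse lookup for a reply packet arriving at the public IP."""
        return self.inbound.get((proto, public_port, remote_ip, remote_port))


def collision_demo() -> Tuple[int, int, int, str]:
    g = NaptTable("192.0.2.1")
    a = g.translate(Flow("tcp", "192.168.0.11", 54859, W, 443))     # keeps 54859
    b = g.translate(Flow("tcp", "192.168.0.12", 54859, W, 443))     # collides with A -> remapped
    c = g.translate(Flow("tcp", "192.168.0.13", 54859, OTHER, 443)) # other destination -> no collision
    owner = g.reply_target("tcp", b, W, 443).src_ip                # reply to B's port finds B
    return a, b, c, owner


def per_destination_limit_demo() -> Tuple[int, bool]:
    """32768 users all open W:443; the 32768th fails there but still reaches OTHER."""
    g = NaptTable("192.0.2.1")
    ok, last = 0, ""
    for i in range(32768):
        last = f"10.0.{i >> 8}.{i & 255}"       # constructed inside addresses
        if g.translate(Flow("tcp", last, 40000, W, 443)) is not None:
            ok += 1
    other_site = g.translate(Flow("tcp", last, 40000, OTHER, 443))
    return ok, other_site is not None


if __name__ == "__main__":
    print(collision_demo())
    print(per_destination_limit_demo())
```

The table key is the full 5-tuple on the inside and (protocol, public port, remote IP, remote port) on the outside, which is exactly why ports run out per destination rather than per public IP: the reply packet carries the remote socket, so the NAT can disambiguate two flows sharing one public port as long as their remote sockets differ.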

A fact that I forgot to add to the topic:

A few weeks ago in another topic it was confirmed that the connection-tracking max number of connections has a maximum limit of max-entries: 1048576 (approx. 1 million); no matter what device you have, you can't have more than that, up to date, in RouterOS.

In production the max I have seen is approx. 700k on a CCR1036 doing CG-NAT for 12 Gbit/s of traffic, tcp-established-timeout: 16m

Yes, 1048576 is hardcoded, and I have one high-end CCR for every 512 users, all with public IPs, so: no NAT…

IMO - I discovered a couple of years ago that when an ISP has a large number of users (thousand+) and you are using a MikroTik to NAT tens of thousands of RFC 1918 (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) or carrier-grade NAT (100.64.0.0/10) addresses, do not use the normal MikroTik NAT (aka NAT44); instead use NAT444 (note NAT44 vs NAT444).

I have around 2k clients (~1k wireless & ~1k fiber); my internet feed is a couple of 10-Gig BGP connections. The bulk of my ISP-to-customer WAN IPs are numbered into carrier-grade NAT 100.64.0.0/10 address space. I was using a couple of MikroTik CHR routers configured to use normal NAT44 so my clients could get to the Internet. We were starting to get some complaints about things not working correctly and some complaints about speed and video streaming issues. So, I did a whole bunch of reading and searching and discovered NAT444. So, I re-worked my NATting MikroTik CHR routers to use NAT444 (no longer using normal NAT44).

Wow!!! The increase in speed was fantastic and all complaints came to a complete halt, which made me, my staff and my customers very, very happy.

In my Mikrotik CHR NAT444 configuration , I use the following:

  • 8 live IP addresses per /21 per 100.64.0.0/21 block (I have many CGN /21 blocks I am performing NAT444 on).
  • 256 ports from a live IP per 100.64.0.0/32 inside IP address (example part of CHR config below):

/ip firewall nat
add action=src-nat chain=srcnat src-address=100.64.1.34 to-addresses=[Live-IP-x.y.x].182
add action=src-nat chain=srcnat src-address=100.64.1.2 to-addresses=[Live-IP-x.y.x].183
add action=jump chain=srcnat jump-target=NrWireless1 src-address=100.64.2.0/24
add action=jump chain=NrWireless1 jump-target=NrWireless1-0 src-address=100.64.2.0/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-1 src-address=100.64.2.16/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-2 src-address=100.64.2.32/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-3 src-address=100.64.2.48/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-4 src-address=100.64.2.64/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-5 src-address=100.64.2.80/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-6 src-address=100.64.2.96/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-7 src-address=100.64.2.112/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-8 src-address=100.64.2.128/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-9 src-address=100.64.2.144/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-10 src-address=100.64.2.160/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-11 src-address=100.64.2.176/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-12 src-address=100.64.2.192/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-13 src-address=100.64.2.208/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-14 src-address=100.64.2.224/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-15 src-address=100.64.2.240/28
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84 to-ports=1500-1749
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84 to-ports=1500-1749
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84 to-ports=1750-1999
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84 to-ports=1750-1999
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84 to-ports=2000-2249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84 to-ports=2000-2249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84 to-ports=2250-2499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84 to-ports=2250-2499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.6 to-addresses=[Live-IP-x.y.x].84 to-ports=2500-2749
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.6 to-addresses=[Live-IP-x.y.x].84 to-ports=2500-2749
… … …

As you can imagine, the config is huge and long; however, it works much, much faster than the normal MikroTik NAT44. Response time is way faster and total bandwidth throughput is much higher and (very important here…) no more customer complaints (zilch, nada, zero).

North Idaho Tom Jones
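The per-subscriber port-block layout shown in the config above (and the per-customer SRC-PORT range that the earlier CG-NAT post says lets remote servers tell customers apart), as an added example that is not the poster's script: a generator for the jump chains and the three-rules-per-inside-address blocks, plus the reverse lookup an operator needs when an abuse report names a live IP and port. Chain names, the 250-port blocks (1000-1249, 1250-1499, …) and the /24 into 16 x /28 split are taken from the config as posted; `LIVE_IP` is a placeholder for the redacted `[Live-IP-x.y.x]` address, and how /28s are distributed over live IPs is left to the caller.

```python
"""Generate RouterOS NAT444 rules with a fixed to-ports block per inside /32,
and map a (live IP, port) pair back to the subscriber that owns it.

Added example, not the poster's configuration. LIVE_IP below is a placeholder.
"""
import ipaddress
from typing import List, Optional, Tuple

FIRST_PORT = 1000       # first port of the first block, as in the posted config
PORTS_PER_USER = 250    # 1000-1249 is 250 ports (the post's text says 256; the rules show 250)


def port_block(index: int, first_port: int = FIRST_PORT, size: int = PORTS_PER_USER) -> Tuple[int, int]:
    lo = first_port + index * size
    return lo, lo + size - 1


def gen_jump_rules(parent_block: str, parent_chain: str, sub_prefix: int = 28) -> List[str]:
    """srcnat -> parent chain -> one sub-chain per /28, as in the posted config."""
    net = ipaddress.ip_network(parent_block)
    rules = [f"add action=jump chain=srcnat jump-target={parent_chain} src-address={net}"]
    for i, sub in enumerate(net.subnets(new_prefix=sub_prefix)):
        rules.append(f"add action=jump chain={parent_chain} jump-target={parent_chain}-{i} src-address={sub}")
    return rules


def gen_block_rules(inside_block: str, live_ip: str, chain: str,
                    first_port: int = FIRST_PORT, size: int = PORTS_PER_USER) -> List[str]:
    """Three rules per inside address: TCP and UDP pinned to the block, then a
    fallback without to-ports for protocols that carry no port (ICMP, GRE, ...)."""
    net = ipaddress.ip_network(inside_block)
    rules: List[str] = []
    for idx, host in enumerate(net):   # every address, .0 and .15 included, like the post
        lo, hi = port_block(idx, first_port, size)
        for proto in ("tcp", "udp"):
            rules.append(f"add action=src-nat chain={chain} protocol={proto} "
                         f"src-address={host} to-addresses={live_ip} to-ports={lo}-{hi}")
        rules.append(f"add action=src-nat chain={chain} src-address={host} to-addresses={live_ip}")
    return rules


def subscriber_for(public_port: int, inside_block: str,
                   first_port: int = FIRST_PORT, size: int = PORTS_PER_USER) -> Optional[str]:
    """Abuse-report handling: which inside address owns this public port on the
    live IP serving inside_block? No per-session logging needed because the
    mapping is static."""
    net = ipaddress.ip_network(inside_block)
    if public_port < first_port:
        return None
    idx = (public_port - first_port) // size
    return str(net[idx]) if idx < net.num_addresses else None


if __name__ == "__main__":
    LIVE_IP = "203.0.113.84"   # placeholder for [Live-IP-x.y.x].84
    print("\n".join(gen_jump_rules("100.64.2.0/24", "NrWireless1")))
    print("\n".join(gen_block_rules("100.64.2.0/28", LIVE_IP, "NrWireless1-0")))
    print(subscriber_for(2250, "100.64.2.0/28"))
```

One /28 with 250-port blocks occupies ports 1000-4999 on its live IP; passing `first_port=1000 + 4000*k` for the k-th /28 packs sixteen of them (a whole /24) onto one live IP below port 65000. The reverse lookup is only as good as the configuration it was derived from, so keep a dated copy of the block layout whenever blocks are renumbered, or an abuse report will be attributed to the wrong subscriber.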

I don’t use NAT, I just give REAL public IPs to clients, with IPv6 and MTU at 1500, because clients pay me for the service, so I give them The Service…

My ISP offers two types of accounts ;
Residential ( NAT444 )
Business ( Live IP addresses )

My ISP offers multiple account speed options also.

If a customer wants a live IP address (or live IP port-forwards), there is an additional $10 monthly fee.

Note:
I originally started my ISP using Live IP address to all customer WANS.
I often had thousands of port scans (from the Internet) scanning every IP in each of my /24 live IP networks. Often the port-scan connection attempts were hundreds or thousands of times more numerous than my customers' connections, which resulted in a heck of a lot of wasted wireless AP-client bandwidth. NAT44 fixed the port-scanning problems but created delay problems, because the NAT44 (normal NAT) consumed high CPU resources on my CHR, which also made customers start having some problems. So, I went to NAT444 and now everything is fast and clean and has no problems.

Now my wireless and fiber customers all have screaming high bandwidth (providing they order faster accounts).

North Idaho Tom Jones

And a CCR for every 512 customers!!!

Too much bling-bling