atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 6:36 pm

Let's say I've got 150 addresses in 100.64.0.0/10 that I need to NAT to a public address. Assigning them 400 ports for both UDP and TCP, I'm looking at 300 NAT rules. See example:

add action=netmap chain=srcnat out-interface=wlan1 protocol=tcp src-address=100.64.0.2/24 to-addresses=X.X.X.X/30 to-ports=1024-1424
add action=netmap chain=srcnat out-interface=wlan1 protocol=tcp src-address=100.64.0.3/24 to-addresses=X.X.X.X/30 to-ports=1425-1824
add action=netmap chain=srcnat out-interface=wlan1 protocol=tcp src-address=100.64.0.4/24 to-addresses=X.X.X.X/30 to-ports=1825-2224
add action=netmap chain=srcnat out-interface=wlan1 protocol=tcp src-address=100.64.0.5/24 to-addresses=X.X.X.X/30 to-ports=2225-2624

add action=netmap chain=srcnat out-interface=wlan1 protocol=udp src-address=100.64.0.2/24 to-addresses=X.X.X.X/30 to-ports=1024-1424
add action=netmap chain=srcnat out-interface=wlan1 protocol=udp src-address=100.64.0.3/24 to-addresses=X.X.X.X/30 to-ports=1425-1824
add action=netmap chain=srcnat out-interface=wlan1 protocol=udp src-address=100.64.0.4/24 to-addresses=X.X.X.X/30 to-ports=1825-2224
add action=netmap chain=srcnat out-interface=wlan1 protocol=udp src-address=100.64.0.5/24 to-addresses=X.X.X.X/30 to-ports=2225-2624

1. Is this way too many rules?
2. Is there a better way to accomplish this?

Also, this is going on a CCR1072-1G-8S+ with 16 GB of RAM.

Thanks.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 7:16 pm

> 2. Is there a better way to accomplish this?
Buy "150" Public IP addresses.
 
atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 7:38 pm

> 2. Is there a better way to accomplish this?
> Buy "150" Public IP addresses.
Very funny lol.

You can't advertise 150 addresses into BGP. I'd have to spend 10-20k on a /24... I guess my question is, can a MikroTik router handle that much NAT? Even if I did buy addresses I would just want to use them as NAT pools anyway lol.
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 7:44 pm

I think you can search for CGNAT or deterministic NAT threads within this list.
 
atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 7:50 pm

> I think you can search for CGNAT or deterministic NAT threads within this list.
I found this in the documentation.

https://help.mikrotik.com/docs/display/ROS/NAT

There's a way to automate the creation of CGNAT rules by adding a function. This still doesn't answer the question of whether the router's performance is enough to handle that long a firewall NAT list. I plan on getting that list up to around 1000 internal IP addresses, so 2000+ lines long.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 7:51 pm

Clarification: for 150 CGNAT addresses and 4 public addresses, you don't need 150 rules per port-aware protocol in total if you use netmap as you seem to do; it is just 38 rules, as you handle four adjacent addresses with a single netmap rule. But maybe you only have a single public IP?

1. no *)
2. no **)

*) the rules in NAT chains only handle the initial packet of each connection, which means less than 5 % of all packets in most traffic patterns, so the number of rules per se is not a problem
**) with a linear set of 76 rules, an average initial packet has to traverse 38 rules in order to hit the correct one. You can reduce that to some 9.5 rules per average initial packet if you organize them into a (mostly) binary tree using action=jump rules, such as

chain=srcnat protocol=tcp action=jump jump-target=t0-255
### only non-tcp packets make it here
chain=srcnat protocol=udp action=jump jump-target=t0-255
### only non-tcp and non-udp packets make it here
chain=srcnat action=netmap to-addresses=x.x.x.x/30

chain=t0-255 src-address=100.64.0.128/25 action=jump jump-target=t128-255
chain=t0-255 src-address=100.64.0.64/26 action=jump jump-target=t64-127
chain=t0-255 src-address=100.64.0.32/27 action=jump jump-target=t32-63
chain=t0-255 src-address=100.64.0.16/28 action=jump jump-target=t16-31
chain=t0-255 src-address=100.64.0.8/29 action=jump jump-target=t8-15
chain=t0-255 src-address=100.64.0.4/30 action=jump jump-target=t4-7
### only packets from 100.64.0.0-.3 make it here
chain=t0-255 protocol=tcp action=netmap to-addresses=x.x.x.x/30 to-ports=a-b
chain=t0-255 protocol=udp action=netmap to-addresses=x.x.x.x/30 to-ports=a-b

chain=t4-7 protocol=tcp action=netmap to-addresses=x.x.x.x/30 to-ports=c-d
chain=t4-7 protocol=udp action=netmap to-addresses=x.x.x.x/30 to-ports=c-d

chain=t8-15 src-address=100.64.0.12/30 action=jump jump-target=t12-15
### only packets from 100.64.0.8-.11 make it here
chain=t8-15 protocol=tcp action=netmap to-addresses=x.x.x.x/30 to-ports=e-f
chain=t8-15 protocol=udp action=netmap to-addresses=x.x.x.x/30 to-ports=e-f

chain=t12-15 protocol=tcp action=netmap to-addresses=x.x.x.x/30 to-ports=g-h
chain=t12-15 protocol=udp action=netmap to-addresses=x.x.x.x/30 to-ports=g-h

etc...

So you end up with more rules configured, but fewer rules passed by an initial packet. But for just 150 CGNAT addresses, it may not be worth the effort.
 
atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 8:01 pm

Sindy,

After reading through that I think I see what you're getting at. I'll see if I can write a function that'll output the rules I need. Thanks.
 
atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 8:28 pm

Sindy,

So I basically took what you put in and edited it to make more sense to me, but I think I got the gist of it.

### TCP Filter
chain=srcnat protocol=tcp action=jump jump-target=CGNAT

### UDP Filter
chain=srcnat protocol=udp action=jump jump-target=CGNAT

### Everything Else Filter
chain=srcnat action=netmap to-addresses=x.x.x.x/30


chain=CGNAT src-address=100.64.0.0/27 action=jump jump-target=CGNAT-001
chain=CGNAT src-address=100.64.0.32/27 action=jump jump-target=CGNAT-002
chain=CGNAT src-address=100.64.0.64/27 action=jump jump-target=CGNAT-003
chain=CGNAT src-address=100.64.0.96/27 action=jump jump-target=CGNAT-004
chain=CGNAT src-address=100.64.0.128/27 action=jump jump-target=CGNAT-005
chain=CGNAT src-address=100.64.0.160/27 action=jump jump-target=CGNAT-006
chain=CGNAT src-address=100.64.0.192/27 action=jump jump-target=CGNAT-007
chain=CGNAT src-address=100.64.0.224/27 action=jump jump-target=CGNAT-008


### 100.64.0.0/27 make it here
chain=CGNAT-001 action=src-nat to-addresses=X.X.X.X to-ports=2000-2399 protocol=udp src-address=100.64.0.1 log=no log-prefix=""
chain=CGNAT-001 action=src-nat to-addresses=X.X.X.X to-ports=2000-2399 protocol=tcp src-address=100.64.0.1 log=no log-prefix=""
chain=CGNAT-001 action=src-nat to-addresses=X.X.X.X to-ports=2400-2799 protocol=udp src-address=100.64.0.2 log=no log-prefix=""
chain=CGNAT-001 action=src-nat to-addresses=X.X.X.X to-ports=2400-2799 protocol=tcp src-address=100.64.0.2 log=no log-prefix=""

etc ...
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 8:52 pm

I have deployed up to approx. 23.000 CG-NAT rules on a CCR1036 passing up to 10G total bandwidth. The key factor is working in fast-track mode and organizing the rules in a tiered structure; that way the worst case is a subscriber passing through only 110 rules, the average being half of that, 55 rules.

I use the script provided by the documentation to create the bulk of the rules, then do some reorganizing and renaming of chains to build the tiered structure.

https://help.mikrotik.com/docs/display/ ... AT(NAT444)


Beyond that, I think 16.000 NAT rules is a good balance.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 9:46 pm

> So I basically took what you put in and edited it to make more sense to me, but I think I got the gist of it.
Well, the only difference is the number of branches at each level of branching, and some small optimization. When taking into account addresses alone, I split it into two branches at each level (each bit of the source address), whereas you split it into 8 branches at first level (for the 3 most significant bits of the source address), and then apparently to 32 branches (up to the remaining 5 bits) at the next one.

So in my case, for 256 CGNAT addresses mapped to a single public address, I have 8 levels of branching, so the pass through the sorter takes 7 to 8 rules passed (due to the optimisation where the last jump rule in each chain is omitted and the executive rules are used directly); in your case, for 256 CGNAT addresses sorted using just two levels of branching, you have an average of 4 rules passed at the first level (min 1, max 8 rules), and an average of 16 rules passed at the second level (min 1, max 32).

But I still don't get whether you have a single public IP or four, as you use action=netmap and /30 to-addresses for the port-agnostic protocols. If you indeed have the whole /30 of public addresses, you can use a single executive rule for four private addresses, as the combination of the two least significant bits of the public source address and the port range will be unique for each CGNAT source address. So for 256 CGNAT addresses you'll only need 64 executive rules per protocol, each executive rule handling 4 addresses.

If so (256 CGNAT addresses mapped to 4 public ones), my binary sorter takes slightly less than 6 rules passed on average, your octal one takes 8 (4 in first branching, 4 in the second one). The number of individual rules in the sorter is, however, slightly lower in your approach: you have 8 rules in the first pass plus 8 groups of 8 rules in the second pass, so 8+64=72 in total; I've got 2 rules in the first pass, 2×2 in the second, 2^3 in the third ... and 2^6 in the 6th, so 2+4+8+16+32+64=126 in total. Minus the optimisations in both cases of course.
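The two sorter layouts discussed in this thread (sindy's binary tree of jump chains in the earlier reply, and the binary-versus-octal comparison above) can be generated and measured with a short script. The following is an added example, not code from the thread or from MikroTik; it generalizes the binary sorter to 2^b-way branching (b=1 reproduces the binary layout, b=3 the octal split at /27), applies the "last jump omitted, lowest sub-range falls through" optimisation at every level, and counts how many rules a connection's first packet evaluates, including the entry rule in srcnat and the executive netmap rule. It assumes a 100.64.0.0/24 CGNAT pool, a constructed placeholder public /30 (203.0.113.0/30), one netmap rule per protocol per CGNAT /30 with a 400-port block, and a hypothetical interface named "wan".

```python
"""Tiered CGNAT srcnat generator and rule-traversal model for RouterOS.

Added example, not from the thread.  Assumptions (not in the original posts):
the CGNAT pool is 100.64.0.0/24 (256 subscribers), the public pool is a
constructed placeholder /30 (203.0.113.0/30), every /30 of CGNAT addresses is
served by one netmap rule per protocol with its own block of 400 ports, and
the hypothetical WAN interface is called "wan".
"""
import ipaddress

CGNAT_POOL = ipaddress.ip_network("100.64.0.0/24")
PUBLIC_POOL = "203.0.113.0/30"      # constructed placeholder, not a real assignment
OUT_IFACE = "wan"                   # hypothetical interface name
LEAF_PREFIX = 30                    # one netmap rule maps 4 CGNAT -> 4 public addresses
PORTS_PER_LEAF = 400                # port block per leaf, as in the opening post
FIRST_PORT = 1024


def chain_name(net):
    """Chain names in the style of the thread: t0-255, t128-255, t4-7 ..."""
    first = int(net.network_address) - int(CGNAT_POOL.network_address)
    return f"t{first}-{first + net.num_addresses - 1}"


def build_sorter(bits_per_level):
    """Return {chain: [rule, ...]} for a 2**bits_per_level-way sorter.

    In every chain the higher sub-ranges get one jump rule each (highest first)
    and the lowest sub-range continues inline, so the last jump of each chain
    is omitted: the optimisation described in the thread.
    """
    rules = {}
    top = chain_name(CGNAT_POOL)
    # Entry rules in the built-in srcnat chain: port-aware protocols are sorted,
    # everything else is netmapped 1:1 without a port block.
    rules["srcnat"] = [
        {"proto": "tcp", "action": "jump", "target": top},
        {"proto": "udp", "action": "jump", "target": top},
        {"action": "netmap", "to": PUBLIC_POOL},
    ]
    _fill_chain(rules, top, CGNAT_POOL, bits_per_level)
    return rules


def _fill_chain(rules, chain, net, bits):
    lst = rules.setdefault(chain, [])
    while net.prefixlen < LEAF_PREFIX:
        step = min(bits, LEAF_PREFIX - net.prefixlen)
        subs = list(net.subnets(prefixlen_diff=step))      # ascending order
        for sub in reversed(subs[1:]):                      # highest range first
            lst.append({"src": sub, "action": "jump", "target": chain_name(sub)})
            _fill_chain(rules, chain_name(sub), sub, bits)
        net = subs[0]                                       # lowest range falls through
    # Leaf: one executive netmap rule per protocol with a port block unique to this /30.
    leaf = (int(net.network_address) - int(CGNAT_POOL.network_address)) // net.num_addresses
    lo = FIRST_PORT + leaf * PORTS_PER_LEAF
    for proto in ("tcp", "udp"):
        lst.append({"proto": proto, "action": "netmap", "to": PUBLIC_POOL,
                    "ports": (lo, lo + PORTS_PER_LEAF - 1)})


def render(rules):
    """Render the ruleset as RouterOS CLI lines."""
    lines = []
    for chain, lst in rules.items():
        for r in lst:
            parts = [f"/ip firewall nat add chain={chain}"]
            if chain == "srcnat":
                parts.append(f"out-interface={OUT_IFACE}")
            if "src" in r:
                parts.append(f"src-address={r['src']}")
            if "proto" in r:
                parts.append(f"protocol={r['proto']}")
            if r["action"] == "jump":
                parts.append(f"action=jump jump-target={r['target']}")
            else:
                parts.append(f"action=netmap to-addresses={r['to']}")
                if "ports" in r:
                    parts.append("to-ports={}-{}".format(*r["ports"]))
            lines.append(" ".join(parts))
    return lines


def rules_evaluated(rules, src, proto):
    """Rules a connection's first packet evaluates before a terminal action.
    A jump whose target chain matches nothing returns to the next rule."""
    src = ipaddress.ip_address(src)
    count = 0

    def walk(chain):
        nonlocal count
        for r in rules[chain]:
            count += 1
            if "src" in r and src not in r["src"]:
                continue
            if "proto" in r and r["proto"] != proto:
                continue
            if r["action"] == "jump":
                if walk(r["target"]):
                    return True
            else:
                return True
        return False

    walk("srcnat")
    return count


def traversal_stats(bits_per_level, proto="tcp"):
    """(total rules, average, worst case, best case) over every pool address."""
    rules = build_sorter(bits_per_level)
    total = sum(len(lst) for lst in rules.values())
    costs = [rules_evaluated(rules, a, proto) for a in CGNAT_POOL]
    return total, sum(costs) / len(costs), max(costs), min(costs)


if __name__ == "__main__":
    for bits in (1, 3):
        total, avg, worst, best = traversal_stats(bits)
        print(f"{2 ** bits}-way sorter: {total} rules; a TCP first packet evaluates "
              f"{avg:.2f} rules on average (min {best}, max {worst})")
    print("\n".join(render(build_sorter(1))[:10]))   # first lines of the binary ruleset
```

Running it shows that, once the fall-through optimisation is applied at every level, both layouts contain exactly 63 jump rules plus 128 executive rules (the 126 and 72 figures above count both branches of every split), so the configured rule count is the same; what differs is the per-packet cost, where the binary sorter evaluates a constant 8 rules for TCP while the octal one averages 10.75 with a worst case of 16. The model only counts rule evaluations, not the extra cost of a jump itself, so it is a comparison tool rather than a benchmark.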
 
atrisflex
just joined
Topic Author
Posts: 12
Joined: Thu Sep 08, 2022 7:39 pm

Re: How many Nat rules is too many Nat rules?

Tue Nov 15, 2022 9:54 pm

> So I basically took what you put in and edited it to make more sense to me, but I think I got the gist of it.
> Well, the only difference is the number of branches at each level of branching, and some small optimization. When taking into account addresses alone, I split it into two branches at each level (each bit of the source address), whereas you split it into 8 branches at first level (for the 3 most significant bits of the source address), and then apparently to 32 branches (up to the remaining 5 bits) at the next one.
>
> So in my case, for 256 CGNAT addresses mapped to a single public address, I have 8 levels of branching, so the pass through the sorter takes 7 to 8 rules passed (due to the optimisation where the last jump rule in each chain is omitted and the executive rules are used directly); in your case, for 256 CGNAT addresses sorted using just two levels of branching, you have an average of 4 rules passed at the first level (min 1, max 8 rules), and an average of 16 rules passed at the second level (min 1, max 32).
>
> But I still don't get whether you have a single public IP or four, as you use action=netmap and /30 to-addresses for the port-agnostic protocols. If you indeed have the whole /30 of public addresses, you can use a single executive rule for four private addresses, as the combination of the two least significant bits of the public source address and the port range will be unique for each CGNAT source address. So for 256 CGNAT addresses you'll only need 64 executive rules per protocol, each executive rule handling 4 addresses.
>
> If so (256 CGNAT addresses mapped to 4 public ones), my binary sorter takes slightly less than 6 rules passed on average, your octal one takes 8 (4 in first branching, 4 in the second one). The number of individual rules in the sorter is, however, slightly lower in your approach: you have 8 rules in the first pass plus 8 groups of 8 rules in the second pass, so 8+64=72 in total; I've got 2 rules in the first pass, 2×2 in the second, 2^3 in the third ... and 2^6 in the 6th, so 2+4+8+16+32+64=126 in total. Minus the optimisations in both cases of course.

Sorry, that /30 was a typo. I'm only going to have a single IP address to get started.
