AlohaSpark
newbie
Topic Author
Posts: 45
Joined: Wed Jun 16, 2021 10:39 pm

How much of an impact does masquerade have versus src-nat?

Sun Jan 29, 2023 7:49 am

I am trying to figure out why my CCR1009 isn't pushing more than 500Mbps. CPU seems to be lightly loaded according to profiling during peak hours (5-10% total CPU usage, 15% on the highest-loaded core).

One piece of advice, according to this reply (viewtopic.php?t=149701#p736982), is to use src-nat rather than masquerade.

However, how much of an impact does this have? Will it halve NAT's CPU usage for example?
 
mkx
Forum Guru
Posts: 11439
Joined: Thu Mar 03, 2016 10:23 pm

Re: How much of an impact does masquerade have versus src-nat?

Sun Jan 29, 2023 12:38 pm

Performance-wise, masquerade should not be worse than src-nat. Masquerade has a few nice features which can turn nasty, and because of those its usage is not advised if the added functionality of masquerade is not required. OTOH, src-nat has some nice features as well (e.g. if more than one address on the out-interface is available, src-nat can be set to use multiple ... and in a deterministic way).

Masquerade detects a change of IP address on the out-interface and will reconfigure to match the new one. This is very handy in environments where this address changes frequently (e.g. in a home environment where the ISP assigns addresses dynamically). If the out-interface address in principle doesn't change (i.e. it's set statically), then this functionality of masquerade is not necessary (because to-addresses of src-nat can be set statically as well).
The nasty part of the above functionality is that when the router detects link-down on the out-interface, it prepares for an address change ... it flushes the connection tracking table (entries involving that particular out-interface) and all connections passing that out-interface have to re-establish after the link is up again. In a home environment with a few tens or hundreds of connections (by a few users) that's not a huge problem for the router, but when the router is used as a border gateway for many users and the number of connections goes into millions, it becomes a performance nightmare for the router (both due to the number of connections to be flushed and due to the number of connections that re-establish in a short time) ... it may take it into a downward spiral to the state of dropping everything (including PPPoE connections if the router is used as a PPPoE server).
And it all happens even if the out-interface address doesn't change eventually. If using src-nat, in the same scenario connections would only experience a hiccup due to a momentarily longer delay, and some packets would get retransmitted. But the event would pass without the big drama.
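The two rule forms discussed above, side by side, as an added RouterOS CLI example that is not from either poster; the interface name ether1 and the addresses (RFC 5737 documentation ranges) are assumed, and the second block assumes the WAN address is configured statically on ether1.

```routeros
# Assumed: WAN is ether1 with a static address 203.0.113.10/24 (constructed values).
# Dynamic-address form: masquerade tracks whatever address ether1 currently has.
# On link-down of ether1 it flushes conntrack entries for that interface, which is
# what the reply above warns about on a busy border router.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="dynamic WAN only"

# Static-address form: src-nat with an explicit to-addresses, which does not
# depend on address-change detection and so does not trigger the conntrack flush
# on a link flap. Use this when the out-interface address does not change.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=src-nat to-addresses=203.0.113.10 \
    comment="static WAN"

# Check that to-addresses really matches the address bound to the out-interface;
# a mismatch here silently breaks return traffic.
/ip address print where interface=ether1

# Operational check: note the tracked-connection count before and after an
# ether1 link flap. With masquerade it drops sharply; with src-nat it should
# stay roughly flat apart from normal churn.
/ip firewall connection print count-only
```

Keep only one of the two srcnat rules active for ether1; they are shown together only to contrast them.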
