Yeah, personally, I'd split it between multiple boxes and do something like one /21 per box. It makes things a bit more complex, but it also means that if one of those boxes does happen to croak, you only have to deal with a quarter of the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

> Thanks for the tip. I don't know why I didn't think to use the filter.
> I guess 1,000 or so subscribers equals 26,000 or so connections. That's good to know.
> In this instance I have a private /21 NAT'd onto a public /28 with the CCR 1036 and have plenty of spare room on the CPU.
>
> Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is only about $800 from Baltic. You could get 4 of those for your 8,000 user load and have 4 hot spares in the rack. Assign a private /21 to each unit. You could create a LAG for the 4 10G ports to get a 40G uplink.
>
> ------ Original Message ------
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: 1/15/2018 3:40:37 PM
> Subject: Re: [AFMUG] IPv4 exhaust again
>
> filter by reply destination address and then by tcp state established is what i did
>
> On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
>
>> I took him to mean subscribers when he said 8000 connections.
>> As far as Layer 4 connections we're performing NAT for, I'm not totally sure how to tell.
>> If I torch the LTE PDN interface, it counts up for a while and then freezes.
>> Connection tracking is showing something like 120,000 items but that isn't strictly stuff we're NAT'ing. Some traffic just passes through.
>>
>> ------ Original Message ------
>> From: "Steve Jones" <thatoneguyst...@gmail.com>
>> To: af@afmug.com
>> Sent: 1/15/2018 2:21:54 PM
>> Subject: Re: [AFMUG] IPv4 exhaust again
>>
>> srcnat is what we use. 1800 connections right now from one section of the network
>>
>> On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> What flavor of NAT does mikrotik implement?
>>>
>>> *From:* Chuck McCown
>>> *Sent:* Monday, January 15, 2018 12:07 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> Wonder how heavy we can load that... I would want it to be able to handle 8000 connections.
>>>
>>> *From:* Steve Jones
>>> *Sent:* Monday, January 15, 2018 12:05 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> ccr1072
>>>
>>> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>
>>>> What are you using? Router NAT or a server or ?
>>>>
>>>> *From:* Steve Jones
>>>> *Sent:* Monday, January 15, 2018 11:48 AM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>> I'm not going to lie, we are natting at 1:300 across a handful of publics and have little to no issue, though we really should since the customer router double NATs
>>>>
>>>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>>
>>>>> I need to have about /19 worth of customers natted to as few V4s as is needed to make it work properly.
>>>>>
>>>>> We currently have about 3 /21s I think. Don't want to have to buy a fourth.
>>>>>
>>>>> *From:* Dennis Burgess
>>>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>>>> *To:* af@afmug.com
>>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>>
>>>>> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to less than 254 ips. :)
>>>>>
>>>>> *Dennis Burgess – Network Solution Engineer – Consultant*
>>>>> MikroTik Certified Trainer/Consultant <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>>> Radio Frequency Coverages: www.towercoverage.com
>>>>> Office: 314-735-0270
>>>>> E-Mail: dmburg...@linktechs.net
>>>>>
>>>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>>>> *To:* af@afmug.com
>>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>>
>>>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 customers 2k ports each. That's *source* ports, so they're not limited to 8k, 4k or 2k connections total. You have to look at it in both directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper than that.
>>>>>
>>>>> Seems to be a whole lot easier than some crazy NAT appliance that's running the whole network. I haven't done anything like this, but I'm considering it. I think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap for that.
>>>>>
>>>>> Something else to keep in mind is that most consumer grade routers still have a fairly limited connection table. My Cambium cnPilot router I have at home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While even a low-end MikroTik will give you >100k.
>>>>>
>>>>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>>>>
>>>>> Planning to buy another /21 or some such thing .... again ......
>>>>>
>>>>> So going to attempt to NAT the whole frigging company.
>>>>>
>>>>> Seems like I am going in reverse here.
>>>>>
>>>>> If we can make NAT work for most customers, then that will buy us time to build our magic V4 translator gateway box for a V6 only network.
>>>>>
>>>>> Any suggestions on the best way to do this?
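A worked example, added here and not part of the thread, of the port-block CGN arithmetic George describes (8 customers at 8k ports each) and of why the two mappings toward 8.8.8.8:53 and 8.8.4.4:53 can share one external port: the NAT table is keyed on the full tuple, so exhaustion is per remote endpoint, not per subscriber. The 10.10.8.0/21 customer range, the 203.0.113.0/28 pool and the port-slicing rule are assumptions for illustration, not any vendor's implementation.

```python
import ipaddress

# Constructed ranges for illustration (not from the thread): one private /21 per
# NAT box, translated onto a public /28 pool, as Adam describes. All 16 pool
# addresses are usable for NAT since none is bound to an interface.
PRIVATE = ipaddress.ip_network("10.10.8.0/21")
PUBLIC_POOL = [str(a) for a in ipaddress.ip_network("203.0.113.0/28")]
PORT_LO, PORT_HI = 1024, 65535  # external source ports handed out per public IP


def port_block(src_ip, ratio):
    """Deterministic CGN: `ratio` subscribers share one public IP, each owning a
    fixed, equal slice of its source ports. Returns (public_ip, first, last)."""
    idx = int(ipaddress.ip_address(src_ip)) - int(PRIVATE.network_address)
    if not 0 <= idx < PRIVATE.num_addresses:
        raise ValueError(f"{src_ip} is not in {PRIVATE}")
    pub_idx, slot = divmod(idx, ratio)
    if pub_idx >= len(PUBLIC_POOL):
        raise ValueError(f"{ratio}:1 cannot cover {PRIVATE} with {len(PUBLIC_POOL)} public IPs")
    size = (PORT_HI - PORT_LO + 1) // ratio  # 8:1 -> 8064 ports, 128:1 -> 504 ports
    first = PORT_LO + slot * size
    return PUBLIC_POOL[pub_idx], first, first + size - 1


class Cgn:
    """Port-block NAT whose table is keyed on the full tuple, so one external port
    is reusable toward different remote endpoints (the 8.8.8.8 / 8.8.4.4 case)."""

    def __init__(self, ratio):
        self.ratio = ratio
        self.table = {}  # (src_ip, src_port, dst_ip, dst_port) -> (ext_ip, ext_port)

    def translate(self, src_ip, src_port, dst_ip, dst_port):
        key = (src_ip, src_port, dst_ip, dst_port)
        if key in self.table:  # existing flow: reuse its mapping
            return self.table[key]
        ext_ip, first, last = port_block(src_ip, self.ratio)
        # Return traffic is matched on (ext_ip, ext_port, dst_ip, dst_port), so only
        # ports this subscriber already uses toward this exact endpoint are off limits.
        busy = {ep for (s, _, d, dp), (_, ep) in self.table.items()
                if s == src_ip and (d, dp) == (dst_ip, dst_port)}
        candidates = [src_port] if first <= src_port <= last else []  # keep port if we can
        candidates += range(first, last + 1)
        for ext_port in candidates:
            if ext_port not in busy:
                self.table[key] = (ext_ip, ext_port)
                return self.table[key]
        raise RuntimeError(f"{src_ip}: all {last - first + 1} ports busy toward {dst_ip}:{dst_port}")
```

Raising the ratio shrinks each subscriber's block, so the failure mode to watch for is a single customer opening many flows to one remote endpoint (a busy DNS resolver, say), which is exactly what the per-endpoint check surfaces.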