Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Mike Hammett

Not unless it's also doing uPNP somehow. 




- 
Mike Hammett 
Intelligent Computing Solutions 

Midwest Internet Exchange 

The Brothers WISP 




- Original Message -

From: "Kurt Fankhauser" <lists.wavel...@gmail.com> 
To: af@afmug.com 
Sent: Monday, January 15, 2018 12:45:46 PM 
Subject: Re: [AFMUG] IPv4 exhaust again 


does CG-NAT work with the Xbox people? 


On Mon, Jan 15, 2018 at 1:39 PM, Chuck McCown < ch...@wbmfg.com > wrote: 






I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly. 

We currently have about 3 /21s I think. Don’t want to have to buy a fourth. 




From: Dennis Burgess 
Sent: Monday, January 15, 2018 11:34 AM 


To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again 





Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:) 



Dennis Burgess – Network Solution Engineer – Consultant 
MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE 

For Wireless Hardware/Routers visit www.linktechs.net 
Radio Frequency Coverages: www.towercoverage.com 
Office: 314-735-0270 
E-Mail: dmburg...@linktechs.net 



From: Af [mailto: af-boun...@afmug.com ] On Behalf Of George Skorup 
Sent: Monday, January 15, 2018 12:28 PM 
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again 

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that. 

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that. 

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k. 

On 1/15/2018 11:35 AM, Chuck McCown wrote: 





Planning to buy another /21 or some such thing again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time to build 
our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this? 
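
The per-subscriber port-block scheme George Skorup describes in the quoted message above, worked through as an added example (not code from anyone on the list). It assumes the RFC 6598 shared range 100.64.0.0/19 inside, the documentation range 203.0.113.0/24 outside, a hypothetical class name, and that ports below 1024 are left unused, so the blocks come out slightly under 8k/4k/2k. Because the mapping is pure arithmetic, an abuse report naming a public IP and source port resolves to one subscriber without per-connection NAT logs.

```python
import ipaddress

FIRST_PORT = 1024                  # assumption: well-known ports are never handed out
PORT_SPACE = 65536 - FIRST_PORT    # 64512 usable source ports per public IPv4


def public_ips_needed(subscribers, ratio):
    """Public IPv4 addresses required to carry `subscribers` at `ratio`:1."""
    return -(-subscribers // ratio)          # ceiling division


class DeterministicCgn:
    """Fixed port-block CGN plan: subscriber N always gets the same public
    address and the same contiguous source-port block (hypothetical helper)."""

    def __init__(self, private_net, public_net, ratio):
        self.private = ipaddress.ip_network(private_net)
        self.public = ipaddress.ip_network(public_net)
        self.ratio = ratio
        self.block = PORT_SPACE // ratio     # source ports per subscriber
        needed = public_ips_needed(self.private.num_addresses, ratio)
        if needed > self.public.num_addresses:
            raise ValueError(
                f"{ratio}:1 needs {needed} public IPs, pool has "
                f"{self.public.num_addresses}")

    def forward(self, private_ip):
        """Private address -> (public address, first port, last port)."""
        ip = ipaddress.ip_address(private_ip)
        if ip not in self.private:
            raise ValueError(f"{private_ip} is outside {self.private}")
        idx = int(ip) - int(self.private.network_address)
        public_ip = self.public.network_address + idx // self.ratio
        first = FIRST_PORT + (idx % self.ratio) * self.block
        return str(public_ip), first, first + self.block - 1

    def reverse(self, public_ip, port):
        """(public address, source port) seen by a remote site -> subscriber.

        Returns None when the port belongs to no block (below FIRST_PORT or
        in an unused remainder), which means the flow did not come from a
        subscriber through this plan."""
        ip = ipaddress.ip_address(public_ip)
        if ip not in self.public:
            raise ValueError(f"{public_ip} is outside {self.public}")
        if not FIRST_PORT <= port <= 65535:
            return None
        slot = (port - FIRST_PORT) // self.block
        if slot >= self.ratio:
            return None
        idx = (int(ip) - int(self.public.network_address)) * self.ratio + slot
        if idx >= self.private.num_addresses:
            return None
        return str(self.private.network_address + idx)


if __name__ == "__main__":
    # A /19 of subscribers at the three ratios from the message.
    for ratio in (8, 16, 32):
        print(f"{ratio}:1 -> {public_ips_needed(2 ** 13, ratio)} public IPs, "
              f"{PORT_SPACE // ratio} source ports per subscriber")

    cgn = DeterministicCgn("100.64.0.0/19", "203.0.113.0/24", 32)
    print(cgn.forward("100.64.0.33"))        # which block a subscriber owns
    print(cgn.reverse("203.0.113.1", 4000))  # who owned a reported ip:port
```

The block size limits a subscriber's simultaneous source ports, not total connections: the same public port can be reused toward different destinations, as the 8.8.8.8 / 8.8.4.4 pair in the message shows.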








Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
Well depends on what you consider down, and if you have to have all of that.  
Really just a matter of engineering it all.  But that’s just me.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 3:48 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

If they are smart enough to reboot a router or just keep trying for a few 
seconds and then can continue, that is non-service affecting.
If our call center lights up with 200 calls, that is service affecting.

From: Dennis Burgess
Sent: Monday, January 15, 2018 2:44 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

That really depends on what you consider “non-service affecting” ..  I would 
argue that as long as customers can get out and customers can get into their 
public IPs, a 10-30 seconds of them not getting out, is fine.  Finding products 
that store connections etc, and continues a download during the failure, gets 
real costly.  Just my two cents, but I do understand your point of view.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 3:38 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Just need it to be:
Totally automatic failover
Non service affecting

We will soon have either 100 Gig or 40 Gig to the world.
So I am thinking whatever we use needs to be multiple units all running in 
parallel.

From: Dennis Burgess
Sent: Monday, January 15, 2018 2:33 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
setup correctly.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] IPv4 exhaust again

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett 
<dmmoff...@gmail.com<mailto:dmmoff...@gmail.com>> wrote:
Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.





Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
If they are smart enough to reboot a router or just keep trying for a few 
seconds and then can continue, that is non-service affecting.
If our call center lights up with 200 calls, that is service affecting.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 2:44 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

That really depends on what you consider “non-service affecting” ..  I would 
argue that as long as customers can get out and customers can get into their 
public IPs, a 10-30 seconds of them not getting out, is fine.  Finding products 
that store connections etc, and continues a download during the failure, gets 
real costly.  Just my two cents, but I do understand your point of view.  

 

 


 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 3:38 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

 

Just need it to be:

Totally automatic failover

Non service affecting

 

We will soon have either 100 Gig or 40 Gig to the world.  

So I am thinking whatever we use needs to be multiple units all running in 
parallel.  

 

From: Dennis Burgess 

Sent: Monday, January 15, 2018 2:33 PM

To: af@afmug.com 

Subject: Re: [AFMUG] IPv4 exhaust again

 

You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
setup correctly. 

 

 


 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

 

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

 

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

  Thanks for the tip.  I don't know why I didn't think to use the filter.

  I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.

  In this instance I have a private /21 NAT'd onto a public /28 with the ccr 
1036 and have plenty of spare room on the CPU.

   

  Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports 
is only about $800 from Baltic.  You could get 4 of those for your 8,000 user 
load and have 4 hot spares in the rack.   Assign a private /21 to each unit.  
You could create a LAG for the 4 10G ports to get a 40G uplink.

   

   

   


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
That really depends on what you consider “non-service affecting” ..  I would 
argue that as long as customers can get out and customers can get into their 
public IPs, a 10-30 seconds of them not getting out, is fine.  Finding products 
that store connections etc, and continues a download during the failure, gets 
real costly.  Just my two cents, but I do understand your point of view.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 3:38 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Just need it to be:
Totally automatic failover
Non service affecting

We will soon have either 100 Gig or 40 Gig to the world.
So I am thinking whatever we use needs to be multiple units all running in 
parallel.

From: Dennis Burgess
Sent: Monday, January 15, 2018 2:33 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
setup correctly.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com<mailto:af@afmug.com>>
Subject: Re: [AFMUG] IPv4 exhaust again

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett 
<dmmoff...@gmail.com<mailto:dmmoff...@gmail.com>> wrote:
Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.





Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
Just need it to be:
Totally automatic failover
Non service affecting

We will soon have either 100 Gig or 40 Gig to the world.  
So I am thinking whatever we use needs to be multiple units all running in 
parallel.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 2:33 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
setup correctly. 

 

 


 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

 

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

 

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

  Thanks for the tip.  I don't know why I didn't think to use the filter.

  I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.

  In this instance I have a private /21 NAT'd onto a public /28 with the ccr 
1036 and have plenty of spare room on the CPU.

   

  Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports 
is only about $800 from Baltic.  You could get 4 of those for your 8,000 user 
load and have 4 hot spares in the rack.   Assign a private /21 to each unit.  
You could create a LAG for the 4 10G ports to get a 40G uplink.

   

   



Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
setup correctly.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett 
<dmmoff...@gmail.com<mailto:dmmoff...@gmail.com>> wrote:
Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.


-- Original Message --
From: "Steve Jones" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: 1/15/2018 3:40:37 PM
Subject: Re: [AFMUG] IPv4 exhaust again

filter by reply destination address and then by tcp state established is what I 
did

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett 
<dmmoff...@gmail.com<mailto:dmmoff...@gmail.com>> wrote:
I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally sure how 
to tell.
If I torch the LTE PDN interface, it counts up for awhile and then freezes.
Connection tracking is showing something like 120,000 items but that isn't 
strictly stuff we're NAT'ing.  Some traffic just passes through.


-- Original Message --
From: "Steve Jones" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

I'm not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)



Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
Note, it's 4 SFP, not SFP+; there is a 2-port SFP+ version of the 1036.



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Adam Moffett
Sent: Monday, January 15, 2018 3:02 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.


-- Original Message --
From: "Steve Jones" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: 1/15/2018 3:40:37 PM
Subject: Re: [AFMUG] IPv4 exhaust again

filter by reply destination address and then by tcp state established is what I 
did

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett 
<dmmoff...@gmail.com<mailto:dmmoff...@gmail.com>> wrote:
I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally sure how 
to tell.
If I torch the LTE PDN interface, it counts up for awhile and then freezes.
Connection tracking is showing something like 120,000 items but that isn't 
strictly stuff we're NAT'ing.  Some traffic just passes through.


-- Original Message --
From: "Steve Jones" 
<thatoneguyst...@gmail.com<mailto:thatoneguyst...@gmail.com>>
To: af@afmug.com<mailto:af@afmug.com>
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

I'm not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both dire

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Mathew Howard
Yeah, personally, I'd split it between multiple boxes and do something like
one /21 per box. It makes things a bit more complex, but it also means that
if one of those boxes does happen to croak, you only have to deal with a
quarter of the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

> Thanks for the tip.  I don't know why I didn't think to use the filter.
> I guess 1,000 or so subscribers equals 26,000 or so connections.  That's
> good to know.
> In this instance I have a private /21 NAT'd onto a public /28 with the ccr
> 1036 and have plenty of spare room on the CPU.
>
> Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G
> ports is only about $800 from Baltic.  You could get 4 of those for your
> 8,000 user load and have 4 hot spares in the rack.   Assign a private /21
> to each unit.  You could create a LAG for the 4 10G ports to get a 40G
> uplink.
>
>
> -- Original Message --
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: 1/15/2018 3:40:37 PM
> Subject: Re: [AFMUG] IPv4 exhaust again
>
> filter by reply destination address and then by tcp state established is
> what I did
>
> On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
>
>> I took him to mean subscribers when he said 8000 connections.
>> As far as Layer4 connections we're performing NAT for, I'm not totally
>> sure how to tell.
>> If I torch the LTE PDN interface, it counts up for awhile and then
>> freezes.
>> Connection tracking is showing something like 120,000 items but that
>> isn't strictly stuff we're NAT'ing.  Some traffic just passes through.
>>
>>
>> -- Original Message --
>> From: "Steve Jones" <thatoneguyst...@gmail.com>
>> To: af@afmug.com
>> Sent: 1/15/2018 2:21:54 PM
>> Subject: Re: [AFMUG] IPv4 exhaust again
>>
>> srcnat is what we use. 1800 connections right now from one section of the
>> network
>>
>> On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> What flavor of NAT does mikrotik implement?
>>>
>>> *From:* Chuck McCown
>>> *Sent:* Monday, January 15, 2018 12:07 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> Wonder how heavy we can load that... I would want it to be able to
>>> handle 8000 connections.
>>>
>>> *From:* Steve Jones
>>> *Sent:* Monday, January 15, 2018 12:05 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> ccr1072
>>>
>>> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>
>>>> What are you using?  Router NAT or a server or ?
>>>>
>>>> *From:* Steve Jones
>>>> *Sent:* Monday, January 15, 2018 11:48 AM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>> I'm not going to lie, we are natting at 1:300 across a handful of
>>>> publics and have little to no issue, though we really should since the
>>>> customer router double NATs
>>>>
>>>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>>
>>>>> I need to have about /19 worth of customers natted to as few V4s as is
>>>>> needed to make it work properly.
>>>>>
>>>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>>>> fourth.
>>>>>
>>>>> *From:* Dennis Burgess
>>>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>>>> *To:* af@afmug.com
>>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>>
>>>>>
>>>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>>>> /21s to less than 254 ips .:)
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
tnx

From: Adam Moffett 
Sent: Monday, January 15, 2018 2:02 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.


-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 3:40:37 PM
Subject: Re: [AFMUG] IPv4 exhaust again

  filter by reply destination address and then by tcp state established is what 
I did

  On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally sure 
how to tell.  
If I torch the LTE PDN interface, it counts up for awhile and then freezes.
Connection tracking is showing something like 120,000 items but that isn't 
strictly stuff we're NAT'ing.  Some traffic just passes through.


-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

  srcnat is what we use. 1800 connections right now from one section of the 
network

  On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What flavor of NAT does mikrotik implement?

From: Chuck McCown 
Sent: Monday, January 15, 2018 12:07 PM
    To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to 
handle 8000 connections.  

From: Steve Jones 
Sent: Monday, January 15, 2018 12:05 PM
    To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What are you using?  Router NAT or a server or ?

  From: Steve Jones 
  Sent: Monday, January 15, 2018 11:48 AM
      To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  I'm not going to lie, we are natting at 1:300 across a handful of 
publics and have little to no issue, though we really should since the customer 
router double NATs

  On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:

I need to have about /19 worth of customers natted to as few V4s as 
is needed to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy 
a fourth.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 11:34 AM
    To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting 
two /21s to less than 254 ips .:) 





Dennis Burgess – Network Solution Engineer – Consultant 

MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, 
MTCTCE, MTCINE



For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com 

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net 



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
    To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a 
single public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k 
ports each, 32 customers 2k ports each. That's *source* ports, so they're not 
limited to 8k, 4k or 2k connections total. You have to look at in both 
directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple commands? 
Yeah, I'm too cheap for that.

Something else to keep in mind is that most consumer grade routers 
still have a fairly limited connection table. My Cambium cnPilot router I have 
at home lets you adjust the max table size (up to 8192). Most are 2k or 4k. 
While even a low-end MikroTik will give you >100k.

On 1/15/

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Adam Moffett

Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's 
good to know.
In this instance I have a private /21 NAT'd onto a public /28 with the 
ccr 1036 and have plenty of spare room on the CPU.


Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G 
ports is only about $800 from Baltic.  You could get 4 of those for your 
8,000 user load and have 4 hot spares in the rack.   Assign a private 
/21 to each unit.  You could create a LAG for the 4 10G ports to get a 
40G uplink.



-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 3:40:37 PM
Subject: Re: [AFMUG] IPv4 exhaust again

filter by reply destination address and then by tcp state established 
is what i did


On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> 
wrote:

I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally 
sure how to tell.
If I torch the LTE PDN interface, it counts up for awhile and then 
freezes.
Connection tracking is showing something like 120,000 items but that 
isn't strictly stuff we're NAT'ing.  Some traffic just passes through.



-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of 
the network


On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:

What flavor of NAT does mikrotik implement?

From:Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to 
handle 8000 connections.


From:Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:

What are you using?  Router NAT or a server or ?

From:Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of 
publics and have little to no issue, though we really should since 
the customer router double NATs


On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:
I need to have about /19 worth of customers natted to as few V4s 
as is needed to make it work properly.


We currently have about 3 /21s I think.  Don’t want to have to buy 
a fourth.


From:Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting 
two /21s to less than 254 ips .:)






Dennis Burgess – Network Solution Engineer – Consultant

MikroTik Certified Trainer/Consultant 
<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> 
– MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE




For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a 
single public IPv4 address. Give 8 customers 8k ports each, or 16 
customer 4k ports each, 32 customers 2k ports each. That's 
*source* ports, so they're not limited to 8k, 4k or 2k connections 
total. You have to look at in both directions. 10.10.10.10:1024 -> 
8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are both 
valid, and it obviously goes a lot deeper than that.


Seems to be a whole lot easier than some crazy NAT appliance 
that's running the whole network. I haven't done anything like 
this, but I'm considering it. I think Juniper even lets you do 
this with a couple commands? Yeah, I'm too cheap for that.


Something else to keep in mind is that most consumer grade routers 
still have a fairly limited connection table. My Cambium cnPilot 
router I have at home lets you adjust the max table size (up to 
8192). Most are 2k or 4k. While even a low-end MikroTik will give 
you >100k.


On 1/15/2018 11:35 AM, Chuck McCown wrote:


Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us 
time to build our magic V4 translator gateway box for a V6 only 
network.

Any suggestions on the best way to do this?
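
Added example, not part of the thread and not any poster's or MikroTik's configuration: a sketch of the fixed port-block scheme quoted above (8:1, 16:1 or 32:1 per public IPv4 address), with the reverse lookup that maps a public address and source port seen in an abuse report back to one subscriber without per-connection logs. The 100.64.0.0/21 and 203.0.113.0/26 prefixes, the choice to skip ports below 1024, and all names are assumptions made for the illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

FIRST_PORT = 1024                    # assumption: ports 0-1023 are never handed out
USABLE_PORTS = 65536 - FIRST_PORT    # 64512 source ports per public address


class PortBlock(NamedTuple):
    public_ip: ipaddress.IPv4Address
    port_lo: int
    port_hi: int


def publics_needed(subscribers: int, ratio: int) -> int:
    """Public addresses required to carry `subscribers` at `ratio`:1."""
    return -(-subscribers // ratio)  # ceiling division


class CgnPlan:
    """Static mapping: subscriber N gets slot N % ratio on public address N // ratio."""

    def __init__(self, private_net: str, public_pool: str, ratio: int):
        self.private = ipaddress.ip_network(private_net)
        self.public = ipaddress.ip_network(public_pool)
        self.ratio = ratio
        self.block_size = USABLE_PORTS // ratio
        if ratio < 1 or self.block_size < 1:
            raise ValueError("ratio leaves no source ports per subscriber")
        needed = publics_needed(self.private.num_addresses, ratio)
        if needed > self.public.num_addresses:
            raise ValueError(
                f"need {needed} public addresses, pool has {self.public.num_addresses}"
            )

    def forward(self, private_ip: str) -> PortBlock:
        """Public address and source-port range reserved for one subscriber."""
        ip = ipaddress.ip_address(private_ip)
        if ip not in self.private:
            raise ValueError(f"{ip} is outside {self.private}")
        index = int(ip) - int(self.private.network_address)
        pub_index, slot = divmod(index, self.ratio)
        lo = FIRST_PORT + slot * self.block_size
        return PortBlock(self.public[pub_index], lo, lo + self.block_size - 1)

    def reverse(self, public_ip: str, port: int) -> Optional[ipaddress.IPv4Address]:
        """Subscriber behind public_ip:port, or None if the port is unassigned."""
        ip = ipaddress.ip_address(public_ip)
        if ip not in self.public or not FIRST_PORT <= port <= 65535:
            return None
        slot = (port - FIRST_PORT) // self.block_size
        if slot >= self.ratio:
            return None              # leftover ports past the last full block
        pub_index = int(ip) - int(self.public.network_address)
        index = pub_index * self.ratio + slot
        if index >= self.private.num_addresses:
            return None              # slot exists but no subscriber uses it
        return self.private[index]


if __name__ == "__main__":
    # Constructed sample: a private /21 at 32:1 needs 64 public addresses (a /26).
    plan = CgnPlan("100.64.0.0/21", "203.0.113.0/26", 32)
    print("ports per subscriber:", plan.block_size)
    print("100.64.0.33 ->", plan.forward("100.64.0.33"))
    print("203.0.113.1:4000 <-", plan.reverse("203.0.113.1", 4000))
    print("publics for a /19 at 32:1:", publics_needed(8192, 32))
```

With 1024 ports held back, the "8k, 4k, 2k" figures come out as 8064, 4032 and 2016 ports per subscriber.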












Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dave
We have a PowerV4 router from linktechs and it rocks for our edge not 
doing a lot with a 10G circuit and most of the network

 I really like its flexibility and Horsepower.


On 01/15/2018 02:50 PM, Chuck McCown wrote:

Yes, we have 6000 now and are adding about 1000 each year.
*From:* Mathew Howard
*Sent:* Monday, January 15, 2018 1:47 PM
*To:* af
*Subject:* Re: [AFMUG] IPv4 exhaust again
I'm pretty sure he did mean 8000 subscribers... I would want one of 
the i7 x86 boxes for that kind of load, but I'd imagine that would 
handle it without any problems.

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not
totally sure how to tell.
If I torch the LTE PDN interface, it counts up for awhile and then
freezes.
Connection tracking is showing something like 120,000 items but
that isn't strictly stuff we're NAT'ing.  Some traffic just passes
through.
-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 2:21:54 PM
    Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one
section of the network
On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com>
wrote:

What flavor of NAT does mikrotik implement?
*From:* Chuck McCown
*Sent:* Monday, January 15, 2018 12:07 PM
*To:* af@afmug.com
    *Subject:* Re: [AFMUG] IPv4 exhaust again
Wonder how heavy we can load that... I would want it to be
able to handle 8000 connections.
*From:* Steve Jones
*Sent:* Monday, January 15, 2018 12:05 PM
*To:* af@afmug.com
    *Subject:* Re: [AFMUG] IPv4 exhaust again
ccr1072
On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown
<ch...@wbmfg.com> wrote:

What are you using? Router NAT or a server or ?
*From:* Steve Jones
*Sent:* Monday, January 15, 2018 11:48 AM
*To:* af@afmug.com
    *Subject:* Re: [AFMUG] IPv4 exhaust again
Im not going to lie, we are natting at 1:300 across a
handful of publics and have little to no issue, though we
really should since the customer router double NATs
On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown
<ch...@wbmfg.com> wrote:

I need to have about /19 worth of customers natted to
as few V4s as is needed to make it work properly.
We currently have about 3 /21s I think.  Don’t want
to have to buy a fourth.
*From:* Dennis Burgess
*Sent:* Monday, January 15, 2018 11:34 AM
*To:* af@afmug.com
        *Subject:* Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT
rules natting two /21s to less than 254 ips .:)

*/_Dennis Burgess_/**–**Network Solution Engineer –
Consultant ***

MikroTik Certified Trainer/Consultant

<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
– MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net
<http://www.linktechs.net/>

Radio Frequency Coverages: www.towercoverage.com
<http://www.towercoverage.com/>

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net

*From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of
*George Skorup
*Sent:* Monday, January 15, 2018 12:28 PM
        *To:* af@afmug.com
*Subject:* Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even
32:1 out of a single public IPv4 address. Give 8
customers 8k ports each, or 16 customer 4k ports
each, 32 customers 2k ports each. That's *source*
ports, so they're not limited to 8k, 4k or 2k
connections total. You have to look at in both
directions. 10.10.10.10:1024 -> 8.8.8.8:53 and
10.10.10.10:1024 -> 8.8.4.4:53 mappings are both valid, and it
obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT
appliance that's running the whole network. I haven't
done anything like this, but I'm considering it. I
t

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
Yes, we have 6000 now and are adding about 1000 each year.  

From: Mathew Howard 
Sent: Monday, January 15, 2018 1:47 PM
To: af 
Subject: Re: [AFMUG] IPv4 exhaust again

I'm pretty sure he did mean 8000 subscribers... I would want one of the i7 x86 
boxes for that kind of load, but I'd imagine that would handle it without any 
problems.


On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

  I took him to mean subscribers when he said 8000 connections.
  As far as Layer4 connections we're performing NAT for, I'm not totally sure 
how to tell.  
  If I torch the LTE PDN interface, it counts up for awhile and then freezes.
  Connection tracking is showing something like 120,000 items but that isn't 
strictly stuff we're NAT'ing.  Some traffic just passes through.


  -- Original Message --
  From: "Steve Jones" <thatoneguyst...@gmail.com>
  To: af@afmug.com
  Sent: 1/15/2018 2:21:54 PM
  Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What flavor of NAT does mikrotik implement?

  From: Chuck McCown 
  Sent: Monday, January 15, 2018 12:07 PM
  To: af@afmug.com 
      Subject: Re: [AFMUG] IPv4 exhaust again

  Wonder how heavy we can load that... I would want it to be able to handle 
8000 connections.  

  From: Steve Jones 
  Sent: Monday, January 15, 2018 12:05 PM
  To: af@afmug.com 
      Subject: Re: [AFMUG] IPv4 exhaust again

  ccr1072

  On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What are you using?  Router NAT or a server or ?

From: Steve Jones 
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of 
publics and have little to no issue, though we really should since the customer 
router double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  I need to have about /19 worth of customers natted to as few V4s as 
is needed to make it work properly.

  We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

  From: Dennis Burgess 
  Sent: Monday, January 15, 2018 11:34 AM
      To: af@afmug.com 
      Subject: Re: [AFMUG] IPv4 exhaust again

  Mikrotik can do that, I have a router with 20k NAT rules natting two 
/21s to less than 254 ips .:) 





  Dennis Burgess – Network Solution Engineer – Consultant 

  MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, 
MTCINE



  For Wireless Hardware/Routers visit www.linktechs.net

  Radio Frequency Coverages: www.towercoverage.com 

  Office: 314-735-0270

  E-Mail: dmburg...@linktechs.net 



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
  Sent: Monday, January 15, 2018 12:28 PM
      To: af@afmug.com
      Subject: Re: [AFMUG] IPv4 exhaust again



  Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a 
single public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k 
ports each, 32 customers 2k ports each. That's *source* ports, so they're not 
limited to 8k, 4k or 2k connections total. You have to look at in both 
directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

  Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple commands? 
Yeah, I'm too cheap for that.

  Something else to keep in mind is that most consumer grade routers 
still have a fairly limited connection table. My Cambium cnPilot router I have 
at home lets you adjust the max table size (up to 8192). Most are 2k or 4k. 
While even a low-end MikroTik will give you >100k.

  On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company. 

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us 
time to build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?








Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Mathew Howard
I'm pretty sure he did mean 8000 subscribers... I would want one of the i7
x86 boxes for that kind of load, but I'd imagine that would handle it
without any problems.

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

> I took him to mean subscribers when he said 8000 connections.
> As far as Layer4 connections we're performing NAT for, I'm not totally
> sure how to tell.
> If I torch the LTE PDN interface, it counts up for awhile and then freezes.
> Connection tracking is showing something like 120,000 items but that isn't
> strictly stuff we're NAT'ing.  Some traffic just passes through.
>
>
> -- Original Message --
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: 1/15/2018 2:21:54 PM
> Subject: Re: [AFMUG] IPv4 exhaust again
>
> srcnat is what we use. 1800 connections right now from one section of the
> network
>
> On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> What flavor of NAT does mikrotik implement?
>>
>> *From:* Chuck McCown
>> *Sent:* Monday, January 15, 2018 12:07 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> Wonder how heavy we can load that... I would want it to be able to handle
>> 8000 connections.
>>
>> *From:* Steve Jones
>> *Sent:* Monday, January 15, 2018 12:05 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> ccr1072
>>
>> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> What are you using?  Router NAT or a server or ?
>>>
>>> *From:* Steve Jones
>>> *Sent:* Monday, January 15, 2018 11:48 AM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> Im not going to lie, we are natting at 1:300 across a handful of publics
>>> and have little to no issue, though we really should since the customer
>>> router double NATs
>>>
>>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>
>>>> I need to have about /19 worth of customers natted to as few V4s as is
>>>> needed to make it work properly.
>>>>
>>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>>> fourth.
>>>>
>>>> *From:* Dennis Burgess
>>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>>> /21s to less than 254 ips .:)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>>>
>>>> MikroTik Certified Trainer/Consultant
>>>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>>>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>>
>>>>
>>>>
>>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>>
>>>> Radio Frequency Coverages: www.towercoverage.com
>>>>
>>>> Office: 314-735-0270
>>>>
>>>> E-Mail: dmburg...@linktechs.net
>>>>
>>>>
>>>>
>>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>>
>>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>>>> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
>>>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>>>> not limited to 8k, 4k or 2k connections total. You have to look at in both
>>>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>>>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>>>> than that.
>>>>
>>>> Seems to be a whole lot easier than some crazy NAT appliance that's
>>>> running the whole network. I haven't done anything like this, but I'm
>>>> considering it. I think Juniper even lets you do this with a couple
>>>> commands? Yeah, I'm too cheap for that.
>>>>
>>>> Something else to keep in mind is that most consumer grade routers
>>>> still have a fairly limited connection table. My Cambium cnPilot router I
>>>> have at home lets you adjust the max table size (up to 8192). Most are 2k
>>>> or 4k. While even a low-end MikroTik will give you >100k.
>>>>
>>>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>>>
>>>> Planning to buy another /21 or some such thing  again ..
>>>>
>>>> So going to attempt to NAT the whole frigging company.
>>>>
>>>> Seems like I am going in reverse here.
>>>>
>>>> If we can make NAT work for most customers, then that will buy us time
>>>> to build our magic V4 translator gateway box for a V6 only network.
>>>>
>>>> Any suggestions on the best way to do this?
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
Filter by reply destination address and then by TCP state established is
what I did.

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:

> I took him to mean subscribers when he said 8000 connections.
> As far as Layer4 connections we're performing NAT for, I'm not totally
> sure how to tell.
> If I torch the LTE PDN interface, it counts up for awhile and then freezes.
> Connection tracking is showing something like 120,000 items but that isn't
> strictly stuff we're NAT'ing.  Some traffic just passes through.
>
>
> -- Original Message --
> From: "Steve Jones" <thatoneguyst...@gmail.com>
> To: af@afmug.com
> Sent: 1/15/2018 2:21:54 PM
> Subject: Re: [AFMUG] IPv4 exhaust again
>
> srcnat is what we use. 1800 connections right now from one section of the
> network
>
> On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> What flavor of NAT does mikrotik implement?
>>
>> *From:* Chuck McCown
>> *Sent:* Monday, January 15, 2018 12:07 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> Wonder how heavy we can load that... I would want it to be able to handle
>> 8000 connections.
>>
>> *From:* Steve Jones
>> *Sent:* Monday, January 15, 2018 12:05 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> ccr1072
>>
>> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> What are you using?  Router NAT or a server or ?
>>>
>>> *From:* Steve Jones
>>> *Sent:* Monday, January 15, 2018 11:48 AM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> Im not going to lie, we are natting at 1:300 across a handful of publics
>>> and have little to no issue, though we really should since the customer
>>> router double NATs
>>>
>>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>
>>>> I need to have about /19 worth of customers natted to as few V4s as is
>>>> needed to make it work properly.
>>>>
>>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>>> fourth.
>>>>
>>>> *From:* Dennis Burgess
>>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>>> /21s to less than 254 ips .:)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>>>
>>>> MikroTik Certified Trainer/Consultant
>>>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>>>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>>
>>>>
>>>>
>>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>>
>>>> Radio Frequency Coverages: www.towercoverage.com
>>>>
>>>> Office: 314-735-0270
>>>>
>>>> E-Mail: dmburg...@linktechs.net
>>>>
>>>>
>>>>
>>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>>
>>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>>>> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
>>>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>>>> not limited to 8k, 4k or 2k connections total. You have to look at in both
>>>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>>>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>>>> than that.
>>>>
>>>> Seems to be a whole lot easier than some crazy NAT appliance that's
>>>> running the whole network. I haven't done anything like this, but I'm
>>>> considering it. I think Juniper even lets you do this with a couple
>>>> commands? Yeah, I'm too cheap for that.
>>>>
>>>> Something else to keep in mind is that most consumer grade routers
>>>> still have a fairly limited connection table. My Cambium cnPilot router I
>>>> have at home lets you adjust the max table size (up to 8192). Most are 2k
>>>> or 4k. While even a low-end MikroTik will give you >100k.
>>>>
>>>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>>>
>>>> Planning to buy another /21 or some such thing  again ..
>>>>
>>>> So going to attempt to NAT the whole frigging company.
>>>>
>>>> Seems like I am going in reverse here.
>>>>
>>>> If we can make NAT work for most customers, then that will buy us time
>>>> to build our magic V4 translator gateway box for a V6 only network.
>>>>
>>>> Any suggestions on the best way to do this?
>>>>
>>>>
>>>>
>>>
>>>
>>
>>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Adam Moffett

I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally 
sure how to tell.
If I torch the LTE PDN interface, it counts up for awhile and then 
freezes.
Connection tracking is showing something like 120,000 items but that 
isn't strictly stuff we're NAT'ing.  Some traffic just passes through.



-- Original Message --
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of 
the network


On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What flavor of NAT does mikrotik implement?

From:Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to 
handle 8000 connections.


From:Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:

What are you using?  Router NAT or a server or ?

From:Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of 
publics and have little to no issue, though we really should since 
the customer router double NATs


On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:
I need to have about /19 worth of customers natted to as few V4s as 
is needed to make it work properly.


We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.


From:Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two 
/21s to less than 254 ips .:)






Dennis Burgess – Network Solution Engineer – Consultant

MikroTik Certified Trainer/Consultant 
<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> – 
MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE




For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a 
single public IPv4 address. Give 8 customers 8k ports each, or 16 
customer 4k ports each, 32 customers 2k ports each. That's *source* 
ports, so they're not limited to 8k, 4k or 2k connections total. You 
have to look at in both directions. 10.10.10.10:1024 -> 8.8.8.8:53 
and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are both valid, and it 
obviously goes a lot deeper than that.


Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but 
I'm considering it. I think Juniper even lets you do this with a 
couple commands? Yeah, I'm too cheap for that.


Something else to keep in mind is that most consumer grade routers 
still have a fairly limited connection table. My Cambium cnPilot 
router I have at home lets you adjust the max table size (up to 
8192). Most are 2k or 4k. While even a low-end MikroTik will give 
you >100k.


On 1/15/2018 11:35 AM, Chuck McCown wrote:


Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us 
time to build our magic V4 translator gateway box for a V6 only 
network.

Any suggestions on the best way to do this?










Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
We had a contractor tell me there is a way to do that. I can't speak as to
how he intended on doing it. He's from a Cisco shop, so maybe he just
assumed it would be the same. We wanted it because of geographically
separate BGP routers but never went that far since our upstream bandwidth
is too different between providers, so we just pulled off a 24 for each one
that doesn't announce on the other to handle the NAT.

On Mon, Jan 15, 2018 at 1:38 PM, Dennis Burgess <dmburg...@linktechs.net>
wrote:

> You can have failover, just the connections will be broke and they will
> have to be restarted.  That’s it.  Normally I don’t worry about that kind
> of stuff.
>
>
>
>
>
> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>
> MikroTik Certified Trainer/Consultant
> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>
>
>
> For Wireless Hardware/Routers visit www.linktechs.net
>
> Radio Frequency Coverages: www.towercoverage.com
>
> Office: 314-735-0270
>
> E-Mail: dmburg...@linktechs.net
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Chuck McCown
> *Sent:* Monday, January 15, 2018 1:34 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Too bad.  I am kind of scared to not have some kind of hot standby or load
> sharing that will fail in a graceful manner.
>
>
>
> *From:* Dennis Burgess
>
> *Sent:* Monday, January 15, 2018 12:28 PM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> MT does not do stateful failover ☹  sorry.
>
>
>
>
>
> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>
> MikroTik Certified Trainer/Consultant
> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>
>
>
> For Wireless Hardware/Routers visit www.linktechs.net
>
> Radio Frequency Coverages: www.towercoverage.com
>
> Office: 314-735-0270
>
> E-Mail: dmburg...@linktechs.net
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Chuck McCown
> *Sent:* Monday, January 15, 2018 1:24 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> I wonder if it would handle two boxes, sync them and have a nice stateful
> failover mechanism?
>
>
>
> *From:* Steve Jones
>
> *Sent:* Monday, January 15, 2018 12:21 PM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> srcnat is what we use. 1800 connections right now from one section of the
> network
>
>
>
> On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
> What flavor of NAT does mikrotik implement?
>
>
>
> *From:* Chuck McCown
>
> *Sent:* Monday, January 15, 2018 12:07 PM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Wonder how heavy we can load that... I would want it to be able to handle
> 8000 connections.
>
>
>
> *From:* Steve Jones
>
> *Sent:* Monday, January 15, 2018 12:05 PM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> ccr1072
>
>
>
> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
> What are you using?  Router NAT or a server or ?
>
>
>
> *From:* Steve Jones
>
> *Sent:* Monday, January 15, 2018 11:48 AM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Im not going to lie, we are natting at 1:300 across a handful of publics
> and have little to no issue, though we really should since the customer
> router double NATs
>
>
>
> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
> I need to have about /19 worth of customers natted to as few V4s as is
> needed to make it work properly.
>
>
>
> We currently have about 3 /21s I think.  Don’t want to have to buy a
> fourth.
>
>
>
> *From:* Dennis Burgess
>
> *Sent:* Monday, January 15, 2018 11:34 AM
>
> *To:* af@afmug.com
>
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s
> to less than 254 ips .:)
>
>
>
>
>
> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>
> MikroTik Certified Trainer/Consultant
> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>
>
>
> For Wireless Hardware/Routers visit www

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
You can have failover, just the connections will be broken and they will have 
to be restarted.  That’s it.  Normally I don’t worry about that kind of stuff.


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 1:34 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Too bad.  I am kind of scared to not have some kind of hot standby or load 
sharing that will fail in a graceful manner.

From: Dennis Burgess
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

MT does not do stateful failover ☹  sorry.


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 1:24 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

I wonder if it would handle two boxes, sync them and have a nice stateful 
failover mechanism?

From: Steve Jones
Sent: Monday, January 15, 2018 12:21 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270<tel:(314)%20735-0270>
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole n

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
Too bad.  I am kind of scared to not have some kind of hot standby or load 
sharing that will fail in a graceful manner.

From: Dennis Burgess 
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

MT does not do stateful failover ☹  sorry. 

 

 

Dennis Burgess – Network Solution Engineer – Consultant 

MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

 

For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com 

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 1:24 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

 

I wonder if it would handle two boxes, sync them and have a nice stateful 
failover mechanism?

 

From: Steve Jones 

Sent: Monday, January 15, 2018 12:21 PM

To: af@afmug.com 

Subject: Re: [AFMUG] IPv4 exhaust again

 

srcnat is what we use. 1800 connections right now from one section of the 
network

 

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What flavor of NAT does mikrotik implement?

   

  From: Chuck McCown 

  Sent: Monday, January 15, 2018 12:07 PM

  To: af@afmug.com 

  Subject: Re: [AFMUG] IPv4 exhaust again

   

  Wonder how heavy we can load that... I would want it to be able to handle 
8000 connections.  

   

  From: Steve Jones 

  Sent: Monday, January 15, 2018 12:05 PM

  To: af@afmug.com 

  Subject: Re: [AFMUG] IPv4 exhaust again

   

  ccr1072

   

  On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What are you using?  Router NAT or a server or ?

 

From: Steve Jones 

Sent: Monday, January 15, 2018 11:48 AM

To: af@afmug.com 

    Subject: Re: [AFMUG] IPv4 exhaust again

 

Im not going to lie, we are natting at 1:300 across a handful of publics 
and have little to no issue, though we really should since the customer router 
double NATs

 

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  I need to have about /19 worth of customers natted to as few V4s as is 
needed to make it work properly.

   

  We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

   

  From: Dennis Burgess 

  Sent: Monday, January 15, 2018 11:34 AM

  To: af@afmug.com 

  Subject: Re: [AFMUG] IPv4 exhaust again

   

  Mikrotik can do that, I have a router with 20k NAT rules natting two /21s 
to less than 254 ips .:) 

   

   

  Dennis Burgess – Network Solution Engineer – Consultant 

  MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, 
MTCINE

   

  For Wireless Hardware/Routers visit www.linktechs.net

  Radio Frequency Coverages: www.towercoverage.com 

  Office: 314-735-0270

  E-Mail: dmburg...@linktechs.net 

   

  From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
  Sent: Monday, January 15, 2018 12:28 PM
  To: af@afmug.com
  Subject: Re: [AFMUG] IPv4 exhaust again

   

  Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports 
each, 32 customers 2k ports each. That's *source* ports, so they're not limited 
to 8k, 4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

  Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple commands? 
Yeah, I'm too cheap for that.

  Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have at 
home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While 
even a low-end MikroTik will give you >100k.

  On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company. 

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time 
to build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?
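The port-block arithmetic George Skorup describes above, applied to the /19 of customers from this thread, as an added Python example that is not from any poster and is not MikroTik or Juniper configuration. Assumptions: the customer pool is 10.10.0.0/19, the public pool is the documentation range 203.0.113.0/24, ports 0-1023 are never handed out, and each private endpoint keeps one public port (a simplified model). The reverse lookup is what lets an abuse report naming a public IP and port be tied to one customer without per-session logs.

```python
import ipaddress

FIRST_PORT, LAST_PORT = 1024, 65535   # assumption: ports 0-1023 are never handed out


def public_ips_needed(customers: int, ratio: int) -> int:
    """Public IPv4 addresses required to serve `customers` at ratio:1."""
    return -(-customers // ratio)      # ceiling division


class DeterministicCGN:
    """Static port-block plan: each customer always owns the same public IP and port range."""

    def __init__(self, private_net: str, public_net: str, ratio: int):
        self.private = ipaddress.ip_network(private_net)
        self.public = ipaddress.ip_network(public_net)
        self.ratio = ratio
        self.block = (LAST_PORT - FIRST_PORT + 1) // ratio   # source ports per customer
        need = public_ips_needed(self.private.num_addresses, ratio)
        if need > self.public.num_addresses:
            raise ValueError(f"{public_net} too small: {need} public IPs needed at {ratio}:1")
        self.endpoints = {}   # (private_ip, src_port) -> public port
        self.flows = set()    # (public_ip, public_port, dst_ip, dst_port)

    def forward(self, private_ip: str):
        """Return (public_ip, first_port, last_port) owned by this customer."""
        ip = ipaddress.ip_address(private_ip)
        if ip not in self.private:
            raise ValueError(f"{private_ip} is outside {self.private}")
        index = int(ip) - int(self.private.network_address)
        public_ip = self.public.network_address + index // self.ratio
        low = FIRST_PORT + (index % self.ratio) * self.block
        return str(public_ip), low, low + self.block - 1

    def reverse(self, public_ip: str, port: int):
        """Map a public IP and port (e.g. from an abuse report) back to the customer."""
        ip = ipaddress.ip_address(public_ip)
        if ip not in self.public or not FIRST_PORT <= port <= LAST_PORT:
            return None
        slot = (port - FIRST_PORT) // self.block
        index = (int(ip) - int(self.public.network_address)) * self.ratio + slot
        # Ports left over above the last block, or slots past the pool, belong to nobody.
        if slot >= self.ratio or index >= self.private.num_addresses:
            return None
        return str(self.private.network_address + index)

    def translate(self, private_ip, src_port, dst_ip, dst_port):
        """Record one outbound flow; a private endpoint consumes one public port in total."""
        public_ip, low, high = self.forward(private_ip)
        key = (private_ip, src_port)
        if key not in self.endpoints:
            used = {p for (ip, _), p in self.endpoints.items() if ip == private_ip}
            free = next((p for p in range(low, high + 1) if p not in used), None)
            if free is None:
                raise RuntimeError(f"port block exhausted for {private_ip}")
            self.endpoints[key] = free
        self.flows.add((public_ip, self.endpoints[key], dst_ip, dst_port))
        return public_ip, self.endpoints[key]

    def ports_in_use(self, private_ip: str) -> int:
        return sum(1 for (ip, _) in self.endpoints if ip == private_ip)


def demo():
    # Constructed sample: a /19 of customers at 32:1 fits exactly into one /24.
    cgn = DeterministicCGN("10.10.0.0/19", "203.0.113.0/24", ratio=32)
    # The two mappings from the thread share one source port on the customer side.
    first = cgn.translate("10.10.10.10", 1024, "8.8.8.8", 53)
    second = cgn.translate("10.10.10.10", 1024, "8.8.4.4", 53)
    return {
        "block": cgn.forward("10.10.10.10"),
        "first": first,
        "second": second,
        "flows": len(cgn.flows),
        "ports_used": cgn.ports_in_use("10.10.10.10"),
        "attributed": cgn.reverse("203.0.113.80", 22000),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```
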

   

 

   

 


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
another router has a little over 7k established customer nat connections
right now, not sure what our radio and infrastructure count is. running 2%
cpu load with ospf and bgp. If I look at any other tcp state the number
just keeps going up

On Mon, Jan 15, 2018 at 1:25 PM, Mathew Howard <mhoward...@gmail.com> wrote:

> You can't get x86 Mikrotik boxes that will handle more. I think
> Linktechs and Balticnetworks both sell some decent ones (not built by
> Mikrotik, but they use hardware that's well tested with routerOS).
>
> On Mon, Jan 15, 2018 at 1:20 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> Does MT have something larger?
>>
>> I would need two for redundancy.  I presume use policy based routing
>> sending all the 10.x.x.x source IP traffic to one of the two NAT boxes that
>> will be set up for load sharing.  Core would send everything else to the
>> edge.
>>
>> Details details, I let the router experts sweat that stuff.
>>
>> *From:* Adam Moffett
>> *Sent:* Monday, January 15, 2018 12:17 PM
>> *To:* af@afmug.com ; af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> the 1072 has 72 cores.  We have a 1036 (36 core) doing NAT for over a
>> thousand LTE+Wimax customers.  CPU usage is like 30%. The "firewall" and
>> "networking" processes account for most of the usage.
>>
>> We could extrapolate that to say a 1072 could maybe 4,000 with 60% CPU
>> usage. Just a guess obviously.  There's nothing to say it would scale
>> linearly.
>>
>>
>>
>> -- Original Message --
>> From: "Chuck McCown" <ch...@wbmfg.com>
>> To: af@afmug.com
>> Sent: 1/15/2018 2:07:39 PM
>> Subject: Re: [AFMUG] IPv4 exhaust again
>>
>>
>> Wonder how heavy we can load that... I would want it to be able to handle
>> 8000 connections.
>>
>> *From:* Steve Jones
>> *Sent:* Monday, January 15, 2018 12:05 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> ccr1072
>>
>> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> What are you using?  Router NAT or a server or ?
>>>
>>> *From:* Steve Jones
>>> *Sent:* Monday, January 15, 2018 11:48 AM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>> Im not going to lie, we are natting at 1:300 across a handful of publics
>>> and have little to no issue, though we really should since the customer
>>> router double NATs
>>>
>>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>>
>>>> I need to have about /19 worth of customers natted to as few V4s as is
>>>> needed to make it work properly.
>>>>
>>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>>> fourth.
>>>>
>>>> *From:* Dennis Burgess
>>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>>> /21s to less than 254 ips .:)
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>>>
>>>> MikroTik Certified Trainer/Consultant
>>>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>>>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>>
>>>>
>>>>
>>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>>
>>>> Radio Frequency Coverages: www.towercoverage.com
>>>>
>>>> Office: 314-735-0270 <(314)%20735-0270>
>>>>
>>>> E-Mail: dmburg...@linktechs.net
>>>>
>>>>
>>>>
>>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>>> *To:* af@afmug.com
>>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>>
>>>>
>>>>
>>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>>>> public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k
>>>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>>>> not limited to 8k, 4k or 2k connections total. You have to look at it in both
>>&

Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
MT does not do stateful failover ☹  sorry.


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 1:24 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

I wonder if it would handle two boxes, sync them and have a nice stateful 
failover mechanism?

From: Steve Jones
Sent: Monday, January 15, 2018 12:21 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270<tel:(314)%20735-0270>
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k.
On 1/15/2018 11:35 AM, Chuck McCown wrote:
Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time to build 
our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?






Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
Whatever you program it for ☺


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chuck McCown
Sent: Monday, January 15, 2018 1:10 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown 
<ch...@wbmfg.com<mailto:ch...@wbmfg.com>> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified 
Trainer/Consultant<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net<http://www.linktechs.net/>
Radio Frequency Coverages: www.towercoverage.com<http://www.towercoverage.com/>
Office: 314-735-0270<tel:(314)%20735-0270>
E-Mail: dmburg...@linktechs.net<mailto:dmburg...@linktechs.net>

From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k.
On 1/15/2018 11:35 AM, Chuck McCown wrote:
Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time to build 
our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?





Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Mathew Howard
You can't get x86 Mikrotik boxes that will handle more. I think
Linktechs and Balticnetworks both sell some decent ones (not built by
Mikrotik, but they use hardware that's well tested with routerOS).

On Mon, Jan 15, 2018 at 1:20 PM, Chuck McCown <ch...@wbmfg.com> wrote:

> Does MT have something larger?
>
> I would need two for redundancy.  I presume use policy based routing
> sending all the 10.x.x.x source IP traffic to one of the two NAT boxes that
> will be set up for load sharing.  Core would send everything else to the
> edge.
>
> Details details, I let the router experts sweat that stuff.
>
> *From:* Adam Moffett
> *Sent:* Monday, January 15, 2018 12:17 PM
> *To:* af@afmug.com ; af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
> the 1072 has 72 cores.  We have a 1036 (36 core) doing NAT for over a
> thousand LTE+Wimax customers.  CPU usage is like 30%. The "firewall" and
> "networking" processes account for most of the usage.
>
> We could extrapolate that to say a 1072 could maybe 4,000 with 60% CPU
> usage. Just a guess obviously.  There's nothing to say it would scale
> linearly.
>
>
>
> -- Original Message --
> From: "Chuck McCown" <ch...@wbmfg.com>
> To: af@afmug.com
> Sent: 1/15/2018 2:07:39 PM
> Subject: Re: [AFMUG] IPv4 exhaust again
>
>
> Wonder how heavy we can load that... I would want it to be able to handle
> 8000 connections.
>
> *From:* Steve Jones
> *Sent:* Monday, January 15, 2018 12:05 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
> ccr1072
>
> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> What are you using?  Router NAT or a server or ?
>>
>> *From:* Steve Jones
>> *Sent:* Monday, January 15, 2018 11:48 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> Im not going to lie, we are natting at 1:300 across a handful of publics
>> and have little to no issue, though we really should since the customer
>> router double NATs
>>
>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> I need to have about /19 worth of customers natted to as few V4s as is
>>> needed to make it work properly.
>>>
>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>> fourth.
>>>
>>> *From:* Dennis Burgess
>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>>
>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>> /21s to less than 254 ips .:)
>>>
>>>
>>>
>>>
>>>
>>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>>
>>> MikroTik Certified Trainer/Consultant
>>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>
>>>
>>>
>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>
>>> Radio Frequency Coverages: www.towercoverage.com
>>>
>>> Office: 314-735-0270 <(314)%20735-0270>
>>>
>>> E-Mail: dmburg...@linktechs.net
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>>
>>>
>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>>> public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k
>>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>>> not limited to 8k, 4k or 2k connections total. You have to look at it in both
>>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>>> than that.
>>>
>>> Seems to be a whole lot easier than some crazy NAT appliance that's
>>> running the whole network. I haven't done anything like this, but I'm
>>> considering it. I think Juniper even lets you do this with a couple
>>> commands? Yeah, I'm too cheap for that.
>>>
>>> Something else to keep in mind is that most consumer grade routers still
>>> have a fairly limited connection table. My Cambium cnPilot router I have at
>>> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
>>> While even a low-end MikroTik will give you >100k.
>>>
>>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>>
>>> Planning to buy another /21 or some such thing  again ..
>>>
>>> So going to attempt to NAT the whole frigging company.
>>>
>>> Seems like I am going in reverse here.
>>>
>>> If we can make NAT work for most customers, then that will buy us time
>>> to build our magic V4 translator gateway box for a V6 only network.
>>>
>>> Any suggestions on the best way to do this?
>>>
>>>
>>>
>>
>>
>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
I wonder if it would handle two boxes, sync them and have a nice stateful 
failover mechanism?

From: Steve Jones 
Sent: Monday, January 15, 2018 12:21 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What flavor of NAT does mikrotik implement?

  From: Chuck McCown 
  Sent: Monday, January 15, 2018 12:07 PM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Wonder how heavy we can load that... I would want it to be able to handle 
8000 connections.  

  From: Steve Jones 
  Sent: Monday, January 15, 2018 12:05 PM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  ccr1072

  On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What are you using?  Router NAT or a server or ?

From: Steve Jones 
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics 
and have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  I need to have about /19 worth of customers natted to as few V4s as is 
needed to make it work properly.

  We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

  From: Dennis Burgess 
  Sent: Monday, January 15, 2018 11:34 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Mikrotik can do that, I have a router with 20k NAT rules natting two /21s 
to less than 254 ips .:) 





  Dennis Burgess – Network Solution Engineer – Consultant 

  MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, 
MTCINE



  For Wireless Hardware/Routers visit www.linktechs.net

  Radio Frequency Coverages: www.towercoverage.com 

  Office: 314-735-0270

  E-Mail: dmburg...@linktechs.net 



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
  Sent: Monday, January 15, 2018 12:28 PM
  To: af@afmug.com
  Subject: Re: [AFMUG] IPv4 exhaust again



  Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports 
each, 32 customers 2k ports each. That's *source* ports, so they're not limited 
to 8k, 4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

  Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple commands? 
Yeah, I'm too cheap for that.

  Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have at 
home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While 
even a low-end MikroTik will give you >100k.

  On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company. 

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time 
to build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?







Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
srcnat is what we use. 1800 connections right now from one section of the
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:

> What flavor of NAT does mikrotik implement?
>
> *From:* Chuck McCown
> *Sent:* Monday, January 15, 2018 12:07 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
> Wonder how heavy we can load that... I would want it to be able to handle
> 8000 connections.
>
> *From:* Steve Jones
> *Sent:* Monday, January 15, 2018 12:05 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
> ccr1072
>
> On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> What are you using?  Router NAT or a server or ?
>>
>> *From:* Steve Jones
>> *Sent:* Monday, January 15, 2018 11:48 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>> Im not going to lie, we are natting at 1:300 across a handful of publics
>> and have little to no issue, though we really should since the customer
>> router double NATs
>>
>> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>>
>>> I need to have about /19 worth of customers natted to as few V4s as is
>>> needed to make it work properly.
>>>
>>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>>> fourth.
>>>
>>> *From:* Dennis Burgess
>>> *Sent:* Monday, January 15, 2018 11:34 AM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>>
>>> Mikrotik can do that, I have a router with 20k NAT rules natting two
>>> /21s to less than 254 ips .:)
>>>
>>>
>>>
>>>
>>>
>>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>>
>>> MikroTik Certified Trainer/Consultant
>>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>>
>>>
>>>
>>> For Wireless Hardware/Routers visit www.linktechs.net
>>>
>>> Radio Frequency Coverages: www.towercoverage.com
>>>
>>> Office: 314-735-0270
>>>
>>> E-Mail: dmburg...@linktechs.net
>>>
>>>
>>>
>>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>>> *Sent:* Monday, January 15, 2018 12:28 PM
>>> *To:* af@afmug.com
>>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>>
>>>
>>>
>>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>>> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
>>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>>> not limited to 8k, 4k or 2k connections total. You have to look at in both
>>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>>> than that.
>>>
>>> Seems to be a whole lot easier than some crazy NAT appliance that's
>>> running the whole network. I haven't done anything like this, but I'm
>>> considering it. I think Juniper even lets you do this with a couple
>>> commands? Yeah, I'm too cheap for that.
>>>
>>> Something else to keep in mind is that most consumer grade routers still
>>> have a fairly limited connection table. My Cambium cnPilot router I have at
>>> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
>>> While even a low-end MikroTik will give you >100k.
>>>
>>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>>
>>> Planning to buy another /21 or some such thing  again ..
>>>
>>> So going to attempt to NAT the whole frigging company.
>>>
>>> Seems like I am going in reverse here.
>>>
>>> If we can make NAT work for most customers, then that will buy us time
>>> to build our magic V4 translator gateway box for a V6 only network.
>>>
>>> Any suggestions on the best way to do this?
>>>
>>>
>>>
>>
>>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
Does MT have something larger?

I would need two for redundancy.  I presume use policy based routing sending 
all the 10.x.x.x source IP traffic to one of the two NAT boxes that will be set 
up for load sharing.  Core would send everything else to the edge.  

Details details, I let the router experts sweat that stuff.  

From: Adam Moffett 
Sent: Monday, January 15, 2018 12:17 PM
To: af@afmug.com ; af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

the 1072 has 72 cores.  We have a 1036 (36 core) doing NAT for over a thousand 
LTE+Wimax customers.  CPU usage is like 30%. The "firewall" and "networking" 
processes account for most of the usage.

We could extrapolate that to say a 1072 could maybe handle 4,000 with 60% CPU 
usage. Just a guess obviously.  There's nothing to say it would scale 
linearly.



-- Original Message --
From: "Chuck McCown" <ch...@wbmfg.com>
To: af@afmug.com
Sent: 1/15/2018 2:07:39 PM
Subject: Re: [AFMUG] IPv4 exhaust again

  Wonder how heavy we can load that... I would want it to be able to handle 
8000 connections.  

  From: Steve Jones 
  Sent: Monday, January 15, 2018 12:05 PM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  ccr1072

  On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What are you using?  Router NAT or a server or ?

From: Steve Jones 
Sent: Monday, January 15, 2018 11:48 AM
    To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics 
and have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  I need to have about /19 worth of customers natted to as few V4s as is 
needed to make it work properly.

  We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

  From: Dennis Burgess 
  Sent: Monday, January 15, 2018 11:34 AM
      To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Mikrotik can do that, I have a router with 20k NAT rules natting two /21s 
to less than 254 ips .:) 





  Dennis Burgess – Network Solution Engineer – Consultant 

  MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, 
MTCINE



  For Wireless Hardware/Routers visit www.linktechs.net

  Radio Frequency Coverages: www.towercoverage.com 

  Office: 314-735-0270

  E-Mail: dmburg...@linktechs.net 



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
  Sent: Monday, January 15, 2018 12:28 PM
  To: af@afmug.com
  Subject: Re: [AFMUG] IPv4 exhaust again



  Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k ports 
each, 32 customers 2k ports each. That's *source* ports, so they're not limited 
to 8k, 4k or 2k connections total. You have to look at in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

  Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple commands? 
Yeah, I'm too cheap for that.

  Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have at 
home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While 
even a low-end MikroTik will give you >100k.

  On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company. 

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time 
to build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?






Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Adam Moffett
the 1072 has 72 cores.  We have a 1036 (36 core) doing NAT for over a 
thousand LTE+Wimax customers.  CPU usage is like 30%. The "firewall" and 
"networking" processes account for most of the usage.


We could extrapolate that to say a 1072 could maybe handle 4,000 with 60% CPU 
usage. Just a guess obviously.  There's nothing to say it would scale 
linearly.




-- Original Message --
From: "Chuck McCown" <ch...@wbmfg.com>
To: af@afmug.com
Sent: 1/15/2018 2:07:39 PM
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to 
handle 8000 connections.


From:Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

What are you using?  Router NAT or a server or ?

From:Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of 
publics and have little to no issue, though we really should since the 
customer router double NATs


On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> 
wrote:
I need to have about /19 worth of customers natted to as few V4s as 
is needed to make it work properly.


We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.


From:Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two 
/21s to less than 254 ips .:)






Dennis Burgess – Network Solution Engineer – Consultant

MikroTik Certified Trainer/Consultant 
<http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> – 
MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE




For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To:af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a 
single public IPv4 address. Give 8 customers 8k ports each, or 16 
customer 4k ports each, 32 customers 2k ports each. That's *source* 
ports, so they're not limited to 8k, 4k or 2k connections total. You 
have to look at in both directions. 10.10.10.10:1024 -> 8.8.8.8:53 
and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are both valid, and it 
obviously goes a lot deeper than that.


Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple 
commands? Yeah, I'm too cheap for that.


Something else to keep in mind is that most consumer grade routers 
still have a fairly limited connection table. My Cambium cnPilot 
router I have at home lets you adjust the max table size (up to 
8192). Most are 2k or 4k. While even a low-end MikroTik will give you 
>100k.


On 1/15/2018 11:35 AM, Chuck McCown wrote:


Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us 
time to build our magic V4 translator gateway box for a V6 only 
network.

Any suggestions on the best way to do this?








Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
What flavor of NAT does mikrotik implement?

From: Chuck McCown 
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.  

From: Steve Jones 
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What are you using?  Router NAT or a server or ?

  From: Steve Jones 
  Sent: Monday, January 15, 2018 11:48 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

  On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

I need to have about /19 worth of customers natted to as few V4s as is 
needed to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s 
to less than 254 ips .:) 





Dennis Burgess – Network Solution Engineer – Consultant 

MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE



For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com 

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net 



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com
    Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k ports 
each, 32 customers 2k ports each. That's *source* ports, so they're not limited 
to 8k, 4k or 2k connections total. You have to look at in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running 
the whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have at 
home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While 
even a low-end MikroTik will give you >100k.

On 1/15/2018 11:35 AM, Chuck McCown wrote:

  Planning to buy another /21 or some such thing  again ..

  So going to attempt to NAT the whole frigging company. 

  Seems like I am going in reverse here.

  If we can make NAT work for most customers, then that will buy us time to 
build our magic V4 translator gateway box for a V6 only network.

  Any suggestions on the best way to do this?






Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.  

From: Steve Jones 
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  What are you using?  Router NAT or a server or ?

  From: Steve Jones 
  Sent: Monday, January 15, 2018 11:48 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

  On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

I need to have about /19 worth of customers natted to as few V4s as is 
needed to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a 
fourth.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com 
    Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s 
to less than 254 ips .:) 





Dennis Burgess – Network Solution Engineer – Consultant 

MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE



For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com 

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net 



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com
    Subject: Re: [AFMUG] IPv4 exhaust again



Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k ports 
each, 32 customers 2k ports each. That's *source* ports, so they're not limited 
to 8k, 4k or 2k connections total. You have to look at in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running 
the whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have at 
home lets you adjust the max table size (up to 8192). Most are 2k or 4k. While 
even a low-end MikroTik will give you >100k.

On 1/15/2018 11:35 AM, Chuck McCown wrote:

  Planning to buy another /21 or some such thing  again ..

  So going to attempt to NAT the whole frigging company. 

  Seems like I am going in reverse here.

  If we can make NAT work for most customers, then that will buy us time to 
build our magic V4 translator gateway box for a V6 only network.

  Any suggestions on the best way to do this?






Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:

> What are you using?  Router NAT or a server or ?
>
> *From:* Steve Jones
> *Sent:* Monday, January 15, 2018 11:48 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
> Im not going to lie, we are natting at 1:300 across a handful of publics
> and have little to no issue, though we really should since the customer
> router double NATs
>
> On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> I need to have about /19 worth of customers natted to as few V4s as is
>> needed to make it work properly.
>>
>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>> fourth.
>>
>> *From:* Dennis Burgess
>> *Sent:* Monday, January 15, 2018 11:34 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>>
>> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s
>> to less than 254 ips .:)
>>
>>
>>
>>
>>
>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>
>> MikroTik Certified Trainer/Consultant
>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>
>>
>>
>> For Wireless Hardware/Routers visit www.linktechs.net
>>
>> Radio Frequency Coverages: www.towercoverage.com
>>
>> Office: 314-735-0270
>>
>> E-Mail: dmburg...@linktechs.net
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>> *Sent:* Monday, January 15, 2018 12:28 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>>
>>
>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>> not limited to 8k, 4k or 2k connections total. You have to look at in both
>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>> than that.
>>
>> Seems to be a whole lot easier than some crazy NAT appliance that's
>> running the whole network. I haven't done anything like this, but I'm
>> considering it. I think Juniper even lets you do this with a couple
>> commands? Yeah, I'm too cheap for that.
>>
>> Something else to keep in mind is that most consumer grade routers still
>> have a fairly limited connection table. My Cambium cnPilot router I have at
>> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
>> While even a low-end MikroTik will give you >100k.
>>
>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>
>> Planning to buy another /21 or some such thing  again ..
>>
>> So going to attempt to NAT the whole frigging company.
>>
>> Seems like I am going in reverse here.
>>
>> If we can make NAT work for most customers, then that will buy us time to
>> build our magic V4 translator gateway box for a V6 only network.
>>
>> Any suggestions on the best way to do this?
>>
>>
>>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
What are you using?  Router NAT or a server or ?

From: Steve Jones 
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

Im not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

  I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

  We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.  

  From: Dennis Burgess 
  Sent: Monday, January 15, 2018 11:34 AM
  To: af@afmug.com 
  Subject: Re: [AFMUG] IPv4 exhaust again

  Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:) 





  Dennis Burgess – Network Solution Engineer – Consultant 

  MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE



  For Wireless Hardware/Routers visit www.linktechs.net

  Radio Frequency Coverages: www.towercoverage.com 

  Office: 314-735-0270

  E-Mail: dmburg...@linktechs.net 



  From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
  Sent: Monday, January 15, 2018 12:28 PM
  To: af@afmug.com
  Subject: Re: [AFMUG] IPv4 exhaust again



  Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

  Seems to be a whole lot easier than some crazy NAT appliance that's running 
the whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

  Something else to keep in mind is that most consumer grade routers still have 
a fairly limited connection table. My Cambium cnPilot router I have at home 
lets you adjust the max table size (up to 8192). Most are 2k or 4k. While even 
a low-end MikroTik will give you >100k.

  On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..

So going to attempt to NAT the whole frigging company. 

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time to 
build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?





Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Mathew Howard
I'm assuming not, but I think the Xbox does support IPv6 now, so if you're
doing dual-stack, that would hopefully take care of that issue to some
extent, anyway.

I don't think that the xbox NAT issues are nearly as bad as they used to be
anyway... I haven't heard from any of our customers complaining about it in
a long time, and since we have our SM's all in NAT mode, there should still
be a lot of people that aren't getting things forwarded properly (even with
uPNP running on everything).

On Mon, Jan 15, 2018 at 12:45 PM, Kurt Fankhauser <lists.wavel...@gmail.com>
wrote:

> does CG-NAT work with the Xbox people?
>
> On Mon, Jan 15, 2018 at 1:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
>
>> I need to have about /19 worth of customers natted to as few V4s as is
>> needed to make it work properly.
>>
>> We currently have about 3 /21s I think.  Don’t want to have to buy a
>> fourth.
>>
>> *From:* Dennis Burgess
>> *Sent:* Monday, January 15, 2018 11:34 AM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>>
>> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s
>> to less than 254 ips .:)
>>
>>
>>
>>
>>
>> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>>
>> MikroTik Certified Trainer/Consultant
>> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
>> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>>
>>
>>
>> For Wireless Hardware/Routers visit www.linktechs.net
>>
>> Radio Frequency Coverages: www.towercoverage.com
>>
>> Office: 314-735-0270
>>
>> E-Mail: dmburg...@linktechs.net
>>
>>
>>
>> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
>> *Sent:* Monday, January 15, 2018 12:28 PM
>> *To:* af@afmug.com
>> *Subject:* Re: [AFMUG] IPv4 exhaust again
>>
>>
>>
>> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
>> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
>> ports each, 32 customers 2k ports each. That's *source* ports, so they're
>> not limited to 8k, 4k or 2k connections total. You have to look at in both
>> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
>> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
>> than that.
>>
>> Seems to be a whole lot easier than some crazy NAT appliance that's
>> running the whole network. I haven't done anything like this, but I'm
>> considering it. I think Juniper even lets you do this with a couple
>> commands? Yeah, I'm too cheap for that.
>>
>> Something else to keep in mind is that most consumer grade routers still
>> have a fairly limited connection table. My Cambium cnPilot router I have at
>> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
>> While even a low-end MikroTik will give you >100k.
>>
>> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>>
>> Planning to buy another /21 or some such thing  again ..
>>
>> So going to attempt to NAT the whole frigging company.
>>
>> Seems like I am going in reverse here.
>>
>> If we can make NAT work for most customers, then that will buy us time to
>> build our magic V4 translator gateway box for a V6 only network.
>>
>> Any suggestions on the best way to do this?
>>
>>
>>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Steve Jones
I'm not going to lie, we are natting at 1:300 across a handful of publics
and have little to no issue, though we really should since the customer
router double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

> I need to have about /19 worth of customers natted to as few V4s as is
> needed to make it work properly.
>
> We currently have about 3 /21s I think.  Don’t want to have to buy a
> fourth.
>
> *From:* Dennis Burgess
> *Sent:* Monday, January 15, 2018 11:34 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s
> to less than 254 ips .:)
>
>
>
>
>
> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>
> MikroTik Certified Trainer/Consultant
> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>
>
>
> For Wireless Hardware/Routers visit www.linktechs.net
>
> Radio Frequency Coverages: www.towercoverage.com
>
> Office: 314-735-0270
>
> E-Mail: dmburg...@linktechs.net
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
> *Sent:* Monday, January 15, 2018 12:28 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
> ports each, 32 customers 2k ports each. That's *source* ports, so they're
> not limited to 8k, 4k or 2k connections total. You have to look at in both
> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
> than that.
>
> Seems to be a whole lot easier than some crazy NAT appliance that's
> running the whole network. I haven't done anything like this, but I'm
> considering it. I think Juniper even lets you do this with a couple
> commands? Yeah, I'm too cheap for that.
>
> Something else to keep in mind is that most consumer grade routers still
> have a fairly limited connection table. My Cambium cnPilot router I have at
> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
> While even a low-end MikroTik will give you >100k.
>
> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>
> Planning to buy another /21 or some such thing  again ..
>
> So going to attempt to NAT the whole frigging company.
>
> Seems like I am going in reverse here.
>
> If we can make NAT work for most customers, then that will buy us time to
> build our magic V4 translator gateway box for a V6 only network.
>
> Any suggestions on the best way to do this?
>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Kurt Fankhauser
does CG-NAT work with the Xbox people?

On Mon, Jan 15, 2018 at 1:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:

> I need to have about /19 worth of customers natted to as few V4s as is
> needed to make it work properly.
>
> We currently have about 3 /21s I think.  Don’t want to have to buy a
> fourth.
>
> *From:* Dennis Burgess
> *Sent:* Monday, January 15, 2018 11:34 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
> Mikrotik can do that, I have a router with 20k NAT rules natting two /21s
> to less than 254 ips .:)
>
>
>
>
>
> *Dennis Burgess** –** Network Solution Engineer – Consultant *
>
> MikroTik Certified Trainer/Consultant
> <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> –
> MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE
>
>
>
> For Wireless Hardware/Routers visit www.linktechs.net
>
> Radio Frequency Coverages: www.towercoverage.com
>
> Office: 314-735-0270
>
> E-Mail: dmburg...@linktechs.net
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *George Skorup
> *Sent:* Monday, January 15, 2018 12:28 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv4 exhaust again
>
>
>
> Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single
> public IPv4 address. Give 8 customers 8k ports each, or 16 customer 4k
> ports each, 32 customers 2k ports each. That's *source* ports, so they're
> not limited to 8k, 4k or 2k connections total. You have to look at in both
> directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 ->
> 8.8.4.4:53 mappings are both valid, and it obviously goes a lot deeper
> than that.
>
> Seems to be a whole lot easier than some crazy NAT appliance that's
> running the whole network. I haven't done anything like this, but I'm
> considering it. I think Juniper even lets you do this with a couple
> commands? Yeah, I'm too cheap for that.
>
> Something else to keep in mind is that most consumer grade routers still
> have a fairly limited connection table. My Cambium cnPilot router I have at
> home lets you adjust the max table size (up to 8192). Most are 2k or 4k.
> While even a low-end MikroTik will give you >100k.
>
> On 1/15/2018 11:35 AM, Chuck McCown wrote:
>
> Planning to buy another /21 or some such thing  again ..
>
> So going to attempt to NAT the whole frigging company.
>
> Seems like I am going in reverse here.
>
> If we can make NAT work for most customers, then that will buy us time to
> build our magic V4 translator gateway box for a V6 only network.
>
> Any suggestions on the best way to do this?
>
>
>


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Chuck McCown
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.  

From: Dennis Burgess 
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com 
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:) 

 

 

Dennis Burgess – Network Solution Engineer – Consultant 

MikroTik Certified Trainer/Consultant – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

 

For Wireless Hardware/Routers visit www.linktechs.net

Radio Frequency Coverages: www.towercoverage.com 

Office: 314-735-0270

E-Mail: dmburg...@linktechs.net 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

 

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k.

On 1/15/2018 11:35 AM, Chuck McCown wrote:

  Planning to buy another /21 or some such thing again ..

  So going to attempt to NAT the whole frigging company.

  Seems like I am going in reverse here.

  If we can make NAT work for most customers, then that will buy us time to
  build our magic V4 translator gateway box for a V6 only network.

  Any suggestions on the best way to do this?

 


Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread Dennis Burgess
Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 ips .:)


Dennis Burgess - Network Solution Engineer - Consultant
MikroTik Certified Trainer/Consultant <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5>
 - MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net
Radio Frequency Coverages: www.towercoverage.com
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net

From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 mappings are 
both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k.
On 1/15/2018 11:35 AM, Chuck McCown wrote:
Planning to buy another /21 or some such thing again ..
So going to attempt to NAT the whole frigging company.
Seems like I am going in reverse here.
If we can make NAT work for most customers, then that will buy us time to build 
our magic V4 translator gateway box for a V6 only network.
Any suggestions on the best way to do this?



Re: [AFMUG] IPv4 exhaust again

2018-01-15 Thread George Skorup
Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single 
public IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k 
ports each, 32 customers 2k ports each. That's *source* ports, so 
they're not limited to 8k, 4k or 2k connections total. You have to look 
at it in both directions. 10.10.10.10:1024 -> 8.8.8.8:53 and 
10.10.10.10:1024 -> 8.8.4.4:53 mappings are both valid, and it obviously 
goes a lot deeper than that.


Seems to be a whole lot easier than some crazy NAT appliance that's 
running the whole network. I haven't done anything like this, but I'm 
considering it. I think Juniper even lets you do this with a couple 
commands? Yeah, I'm too cheap for that.


Something else to keep in mind is that most consumer grade routers still 
have a fairly limited connection table. My Cambium cnPilot router I have 
at home lets you adjust the max table size (up to 8192). Most are 2k or 
4k. While even a low-end MikroTik will give you >100k.


On 1/15/2018 11:35 AM, Chuck McCown wrote:

Planning to buy another /21 or some such thing  again ..
So going to attempt to NAT the whole frigging company.
Seems like I am going in reverse here.
If we can make NAT work for most customers, then that will buy us time 
to build our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?
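
The 8:1, 16:1 and 32:1 port-block split described in the message above, worked through as an added example (not code from the thread or from any vendor). It goes one step further than the message and shows the reverse lookup: with fixed blocks, a public IP plus source port from an abuse report resolves to one customer without per-connection NAT logs. Assumptions: the class and method names are hypothetical, the inside range 100.64.0.0/19 and public start 198.51.100.0 are constructed values, and ports 0-1023 are kept out of the pool, so blocks come out as 8064/4032/2016 ports rather than a round 8k/4k/2k.

```python
import ipaddress

FIRST_PORT, LAST_PORT = 1024, 65535   # assumption: well-known ports are never handed out


class PortBlockPlan:
    """Deterministic CGN plan: a customer always gets the same public IP and port block."""

    def __init__(self, inside_cidr, public_start, ratio):
        self.inside = ipaddress.ip_network(inside_cidr)
        self.public_start = ipaddress.ip_address(public_start)
        self.ratio = ratio                                   # customers per public IPv4
        self.block = (LAST_PORT - FIRST_PORT + 1) // ratio   # source ports per customer

    def public_needed(self):
        """Public addresses required to cover the whole inside range (ceiling division)."""
        return -(-self.inside.num_addresses // self.ratio)

    def forward(self, customer_ip):
        """Customer address -> (public IP, first port, last port)."""
        idx = int(ipaddress.ip_address(customer_ip)) - int(self.inside.network_address)
        if not 0 <= idx < self.inside.num_addresses:
            raise ValueError(f"{customer_ip} is outside {self.inside}")
        low = FIRST_PORT + (idx % self.ratio) * self.block
        return str(self.public_start + idx // self.ratio), low, low + self.block - 1

    def reverse(self, public_ip, src_port):
        """Public IP and source port from an abuse report -> customer address, or None."""
        offset = int(ipaddress.ip_address(public_ip)) - int(self.public_start)
        slot = (src_port - FIRST_PORT) // self.block
        if not (0 <= offset < self.public_needed()
                and FIRST_PORT <= src_port <= LAST_PORT
                and slot < self.ratio):
            return None
        idx = offset * self.ratio + slot
        if idx >= self.inside.num_addresses:
            return None
        return str(self.inside.network_address + idx)


if __name__ == "__main__":
    # Constructed values: RFC 6598 shared space inside, documentation range outside.
    for ratio in (8, 16, 32):
        plan = PortBlockPlan("100.64.0.0/19", "198.51.100.0", ratio)
        print(ratio, plan.block, plan.public_needed(), plan.forward("100.64.0.33"))
    print(plan.reverse("198.51.100.1", 4000))
```
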