You can engineer around that as well.  There are many things you can do with 
multiples of those types of units. Simple to do and failover can be easy if 
set up correctly.


Dennis Burgess – Network Solution Engineer – Consultant
MikroTik Certified Trainer/Consultant <http://www.linktechs.net/productcart/pc/viewcontent.asp?idpage=5> – MTCNA, MTCRE, MTCWE, MTCTCE, MTCINE

For Wireless Hardware/Routers visit www.linktechs.net
Radio Frequency Coverages: www.towercoverage.com
Office: 314-735-0270
E-Mail: dmburg...@linktechs.net

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Mathew Howard
Sent: Monday, January 15, 2018 3:15 PM
To: af <af@afmug.com>
Subject: Re: [AFMUG] IPv4 exhaust again

Yeah, personally, I'd split it between multiple boxes and do something like one 
/21 per box. It makes things a bit more complex, but it also means that if one 
of those boxes does happen to croak, you only have to deal with a quarter of 
the subscribers going down instead of the whole works.

On Mon, Jan 15, 2018 at 3:02 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
Thanks for the tip.  I don't know why I didn't think to use the filter.
I guess 1,000 or so subscribers equals 26,000 or so connections.  That's good 
to know.
In this instance I have a private /21 NAT'd onto a public /28 with the ccr 1036 
and have plenty of spare room on the CPU.

Just an idea for Chuck's case, but the 1036 with 4 10G ports and 12 1G ports is 
only about $800 from Baltic.  You could get 4 of those for your 8,000 user load 
and have 4 hot spares in the rack.   Assign a private /21 to each unit.  You 
could create a LAG for the 4 10G ports to get a 40G uplink.


------ Original Message ------
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 3:40:37 PM
Subject: Re: [AFMUG] IPv4 exhaust again

filter by reply destination address and then by tcp state established is what I 
did

On Mon, Jan 15, 2018 at 2:35 PM, Adam Moffett <dmmoff...@gmail.com> wrote:
I took him to mean subscribers when he said 8000 connections.
As far as Layer4 connections we're performing NAT for, I'm not totally sure how 
to tell.
If I torch the LTE PDN interface, it counts up for awhile and then freezes.
Connection tracking is showing something like 120,000 items but that isn't 
strictly stuff we're NAT'ing.  Some traffic just passes through.


------ Original Message ------
From: "Steve Jones" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: 1/15/2018 2:21:54 PM
Subject: Re: [AFMUG] IPv4 exhaust again

srcnat is what we use. 1800 connections right now from one section of the 
network

On Mon, Jan 15, 2018 at 1:10 PM, Chuck McCown <ch...@wbmfg.com> wrote:
What flavor of NAT does mikrotik implement?

From: Chuck McCown
Sent: Monday, January 15, 2018 12:07 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Wonder how heavy we can load that... I would want it to be able to handle 8000 
connections.

From: Steve Jones
Sent: Monday, January 15, 2018 12:05 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

ccr1072

On Mon, Jan 15, 2018 at 12:59 PM, Chuck McCown <ch...@wbmfg.com> wrote:
What are you using?  Router NAT or a server or ?

From: Steve Jones
Sent: Monday, January 15, 2018 11:48 AM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

I'm not going to lie, we are natting at 1:300 across a handful of publics and 
have little to no issue, though we really should since the customer router 
double NATs

On Mon, Jan 15, 2018 at 12:39 PM, Chuck McCown <ch...@wbmfg.com> wrote:
I need to have about /19 worth of customers natted to as few V4s as is needed 
to make it work properly.

We currently have about 3 /21s I think.  Don’t want to have to buy a fourth.

From: Dennis Burgess
Sent: Monday, January 15, 2018 11:34 AM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Mikrotik can do that, I have a router with 20k NAT rules natting two /21s to 
less than 254 IPs. :)



From: Af [mailto:af-boun...@afmug.com] On Behalf Of George Skorup
Sent: Monday, January 15, 2018 12:28 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv4 exhaust again

Dual-stack and CGN? You can get 8:1, 16:1 or even 32:1 out of a single public 
IPv4 address. Give 8 customers 8k ports each, or 16 customers 4k ports each, 32 
customers 2k ports each. That's *source* ports, so they're not limited to 8k, 
4k or 2k connections total. You have to look at it in both directions. 
10.10.10.10:1024 -> 8.8.8.8:53 and 10.10.10.10:1024 -> 8.8.4.4:53 
mappings are both valid, and it obviously goes a lot deeper than that.

Seems to be a whole lot easier than some crazy NAT appliance that's running the 
whole network. I haven't done anything like this, but I'm considering it. I 
think Juniper even lets you do this with a couple commands? Yeah, I'm too cheap 
for that.

Something else to keep in mind is that most consumer grade routers still have a 
fairly limited connection table. My Cambium cnPilot router I have at home lets 
you adjust the max table size (up to 8192). Most are 2k or 4k. While even a 
low-end MikroTik will give you >100k.

On 1/15/2018 11:35 AM, Chuck McCown wrote:
Planning to buy another /21 or some such thing .... again ......

So going to attempt to NAT the whole frigging company.

Seems like I am going in reverse here.

If we can make NAT work for most customers, then that will buy us time to build 
our magic V4 translator gateway box for a V6 only network.

Any suggestions on the best way to do this?
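
An added example, not part of the original thread: the fixed port-block scheme George Skorup describes (N subscribers per public IPv4 address, each with its own source-port range), with the reverse lookup that turns a public address and source port from an abuse report back into the subscriber. The address ranges are constructed, and skipping ports below 1024 is an assumption, so a 32:1 block is 2016 ports rather than a full 2k.

```python
import ipaddress

PORT_LO, PORT_HI = 1024, 65535   # assumption: well-known ports are left unused


def block_size(ratio):
    """Source ports each subscriber gets when `ratio` subscribers share one IPv4."""
    return (PORT_HI - PORT_LO + 1) // ratio


def forward(private_ip, private_net, public_pool, ratio):
    """Private address -> (public address, first port, last port)."""
    index = int(ipaddress.ip_address(private_ip)) - int(private_net.network_address)
    if not 0 <= index < private_net.num_addresses:
        raise ValueError("address is outside the subscriber range")
    pub_index, slot = divmod(index, ratio)
    if pub_index >= len(public_pool):
        raise ValueError("public pool too small for this ratio")
    first = PORT_LO + slot * block_size(ratio)
    return public_pool[pub_index], first, first + block_size(ratio) - 1


def reverse(public_ip, port, private_net, public_pool, ratio):
    """(public address, source port) seen by a remote site -> private address."""
    pub_index = public_pool.index(ipaddress.ip_address(public_ip))
    slot = (port - PORT_LO) // block_size(ratio)
    if port < PORT_LO or slot >= ratio:
        raise ValueError("port is outside every subscriber block")
    index = pub_index * ratio + slot
    if index >= private_net.num_addresses:
        raise ValueError("block is not assigned")
    return private_net.network_address + index


# Constructed sample: one private /21 (2048 addresses) at 32:1 needs 64 public IPs.
PRIVATE = ipaddress.ip_network("100.64.0.0/21")
POOL = list(ipaddress.ip_network("198.51.100.0/26"))   # documentation range
RATIO = 32

if __name__ == "__main__":
    pub, lo, hi = forward("100.64.0.33", PRIVATE, POOL, RATIO)
    print(pub, lo, hi)
    print(reverse(pub, lo + 5, PRIVATE, POOL, RATIO))
```

Because the mapping is a pure function of the addresses, no per-connection NAT log is needed to attribute traffic, only the public address and source port from the report.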