Re: [WISPA] NAT Limits on StarOS/Mikrotik
On Mon, Sep 28, 2009 at 11:30:55PM -0600, Matt Larsen - Lists wrote:
> connections coming into it. This server is running StarOS. We have about 1700 subs NATted behind a single IP address on this server. Behind it, I have a Mikrotik server that is handling all traffic coming into that server from the private network side. Looking at the IP/Firewall/Connections listing on this server, I see 69000-71000 items

Time to use more IPs. The one server may be able to handle the load, but you need a pool of IPs. I'd go for 8 or 16 IPs to start with and try to get down to 1 IP for 100 or 200 hosts.

Then I'd go get a /20 from ARIN, to start, and work on doing it without the NAT. You have the hosts to justify it. That many subs on PPPoE would probably only need a /21, but with DHCP subnets per sector, you could need a /19 or more.

I dislike NAT at the ISP level. It's not horrible at the SOHO level.

Has IPv6 come to the Mikrotik/StarOS world?

-- 
Scott Lambert  KC5MLE  Unix SysAdmin
lamb...@lambertfam.org

WISPA Wants You! Join today! http://signup.wispa.org/
WISPA Wireless List: wireless@wispa.org
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
Re: [WISPA] NAT Limits on StarOS/Mikrotik
I would assume it's possible. On the Mikrotik router under connection tracking, maybe drop some of the times? No clue if that will really hurt something or not, but it should make your connections clear faster.

NAT at the ISP level sounds like a nightmare. Like Scott said, get yourself a real block and start moving people over to it.

Well, define "come to". It will do IPv6 on a lot of things. I'm running a 6to4 tunnel, addressing by neighbor discovery, and OSPFv3. So far the only thing that gets me is torch doesn't work on IPv6; rather, you don't see any of the traffic.

With your LAN side of the router, if your address space is a /64 you can just click advertise and computers find themselves an address (Vista and XP (with IPv6 package)). Linux will also get an address, but I still prefer static IPv6.

Nick Olsen
Brevard Wireless
(321) 205-1100 x106

From: Scott Lambert lamb...@lambertfam.org
Sent: Tuesday, September 29, 2009 2:47 AM
To: WISPA General List wireless@wispa.org
Subject: Re: [WISPA] NAT Limits on StarOS/Mikrotik

> Has IPv6 come to the Mikrotik/StarOS world?
Re: [WISPA] NAT Limits on StarOS/Mikrotik
On Tue, 2009-09-29 at 01:47 -0500, Scott Lambert wrote:
> Has IPv6 come to the Mikrotik/StarOS world?

Mikrotik, yes. StarOS, I don't know.

-- 
* Butch Evans                 * Professional Network Consultation *
* http://www.butchevans.com/  * Network Engineering               *
* http://www.wispa.org/       * Wired or Wireless Networks        *
* http://blog.butchevans.com/ * ImageStream, Mikrotik and MORE!   *
Re: [WISPA] NAT Limits on StarOS/Mikrotik
You could also simply take blocks of IPs, so 10.0.0.0/12 or something, and go out one IP, and the next one, go out another IP :)

---
Dennis Burgess, CCNA, A+, Mikrotik Certified Trainer
WISPA Board Member - wispa.org
Link Technologies, Inc -- Mikrotik WISP Support Services
WISPA Vendor Member
Office: 314-735-0270  Website: http://www.linktechs.net
LIVE On-Line Mikrotik Training
Author of Learn RouterOS

-----Original Message-----
From: wireless-boun...@wispa.org [mailto:wireless-boun...@wispa.org] On Behalf Of Nick Olsen
Sent: Tuesday, September 29, 2009 8:24 AM
To: WISPA General List
Subject: Re: [WISPA] NAT Limits on StarOS/Mikrotik

> Nat at the ISP level sounds like a nightmare. Like Scott said, get yourself a real block and start moving people over to it.
Re: [WISPA] NAT Limits on StarOS/Mikrotik
I'd argue that if you are running with 69000 connections, you could be running into multiple problems. I can't comment on StarOS specifically, but one of the reasons we upgraded our servers from the 2.4 kernel to the 2.6 kernel was because of connection tracking table size. 2.6 kernels allowed management of the number of connections (able to delete from the table) without rebooting and terminating all connections. By the way, performance degradation was limited due to clocking (# of ticks per second), that was not updated until kernel 2.6.

One of the issues is that poorly written applications or virus/spyware don't close sessions properly, so they stay there in the table in an inactive state but still in the table for the specified duration (it might be 7 days by default?). (It's purposely designed to do that.) Linux doesn't work fast with tons of connections in its tables, and when you get tons of connections it will show heavy speed degradation for users. My point is that you might not only be running into a NAT issue and available ports, but also a problem of low performance when there are too many connections in the table.

In our deployments we turned connection tracking off on all our StarOS APs, because they didn't have enough memory or processing power to deal with it, and then upgraded our kernels on our core Linux routers that we used connection tracking on.

There are other reasons why having 1700 subs on a single NATted IP might be a bad idea, so I'd recommend changing that regardless of the cause of the problem you are currently troubleshooting. For example, what do you do if a user's IP gets blacklisted due to an AUP report? You then have 1700 customers blacklisted. If the core router fails, you have 1700 people down. Etc, etc. If one user gets a virus, all users get hammered when all the connections are terminated. We had one car dealership that added 120,000 entries to the connection table within about 8 hours. It was due to a poorly written WAN application. They fixed it, and it cured the problem. But it was tough to deal with the problem, and identify why it was occurring. But my point is... why risk all the subs, if all it takes is a single customer to create a connection problem issue?

What you'll likely want to do is write some scripts to analyze the content of the connection table. To determine if the majority of connections are getting eaten up by just a few customers, or equally distributed between customers? And determine the percentage that are active sessions versus inactive sessions?

Tom DeReggi
RapidDSL Wireless, Inc
301-515-7774
IntAirNet - Fixed Wireless Broadband
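The table analysis Tom suggests, as an added example that is not part of the thread and not code from any list member, StarOS or MikroTik. It reads the /proc/net/nf_conntrack format of 2.6 kernels (and the older /proc/net/ip_conntrack lines without the leading "ipv4 2" columns), which is what the kernel on a Linux-based NAT box keeps; RouterOS shows the same table through /ip firewall connection print in its own layout, which this script does not parse. The sample table is constructed with RFC 5737 documentation addresses. Two facts it relies on: on 2.6 kernels an established TCP entry lives 432000 seconds (5 days) unless the timeout is lowered, and on Linux netfilter NAT a translated source port only has to be unique per (public IP, protocol, destination IP, destination port), so a table can legitimately hold more than 65536 entries on one public address, and the per-destination counts, not the table total, are what to compare against the port limit Matt's tech is worried about.

```python
"""Per-subscriber breakdown of a Linux connection-tracking table (added example).

Reads /proc/net/nf_conntrack lines from a 2.6 kernel, or the older
/proc/net/ip_conntrack lines without the leading "ipv4 2" columns, and reports
who holds the entries, how many are live, and which (public IP, destination)
pairs are nearest the source-port ceiling.  SAMPLE is constructed.
"""
import re
import sys
from collections import Counter, defaultdict

SAMPLE = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.5 dst=198.51.100.1 sport=51234 dport=443 src=198.51.100.1 dst=203.0.113.7 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4     2 tcp      6 117 SYN_SENT src=10.0.0.5 dst=198.51.100.2 sport=51235 dport=80 [UNREPLIED] src=198.51.100.2 dst=203.0.113.7 sport=80 dport=51235 mark=0 use=1
ipv4     2 tcp      6 115 SYN_SENT src=10.0.0.5 dst=198.51.100.2 sport=51236 dport=80 [UNREPLIED] src=198.51.100.2 dst=203.0.113.7 sport=80 dport=51236 mark=0 use=1
ipv4     2 tcp      6 113 SYN_SENT src=10.0.0.5 dst=198.51.100.2 sport=51237 dport=80 [UNREPLIED] src=198.51.100.2 dst=203.0.113.7 sport=80 dport=51237 mark=0 use=1
ipv4     2 udp      17 29 src=10.0.0.5 dst=198.51.100.53 sport=40001 dport=53 src=198.51.100.53 dst=203.0.113.7 sport=53 dport=40001 mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=198.51.100.1 sport=33000 dport=443 src=198.51.100.1 dst=203.0.113.7 sport=443 dport=33000 [ASSURED] mark=0 use=1
tcp      6 431999 ESTABLISHED src=10.0.0.9 dst=198.51.100.1 sport=33001 dport=443 src=198.51.100.1 dst=203.0.113.7 sport=443 dport=33001 [ASSURED] mark=0 use=1
udp      17 25 src=10.0.0.12 dst=198.51.100.53 sport=50000 dport=53 [UNREPLIED] src=198.51.100.53 dst=203.0.113.7 sport=53 dport=50000 mark=0 use=1
tcp      6 118 TIME_WAIT src=10.0.0.12 dst=198.51.100.1 sport=44000 dport=80 src=198.51.100.1 dst=203.0.113.7 sport=80 dport=44000 [ASSURED] mark=0 use=1
"""

KV = re.compile(r"(\w+)=(\S+)")
PORT_LIMIT = 65535   # source ports available per (public IP, proto, dest IP, dest port)


def parse_line(line):
    """One conntrack entry as a dict; None for a blank line."""
    tok = line.split()
    if not tok:
        return None
    if tok[0] in ("ipv4", "ipv6"):          # nf_conntrack prefixes "<family> <num>"
        tok = tok[2:]
    proto, timeout = tok[0], int(tok[2])
    # TCP entries carry a state word after the timeout; UDP/ICMP entries do not.
    state = tok[3] if "=" not in tok[3] and tok[3].isupper() else None
    pairs = KV.findall(line)
    srcs = [v for k, v in pairs if k == "src"]
    dsts = [v for k, v in pairs if k == "dst"]
    dports = [v for k, v in pairs if k == "dport"]
    return {
        "proto": proto, "timeout": timeout, "state": state,
        "internal": srcs[0],      # original direction: the subscriber
        "remote": dsts[0],        # the host it is talking to
        "public": dsts[1],        # reply direction: the NAT address in use
        "dport": int(dports[0]) if dports else None,
        "unreplied": "[UNREPLIED]" in line,
    }


def classify(e):
    """Tom's split: live session, half-open/never answered, or leftover."""
    if e["unreplied"]:
        return "half_open"        # scans, dead hosts, broken apps: never got a reply
    if e["proto"] == "tcp" and e["state"] == "ESTABLISHED":
        return "live"
    return "other"                # closing TCP states, UDP/ICMP pseudo-flows


def summarise(text):
    per_host = defaultdict(Counter)   # subscriber -> bucket counts
    per_dest = Counter()              # (public, proto, remote, dport) -> entries
    for line in text.splitlines():
        e = parse_line(line)
        if e is None:
            continue
        per_host[e["internal"]]["total"] += 1
        per_host[e["internal"]][classify(e)] += 1
        if e["dport"] is not None:
            per_dest[(e["public"], e["proto"], e["remote"], e["dport"])] += 1
    return per_host, per_dest


def top_hosts(per_host, n=10):
    """Subscribers holding the most entries, largest first."""
    return sorted(per_host.items(), key=lambda kv: -kv[1]["total"])[:n]


def port_pressure(per_dest, n=10):
    """Destinations closest to exhausting a public IP's source ports.  On Linux
    NAT a translated port only has to be unique per (public IP, proto, dest IP,
    dest port), so this, not the table total, is what to compare with 65535."""
    rows = [(key, cnt, cnt / PORT_LIMIT) for key, cnt in per_dest.items()]
    return sorted(rows, key=lambda r: -r[1])[:n]


def main(path=None):
    per_host, per_dest = summarise(open(path).read() if path else SAMPLE)
    print(f"{sum(c['total'] for c in per_host.values())} entries, {len(per_host)} subscribers")
    for host, c in top_hosts(per_host):
        print(f"{host:15} total={c['total']:6} live={c['live']:6} "
              f"half_open={c['half_open']:6} other={c['other']:6}")
    for (pub, proto, remote, dport), cnt, frac in port_pressure(per_dest):
        print(f"{pub} {proto} -> {remote}:{dport}: {cnt} entries ({frac:.2%} of ports)")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it as `python3 conntrack_report.py /proc/net/nf_conntrack` on the NAT box (or on a copy of the file pulled off it); with no argument it reports on the constructed sample, where 10.0.0.5 shows the car-dealership pattern of many half-open entries and only one live session. A subscriber whose half_open count dwarfs its live count is the one to look at first, and a single (public IP, destination) row approaching the port limit is the only case where "we only have 65536 ports" actually bites.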
[WISPA] NAT Limits on StarOS/Mikrotik
Hello all,

We've been doing some troubleshooting of some occasional issues with NATed customers and started to wonder if we have reached the limits of what we can do with a single NAT server.

Right now, I have one NAT server that has two Internet backbone connections coming into it. This server is running StarOS. We have about 1700 subs NATted behind a single IP address on this server. Behind it, I have a Mikrotik server that is handling all traffic coming into that server from the private network side. Looking at the IP/Firewall/Connections listing on this server, I see 69000-71000 items in the list.

My lead tech is concerned that we only have 65536 ports to use on a single IP address, and we might be using all of them and having connection issues.

Anyone on the list more versed in Mikrotik/Linux/routing etc that might be able to shed some light on this?

Thanks!

Matt Larsen
vistabeam.com
Re: [WISPA] NAT Limits on StarOS/Mikrotik
Never seen a lot of people behind NAT so I don't know what you would see. If you're concerned about socket capacity you can srcnat different IP ranges to a different public IP.

On 9/29/09, Matt Larsen - Lists li...@manageisp.com wrote:
> My lead tech is concerned that we only have 65536 ports to use on a single IP address, and we might be using all of them and having connection issues.

-- 
Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

"When you have eliminated the impossible, that which remains, however improbable, must be the truth."
--- Sir Arthur Conan Doyle
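The per-range srcnat that Josh and Dennis describe, sized to Scott's target of 100 to 200 hosts per public IP, as an added example that is not part of the thread and not code from MikroTik or any list member. It splits the subscriber space into equal blocks, assigns each block one public address, and emits the RouterOS /ip firewall nat rules for it. Assumed for the example: subscribers live in 10.0.0.0/16, the public pool is 203.0.113.16/28 (documentation space) and is routed to the NAT box so every address in it is usable, and ether1 is the upstream interface; the per-IP load estimate assumes subscribers are spread evenly over the private space, which per-sector DHCP subnets may not give you.

```python
"""Deterministic NAT pool plan emitting RouterOS srcnat rules (added example).

Splits the subscriber space into equal blocks, assigns each block one public
address, and reports the resulting subscribers per IP.  Assumed: subscribers in
10.0.0.0/16, a public pool of 203.0.113.16/28 (documentation space) routed to
the NAT box, and ether1 as the upstream interface.
"""
import ipaddress
import math


def plan(private, pool, subs, max_per_ip=200, out_iface="ether1"):
    """Return {"rules": [...], "map": [(block, public_ip)], "load": {ip: subs}}."""
    private = ipaddress.ip_network(private)
    # A routed pool (not an interface subnet) can use every address in it.
    pool = [str(ip) for ip in ipaddress.ip_network(pool)]
    need = math.ceil(subs / max_per_ip)
    if need > len(pool):
        raise ValueError(f"{subs} subs at {max_per_ip} per IP need {need} addresses; "
                         f"pool has {len(pool)}")
    # Halving the private space repeatedly gives a power-of-two block count,
    # so round the needed count up to the next power of two.
    bits = (need - 1).bit_length()
    blocks = list(private.subnets(prefixlen_diff=bits))
    rules, mapping, load = [], [], {}
    for i, block in enumerate(blocks):
        pub = pool[i % len(pool)]          # round-robin if blocks outnumber addresses
        mapping.append((block, pub))
        # Even-spread estimate; real per-block counts depend on how you assign subs.
        load[pub] = load.get(pub, 0) + subs / len(blocks)
        rules.append(
            f"/ip firewall nat add chain=srcnat src-address={block} "
            f"out-interface={out_iface} action=src-nat to-addresses={pub} "
            f'comment="block {i + 1} of {len(blocks)}"'
        )
    return {"rules": rules, "map": mapping, "load": load}


def egress_for(result, host):
    """Public address a subscriber will be seen as (e.g. when an abuse report
    names one of the pool IPs, this narrows it to one block, not 1700 subs)."""
    addr = ipaddress.ip_address(host)
    for block, pub in result["map"]:
        if addr in block:
            return pub
    return None


if __name__ == "__main__":
    p = plan("10.0.0.0/16", "203.0.113.16/28", subs=1700, max_per_ip=200)
    print("\n".join(p["rules"]))
    for ip, n in p["load"].items():
        print(f"# {ip}: about {n:.0f} subscribers")
    print("# 10.0.5.7 egresses as", egress_for(p, "10.0.5.7"))
```

For 1700 subscribers at 200 per IP the planner needs 9 addresses, rounds up to 16 blocks of /20, and lands at about 106 subscribers per public IP, inside Scott's range. Paste the printed rules into the RouterOS console above any existing masquerade catch-all so the specific src-address matches win, and make sure the pool addresses are either configured with /ip address on the box or routed to it by the upstream, since nothing in the NAT rule itself makes the box answer for them.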