Linux Netfilter discussions
From: trentbuck@gmail.com (Trent W. Buck)
To: netfilter@vger.kernel.org
Subject: Re: "Carrier Grade" NAT44 setup
Date: Thu, 11 Jun 2020 15:51:37 +1000
Message-ID: <87h7vi880m.fsf@goll.lan>
In-Reply-To: 5c2c7d45-ea99-0f70-04ee-544f9837b8a8@rfc2324.org

Maximilian Wilhelm <max@rfc2324.org> writes:
> Did anyone here already build such a setup [linux as CGNAT router]?

I have some derpy non-expert comments, below.

> What resources would be required on the Linux box? I would assume any
> decent server CPU with 6+ cores will be fine and 16-32GB of RAM would
> suffice for storing the conntrack mappings?

Obligatory question whenever CGNAT comes up:
Can you just use IPv6 instead? ;-)


When I was doing NAT for up to 1000 desktops,
I looked into conntrack table size, and
concluded it was not worth even worrying about.

From first principles, the NAT record is basically a struct like

    (orig_ip, orig_port, nat_ip, nat_port)

Which for IPv4 is only like 10 bytes or something.
So in 10MiB you can remember 10Mi concurrent flows.

I looked for a quick sanity-check of that and I found this old post
which reckons 32K concurrent flows in 512MB:

    https://wiki.khnet.info/index.php/Conntrack_tuning

Another old post estimates about 350b/flow, so about 10MB = 28K flows:

    https://www.cyberciti.biz/faq/ip_conntrack-table-ful-dropping-packet-error/

Obviously those numbers don't line up too well.
Next step is probably to dig through the kernel's Documentation/ tree
for notes about conntrack limits.
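One way to do the sanity check the message asks for is to read the per-flow object size straight from the kernel's nf_conntrack slab cache instead of guessing at the struct. This is an added example, not code from the thread; it assumes a 64-bit kernel (8-byte hash bucket heads), the /proc/sys/net/netfilter sysctl names nf_conntrack_max, nf_conntrack_count and nf_conntrack_buckets, and uses a constructed /proc/slabinfo excerpt so it also runs where those files are not readable.

```shell
#!/bin/sh
# Estimate conntrack table memory from the slab cache the kernel actually
# allocates nf_conn objects from, rather than from a guessed struct size.

# Object size in bytes of the nf_conntrack slab cache, taken from a
# /proc/slabinfo dump. Columns: name active_objs num_objs objsize ...
# Matches "nf_conntrack" and the per-netns "nf_conntrack_<hex>" names of
# older kernels, but not "nf_conntrack_expect".
conntrack_objsize() {
    printf '%s\n' "$1" | awk '$1 ~ /^nf_conntrack(_[0-9a-f]+)?$/ { print $4; exit }'
}

# Bytes for N tracked flows: one nf_conn object per flow plus the hash table
# (nf_conntrack_buckets list heads, assumed 8 bytes each on 64-bit).
conntrack_mem_bytes() {
    objsize=$1; flows=$2; buckets=$3
    echo $(( objsize * flows + buckets * 8 ))
}

# Constructed slabinfo excerpt; the numbers are plausible, not measured.
SAMPLE_SLABINFO='slabinfo - version: 2.1
# name            <active_objs> <num_objs> <objsize> <objperslab> <pagesperslab> : tunables ...
nf_conntrack_expect     0      0    208   19    1 : tunables    0    0    0 : slabdata      0      0      0
nf_conntrack         2048   2352    320   25    2 : tunables    0    0    0 : slabdata     94     94      0
dentry              98765 100000    192   21    1 : tunables    0    0    0 : slabdata   4762   4762      0'

# Live report on a Linux host with nf_conntrack loaded (/proc/slabinfo is
# normally root-only, so this silently skips when it cannot read it).
report_live() {
    sysfs=/proc/sys/net/netfilter
    [ -r /proc/slabinfo ] && [ -r "$sysfs/nf_conntrack_max" ] || {
        echo "conntrack sysctls or slabinfo not readable; skipping live report"; return 0; }
    objsize=$(conntrack_objsize "$(cat /proc/slabinfo)")
    [ -n "$objsize" ] || { echo "nf_conntrack slab cache not present"; return 0; }
    max=$(cat "$sysfs/nf_conntrack_max")
    count=$(cat "$sysfs/nf_conntrack_count")
    buckets=$(cat "$sysfs/nf_conntrack_buckets")
    echo "objsize=${objsize}B count=$count max=$max buckets=$buckets"
    echo "memory at nf_conntrack_max: $(conntrack_mem_bytes "$objsize" "$max" "$buckets") bytes"
}

# Demonstration on the constructed sample: 1,000,000 flows, 262144 buckets.
objsize=$(conntrack_objsize "$SAMPLE_SLABINFO")
echo "sample objsize ${objsize}B -> $(( $(conntrack_mem_bytes "$objsize" 1000000 262144) / 1048576 )) MiB for 1M flows"
report_live
```

With the sample 320-byte object, a million flows need roughly 307 MiB, which is far closer to the 350 B/flow estimate than to the 10-byte back-of-envelope figure.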


Thread overview: 4+ messages
2020-06-05 16:23 "Carrier Grade" NAT44 setup Maximilian Wilhelm
2020-06-11  5:51 ` Trent W. Buck [this message]
2020-06-14 19:27   ` Maximilian Wilhelm
2020-06-15  5:05 ` n3ph
