iandric
just joined
Topic Author
Posts: 23
Joined: Wed Jul 15, 2009 10:12 pm
Location: Germany

Maximum number of NAT users / sessions

Fri Aug 15, 2014 6:30 pm

If I understand it right, the maximum number of NAT sessions is limited by the number of connections at IP -> Firewall -> Connections -> Max. Entries.
This value depends on the installed amount of RAM, and the maximum entry amount can increase if the situation demands it and the router still has free RAM left.

So there is no real limit on the number of NAT users; there is a limit by the max. entries, which is limited by the free RAM. Is this right?

On a CCR1036-12G-4S I can see the max entries is by default at 475.264 connections, and if there is enough free RAM this number would be automatically increased by the system.
Also I can decrease the "tcp-established-timeout" (default is 1 day).

Currently there are 5.100 NAT users and 65.500 connections. This means, if the users all have the same behavior, it should be no problem to run with 10.000 or 15.000 NAT users if there is enough CPU power and bandwidth.

Does somebody have experience with such a number of NAT users?

Thank you!
 
onnoossendrijver
Member
Posts: 488
Joined: Mon Jul 14, 2008 11:10 am
Location: The Netherlands

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 7:29 pm

65500 is about the maximum number of sessions per single NAT IP (in general your public IP). If you need to do more sessions, make sure you have more IPs to do NAT on.
 
iandric
just joined
Topic Author
Posts: 23
Joined: Wed Jul 15, 2009 10:12 pm
Location: Germany

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 10:37 pm

65500 is about the maximum number of sessions per single NAT IP (in general your public IP). If you need to do more sessions, make sure you have more IPs to do NAT on.
This means I need multiple public IPs, and one NAT rule for each one?

Internal IP range for users 10.10.0.0/18 = 10.10.0.2 - 10.10.63.254 (10.10.0.1 is the default gateway)
10.10.0.0/20 NAT to 1st public IP (4.093 users and 1 x default gateway)
10.10.16.0/20 NAT to 2nd public IP (4.094 users)
10.10.32.0/20 NAT to 3rd public IP (4.094 users)
10.10.47.0/20 NAT to 4th public IP (4.094 users)
One DHCP server with 4 IP pools
pool 1 = 10.10.0.2 - 10.10.15.254
pool 2 = 10.10.16.1 - 10.10.31.254
pool 3 = 10.10.32.1 - 10.10.47.254
pool 4 = 10.10.48.1 - 10.10.63.254
One default gateway 10.10.0.1

Best regards,

Ivan
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 10:44 pm

Last edited by rextended on Fri Jun 30, 2023 6:01 pm, edited 1 time in total.
 
iandric
just joined
Topic Author
Posts: 23
Joined: Wed Jul 15, 2009 10:12 pm
Location: Germany

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:22 pm

If there are only 32767 ports in RouterOS for NAT and I have only one public IP for NAT, why do I have more than 50.000 connections?
This router is only doing NAT and routing...
I will look at this in the next few days.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:28 pm

Last edited by rextended on Fri Jun 30, 2023 6:02 pm, edited 1 time in total.
 
iandric
just joined
Topic Author
Posts: 23
Joined: Wed Jul 15, 2009 10:12 pm
Location: Germany

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:49 pm

Perhaps I do not understand your post...

If you mean "for each", there are 32767 ports for TCP and 32767 ports for UDP = 65534 ports.
If you mean "for both", there are 32767 ports for TCP & UDP together.

So, if it is 32767 ports for both and I have more than 50.000 connections @ 5.100 users, there
are more than 17.233 ports not used for NAT.

I hope to have this number of users again tomorrow, so I will look in more detail at the number and type of connections.

Best regards,

Ivan
 
CelticComms
Forum Guru
Posts: 1765
Joined: Wed May 02, 2012 5:48 am

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:52 pm

The socket pair (both ends of the communication) has to be unique for a session but not the socket at one end. Clearly, one IP and port number on one system can have multiple sessions provided that those sessions are terminated into different sockets at the far end.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:56 pm

Last edited by rextended on Fri Jun 30, 2023 6:02 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Aug 15, 2014 11:57 pm

Last edited by rextended on Fri Jun 30, 2023 6:02 pm, edited 1 time in total.
 
joshhboss
Member Candidate
Posts: 298
Joined: Thu Aug 01, 2019 2:13 pm

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 3:22 pm

65500 is about the maximum number of sessions per single NAT IP (in general your public IP). If you need to do more sessions, make sure you have more IPs to do NAT on.
False, if you use RouterOS, you have only 32767 ports (for each of TCP and UDP), because the NAT starts at 32768 and ends at 65534...
Ports from 0 to 32767 and 65535 are reserved or not used.

But that number (65500) is not the number of TCP or UDP connections used, but the total
of udp+tcp+gre+icmp+igmp+... connections present on the system; it also counts non-NAT connections, for example pinging the RouterBoard from WLAN...

The only way to count NATted connections is to filter the result by src-address=nat ip pool
Is this still true today? That only 32767 ports are being used for NAT?
 
k6ccc
Forum Guru
Posts: 1583
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 5:09 pm

Ports from 0 to 32767 and 65535 are reserved or not used.
Is this still true today? That only 32767 ports are being used for NAT?

No. That was a nine-year-old post.

You can use any port you like from 1 to 65534 for a NAT.
 
chechito
Forum Guru
Posts: 3160
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 5:14 pm

It is a common misconception to think that you are limited to 65535 connections per "WAN" IP; you are limited to that only for a single destination IP, since you can reuse SRC port "numbers" for different destinations.

In the case of MikroTik, the masquerade rule normally uses SRC port numbers from 32768-65535, but nothing prevents you from using custom SRC-NAT rules to use ports from 1024-32767, for example.

Most of the time the problem when doing NAT for many end users with a single or a few IP addresses is that destination servers can see this like a spamming attack or something like that if some user has bad behavior, affecting all users using the same WAN IP. Most of the time carrier-grade NAT solves this issue by allowing destination servers to individualize each customer by its SRC-PORT number range.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 5:51 pm

Is this still true today? That only 32767 ports are being used for NAT?
This topic gives rise to too many misunderstandings.

For example, if you have 2 devices A and B and the gateway G:
A 192.168.0.11
B 192.168.0.12
G 192.0.2.1
and both try to contact website W "forum.mikrotik.com", they obviously must be NATted, or the private IPs can't reach the site.

When A (or B) tries to connect to W, it does not use its own port 443, but a "random-like" port between 32768 and 65534 (both numbers included); the destination port, obviously, is 443.
G does the NAT on both connections:
A:54859->W:443 to G:54859->W:443
B:45784->W:443 to G:45784->W:443
And when W replies, G correctly identifies whether the reply packet is for A or for B.

If for some reason A & B try to use the same random port (it CAN HAPPEN), G's NAT uses another free port for that one, still in the range 32768 to 65534 (both numbers included):
A:54859->W:443 to G:54859->W:443
B:54859->W:443 to G:62154->W:443
This way, when W replies, it is still possible for G to identify whether the reply packet is for A or for B.

So, by default, if not set otherwise, the ports used by the NAT are 32767 for each protocol where you can specify ports, such as TCP and UDP.
RouterOS (in the tests of the time, but I don't think anything has changed), if it runs out of ports, does not automatically use the other, lower ones.

Instead, as far as the topic of the thread is concerned,
approximately 23,000 connections can be tracked for every 32MB of memory.
As already specified, we mean ALL the connections that are tracked, so even those that are NOT NATted.
SO, the limit of NATted connections depends on memory.

But even if one had 1GB of memory, the NAT limit is not 32767 entries,
but 32767 entries multiplied by each public IP used, multiplied by each protocol used, multiplied by each different website...
For example, if one has 1 IP, the NAT limit is 32767 connections per protocol, for each single combination of REMOTE IP and PORT...
So if you have 32768 users that at the same time try to connect to https://forum.mikrotik.com, only 32767 work;
the 32768th user just cannot connect to https://forum.mikrotik.com, but can connect to any other site in the world.
(To be precise, since more TCP requests are opened to download web fonts, scripts, images, etc., the maximum number at the same time is actually much smaller.)

Many sites use CDNs, so it's actually very rare that all users have the same IP address for youtube.com,
so for the most visited sites this problem is very rare, if not impossible.

In short: the only limit is the device's memory, ~23,000 total connections for every 32MB of memory.

EDIT: Thanks to @chechito: the MAX limit is hardcoded to 1048576, and at least 512MB is needed.
Last edited by rextended on Fri Jun 30, 2023 6:11 pm, edited 4 times in total.
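The following is an added illustration of the port-allocation behaviour described in the post above; it is not code from the post and not RouterOS code. It models only what the post states: the gateway G keeps a client's source port when that port is still free towards the same (protocol, destination IP, destination port), otherwise it takes another free port from 32768-65534, and it never falls back to lower ports. Which "other" port is taken is an assumption of this model (the lowest free one, rather than the random-looking choice in the post), as are the constructed addresses: 203.0.113.10 stands in for W and 203.0.113.20 for "any other site". The `run_scenarios` function replays the A/B example, the port collision, and the 32767-connections-per-destination exhaustion that the post describes.

```python
"""Toy model of the source-NAT port allocation described in the thread (added example)."""
from dataclasses import dataclass, field

NAT_PORT_MIN, NAT_PORT_MAX = 32768, 65534                # default masquerade range from the thread
PORTS_PER_DESTINATION = NAT_PORT_MAX - NAT_PORT_MIN + 1  # 32767


class PortExhausted(Exception):
    """No free public port left towards this destination socket."""


@dataclass
class Gateway:
    public_ip: str
    # private 5-tuple (proto, c_ip, c_port, d_ip, d_port) -> public port
    fwd: dict = field(default_factory=dict)
    # public 4-tuple (proto, pub_port, d_ip, d_port) -> (c_ip, c_port);
    # this is the lookup G performs when W's reply arrives
    rev: dict = field(default_factory=dict)
    used: dict = field(default_factory=dict)    # (proto, d_ip, d_port) -> set of public ports in use
    cursor: dict = field(default_factory=dict)  # (proto, d_ip, d_port) -> next port to try (assumption)

    def _pick_port(self, dkey, preferred):
        used = self.used.setdefault(dkey, set())
        if NAT_PORT_MIN <= preferred <= NAT_PORT_MAX and preferred not in used:
            return preferred                     # keep the client's own source port
        if len(used) >= PORTS_PER_DESTINATION:   # all 32767 ports busy towards this destination
            raise PortExhausted(f"{dkey[0]} ports on {self.public_ip} towards {dkey[1]}:{dkey[2]} exhausted")
        p = self.cursor.get(dkey, NAT_PORT_MIN)
        while p in used:                         # terminates: at least one port is free
            p = p + 1 if p < NAT_PORT_MAX else NAT_PORT_MIN
        self.cursor[dkey] = p + 1 if p < NAT_PORT_MAX else NAT_PORT_MIN
        return p

    def translate(self, proto, c_ip, c_port, d_ip, d_port):
        """Return the public source port for this flow, allocating one if the flow is new."""
        key = (proto, c_ip, c_port, d_ip, d_port)
        if key in self.fwd:
            return self.fwd[key]
        dkey = (proto, d_ip, d_port)
        pub_port = self._pick_port(dkey, c_port)
        self.used[dkey].add(pub_port)
        self.fwd[key] = pub_port
        self.rev[(proto, pub_port, d_ip, d_port)] = (c_ip, c_port)
        return pub_port

    def reply_for(self, proto, pub_port, src_ip, src_port):
        """Map an inbound reply (W -> G:pub_port) back to the client, or None if unknown."""
        return self.rev.get((proto, pub_port, src_ip, src_port))


def run_scenarios():
    """Replay the scenarios from the post and return what each one yields."""
    W = ("203.0.113.10", 443)                    # constructed stand-in for forum.mikrotik.com
    X = ("203.0.113.20", 443)                    # constructed "any other site"
    g = Gateway("192.0.2.1")
    out = {}
    out["A"] = g.translate("tcp", "192.168.0.11", 54859, *W)   # port kept: 54859
    out["B"] = g.translate("tcp", "192.168.0.12", 45784, *W)   # port kept: 45784
    # A third client that happens to pick A's port: G must remap it to a free one.
    out["C"] = g.translate("tcp", "192.168.0.13", 54859, *W)
    out["reply_C"] = g.reply_for("tcp", out["C"], *W)

    # Exhaustion: 32767 clients towards the same destination socket, then one more.
    g2 = Gateway("192.0.2.1")
    for i in range(PORTS_PER_DESTINATION):
        g2.translate("tcp", f"10.{i >> 8}.{i & 255}.5", 54859, *W)
    out["ok_to_W"] = len(g2.used[("tcp",) + W])
    try:
        g2.translate("tcp", "10.200.0.5", 54859, *W)
        out["extra_to_W"] = "allocated"
    except PortExhausted:
        out["extra_to_W"] = "exhausted"
    # The same client still reaches a different site through the same public IP.
    out["extra_to_X"] = g2.translate("tcp", "10.200.0.5", 54859, *X)
    return out


if __name__ == "__main__":
    for name, value in run_scenarios().items():
        print(f"{name}: {value}")
```

The per-destination `used` set is what makes the limit "32767 per protocol, per remote IP and port" rather than "32767 per public IP": the exhausted gateway `g2` still allocates port 54859 towards X. On a real router the equivalent check is the connection table filtered by the NAT pool address, as suggested earlier in the thread.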
 
chechito
Forum Guru
Posts: 3160
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:05 pm

A fact that I forgot to add to the topic:

A few weeks ago in another topic it was confirmed that the connection-tracking max number of connections has a maximum limit of max-entries: 1048576 (approx. 1 million); no matter what device you have, you can't have more than that in RouterOS to date.

In production the max I have seen is approx. 700k on a CCR1036 doing CG-NAT for 12 Gbit/s of traffic, tcp-established-timeout: 16m.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:08 pm

Yes, 1048576 is hardcoded, and I have one high-end CCR for each 512 users, all with Public IPs, so: no NAT...
Last edited by rextended on Fri Jun 30, 2023 6:19 pm, edited 1 time in total.
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:15 pm

IMO - I discovered a couple of years ago that when an ISP has a large number of users (thousand+) and you are using a Mikrotik to NAT tens of thousands of RFC-1918 (10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12) or carrier-grade NAT (100.64.0.0/10) addresses, do not use the normal Mikrotik NAT (aka NAT44); instead use NAT444 (note NAT44 vs NAT444).

I have around 2k clients (~1k wireless & ~1k fiber); my internet feed is a couple of 10-Gig BGP connections. The bulk of my ISP-to-customer WAN IPs are numbered into carrier-grade NAT 100.64.0.0/10 address space. I was using a couple of Mikrotik CHR routers configured to use normal NAT44 so my clients could get to the Internet. We were starting to get some complaints about things not working correctly and some complaints about speed and video streaming issues. Sooo, I did a whole bunch of reading and searching and discovered NAT444. Sooo, I re-worked my NATting Mikrotik CHR routers to use NAT444 (I no longer use normal NAT44).

Wow!!! The increase in speed was fantastic and all complaints came to a complete halt - which made me, my staff and my customers very very happy :) :) :)

In my Mikrotik CHR NAT444 configuration, I use the following:
- 8 live IP addresses per /21 block of 100.64.0.0/10 space (I have many CGN /21 blocks I am performing NAT444 on).
- 256 ports from a live IP per inside /32 IP address (example part of the CHR config below):

/ip firewall nat
# Individual inside /32s that get a live IP of their own (no port block)
add action=src-nat chain=srcnat src-address=100.64.1.34 to-addresses=[Live-IP-x.y.x].182
add action=src-nat chain=srcnat src-address=100.64.1.2 to-addresses=[Live-IP-x.y.x].183
# One chain per inside /24, then one sub-chain per /28, so a packet is matched against a few rules instead of the whole table
add action=jump chain=srcnat jump-target=NrWireless1 src-address=100.64.2.0/24
add action=jump chain=NrWireless1 jump-target=NrWireless1-0 src-address=100.64.2.0/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-1 src-address=100.64.2.16/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-2 src-address=100.64.2.32/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-3 src-address=100.64.2.48/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-4 src-address=100.64.2.64/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-5 src-address=100.64.2.80/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-6 src-address=100.64.2.96/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-7 src-address=100.64.2.112/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-8 src-address=100.64.2.128/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-9 src-address=100.64.2.144/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-10 src-address=100.64.2.160/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-11 src-address=100.64.2.176/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-12 src-address=100.64.2.192/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-13 src-address=100.64.2.208/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-14 src-address=100.64.2.224/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-15 src-address=100.64.2.240/28
# Per inside /32: a fixed tcp port block, the same udp block, and a catch-all for protocols without ports
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.0 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.1 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84 to-ports=1500-1749
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84 to-ports=1500-1749
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.2 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84 to-ports=1750-1999
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84 to-ports=1750-1999
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.3 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84 to-ports=2000-2249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84 to-ports=2000-2249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.4 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84 to-ports=2250-2499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84 to-ports=2250-2499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.5 to-addresses=[Live-IP-x.y.x].84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.6 to-addresses=[Live-IP-x.y.x].84 to-ports=2500-2749
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.6 to-addresses=[Live-IP-x.y.x].84 to-ports=2500-2749
... ... ...


As you can imagine, the config is huge and long - however it works much, much faster than the normal Mikrotik NAT44. Response time is way faster and total bandwidth throughput is much faster and - (very important here...) no more customer complaints (zilch, nada, zero :)

North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:18 pm

I don't use NAT, I just give REAL public IPs to clients, with IPv6 and MTU at 1500, because clients pay me for the service, so I give them The Service...
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:32 pm

I don't use NAT, I only give REAL Public IPs to Customers, because customers pay me for the service, so I give them a service...
My ISP offers two types of accounts:
Residential (NAT444)
Business (Live IP addresses)

My ISP offers multiple account speed options also.

If a customer wants a Live IP address (or live IP port-forwards), there is an additional $10 monthly fee.

Note:
I originally started my ISP using Live IP addresses for all customer WANs.
I often had thousands of port scans (from the Internet) scanning every IP in each of my /24 Live IP networks. Often the port-scan connection attempts were hundreds or thousands of times more than my customer connections, which resulted in a heck of a lot of wasted wireless AP-client bandwidth. NAT44 fixed the port-scanning problems but created delay problems, because the NAT44 (normal NAT) consumed high CPU resources on my CHR, which also made customers start having some problems. Sooo, I went to NAT444 and now everything is fast and clean and has no problems.

Now my wireless and fiber customers all have screaming high bandwidth (providing they order faster accounts).

North Idaho Tom Jones
 
chechito
Forum Guru
Posts: 3160
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:37 pm

I don't use NAT, I just give REAL public IPs to clients, with IPv6 and MTU at 1500, because clients pay me for the service, so I give them The Service...
and a CCR for each 512 customers!!!

too much Bling-bling 8)
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:40 pm

@TomjNorthIdaho
I offer dynamic Public IPs as a normal service, paid at a fixed 10€, + 250€ for changing and "cleaning" IPs if they end up on some blacklist.

As for scans, there are canary IPs and honeypots scattered around, plus blocking in BGP of the ones already known...
Last edited by rextended on Fri Jun 30, 2023 8:16 pm, edited 2 times in total.
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:43 pm

I don't use NAT, I just give REAL public IPs to clients, with IPv6 and MTU at 1500, because clients pay me for the service, so I give them The Service...
and a CCR for each 512 customers!!!

too much Bling-bling 8)
I don't use the one-machine-does-it-all concept...
If just one part of the network fails, it doesn't have much of an impact,
and two machines that manage 512 users certainly cost less than two machines that manage 5000 users...
¯\_( ͡° ͜ʖ ͡°)_/¯
 
chechito
Forum Guru
Posts: 3160
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:45 pm

nice 8)
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 6:55 pm

I don't use NAT, I just give REAL public IPs to clients, with IPv6 and MTU at 1500, because clients pay me for the service, so I give them The Service...
and a CCR for each 512 customers!!!

too much Bling-bling 8)
re: ... and a CCR for each 512 customers!!! ...

Nope

I use two Mikrotik CHR routers to perform my NAT444.
One for my wireless customers.
One for my fiber GPON customers.

Each CHR NAT444 router will easily sustain peak bandwidths up to about 7-Gig and averages 3+ Gig of traffic. (Thus the reason for two 10-Gig BGP feeds - and a reason I am now looking at upgrading to 40 to 100 Gig BGP feeds.)

edit - info: During normal peak full load (3 to 7-Gig), I will sometimes test how fast I can NAT. Under testing, I can sustain NAT444 (to a test fiber customer) at 9+ Gig without having a negative or measurable impact on my existing NAT444 customers going through the same NAT444 CHR router.

North Idaho Tom Jones
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:03 pm

@ chechito,

It is a common misconception to think that you are limited to 65535 connections per "WAN" IP; you are limited to that only for a single destination IP, since you can reuse SRC port "numbers" for different destinations.
Agreed on the *reuse* src port part.

But are you sure about that misconception, the "1 IP has 65535 ports" part?

For those 32000 limited NAT ports - I could say, roughly calculated, 50 requests - 50 replies. Agreed - who can predict those request/reply numbers? 😂
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:15 pm

IMO

I think NAT444 is often much faster, with far less CPU load than normal NAT44, because:

- Normal NAT44 has to sequentially scan the NAT translation table for each inbound & outbound packet to/from a customer. This can be very CPU-time- and memory-consuming when under heavy NAT loads with tens of thousands or hundreds of thousands of NAT customer connections.

- My NAT444 configuration uses jump rules/tables: if the IP & port range is this, then jump here and scan only a few lines to find which IP & port to translate (NAT) to/from.

North Idaho Tom Jones
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:27 pm

@ tom,
My NAT444 configuration uses jump rules/tables: if the IP & port range is this, then jump here and scan only a few lines to find what to NAT to/from.
hmm, interesting 🤔

Which platform did you use to perform this setup? I mean: MT or Linux boxes? Since I read that jump statement.

In your current NAT444 setup, how deep is the NAT multiplication?

I.e. for each 1 IP, how many end devices/IPs can it represent?
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:27 pm

FYI -

If you are a normal NAT44 customer, then there is really no way to be somewhere out on the Internet and connect to a server/router/device at your home. To do so would require a static port-forward or the use of a middle-man server.

If you are a NAT444 customer, then if you know the port range you are assigned and the Live IP address used, you can easily connect to a device on your home network (providing you configure your home firewall to port-forward one of your assigned NAT444 ports to your inside RFC-1918 device (aka a server, camera, TCP or UDP - no problem)).

You can also use UPnP (Universal Plug and Play) with NAT444 (yes - UPnP works with NAT444 if you enable it :) )


North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:41 pm

I'm not questioning what you write, it's just a different way of providing customer service...
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 7:41 pm

@ tom,
My NAT444 configuration uses jump rules/tables: if the IP & port range is this, then jump here and scan only a few lines to find what to NAT to/from.
hmm, interesting 🤔

Which platform did you use to perform this setup? I mean: MT or Linux boxes? Since I read that jump statement.

In your current NAT444 setup, how deep is the NAT multiplication?

I.e. for each 1 IP, how many end devices/IPs can it represent?

Re: ... for each 1 IP, how many end devices/IPs can it represent? ...

For each 8 Live IP addresses, I can NAT444 an entire CGN /21 network.
Using an entire Class C block of Live IP addresses, I can NAT444 32 /21 networks (65 thousand customer WANs).

Re: ... which platform did you use to perform this setup? I mean: MT or Linux ...
After lots of testing, I found a Mikrotik CHR (running on VMware ESXi) worked the best and had the best documentation I could find at the time.
* Huge long long config, almost too long to reliably CLI-paste into the config - but I got it in there using a .rsc file.

Re: ... in your current NAT444 setup, how deep is the NAT multiplication? ...
I have 18 /21 NAT444 blocks configured (enough to never run out of customer WAN IP space no matter how many new customers we add in the next 10+ years).


North Idaho Tom Jones
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 8:01 pm

OOOooo - and one huge, big advantage

All real ISPs with lots of customers will sometimes receive this notice:

Notice of Claimed Infringement - Case ID #######
With the document containing:
<IP_Address>x.y.z.227</IP_Address>
<Port>#####</Port>

With NAT444, it is quick, simple & easy to look up which customer was the offending customer.

Also, if you ever get a judge-signed, court-ordered subpoena for which customer is on which IP address/port, it is still simple and quick to look up.

With normal NAT44, both of the above are impossible to look up - unless you have a huge syslog server logging months of time-stamped NAT44 connections. :(

North Idaho Tom Jones
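Added example, not Tom's configuration and not RouterOS code: a small Python plan that generates rules in the shape of the NAT444 config posted earlier in the thread (one chain per inside /24, one sub-chain per /28, per-/32 tcp and udp src-nat rules with a fixed to-ports block plus a catch-all rule) and, from the same plan, answers the abuse-notice lookup above by mapping the notice's public (IP, port) pair back to the inside address with no connection log at all. Assumptions of this example: the live IP 198.51.100.84 is a constructed stand-in for "[Live-IP-x.y.x].84", one live IP serves exactly one inside /24, and each /32 gets 250 ports, which is the step the posted rules use (1000-1249, 1250-1499, ...); the sample notice text is constructed in the format quoted in the post.

```python
"""Deterministic NAT444 port-block plan: rule generation plus reverse lookup (added example)."""
import ipaddress
import re

PORT_BASE = 1000   # first port of host .0, as in the posted rules
PORT_BLOCK = 250   # ports per inside /32; 256 hosts * 250 + 1000 = 65000, which fits below 65535
NOTICE_RE = re.compile(r"<IP_Address>([\d.]+)</IP_Address>\s*<Port>(\d+)</Port>")


class Nat444Plan:
    def __init__(self):
        self._by_live_ip = {}   # live IP -> (inside /24 network, chain name)

    def add_block(self, inside_24, live_ip, chain):
        net = ipaddress.ip_network(inside_24)
        if net.prefixlen != 24:
            raise ValueError("this scheme maps exactly one inside /24 per live IP")
        self._by_live_ip[ipaddress.ip_address(live_ip)] = (net, chain)

    @staticmethod
    def port_block(host_index):
        """Port range for the host with the given index inside its /24."""
        start = PORT_BASE + host_index * PORT_BLOCK
        return start, start + PORT_BLOCK - 1

    def rules(self, live_ip):
        """RouterOS-style lines in the form the thread shows, suitable for an .rsc file."""
        net, chain = self._by_live_ip[ipaddress.ip_address(live_ip)]
        lines = ["/ip firewall nat",
                 f"add action=jump chain=srcnat jump-target={chain} src-address={net}"]
        for i, sub in enumerate(net.subnets(new_prefix=28)):
            lines.append(f"add action=jump chain={chain} jump-target={chain}-{i} src-address={sub}")
        for idx, host in enumerate(net):          # all 256 addresses, .0 included as in the post
            sub_chain = f"{chain}-{idx // 16}"
            lo, hi = self.port_block(idx)
            for proto in ("tcp", "udp"):
                lines.append(f"add action=src-nat chain={sub_chain} protocol={proto} "
                             f"src-address={host} to-addresses={live_ip} to-ports={lo}-{hi}")
            # catch-all for protocols without ports (ICMP, GRE, ...), like the post's third rule
            lines.append(f"add action=src-nat chain={sub_chain} src-address={host} to-addresses={live_ip}")
        return lines

    def customer_for(self, live_ip, port):
        """Reverse a public (IP, port) pair to the inside /32, or None if it maps to nothing."""
        try:
            entry = self._by_live_ip.get(ipaddress.ip_address(live_ip))
        except ValueError:                        # not a valid address at all
            return None
        if entry is None:
            return None
        net, _ = entry
        if not PORT_BASE <= port < PORT_BASE + PORT_BLOCK * net.num_addresses:
            return None                           # outside every assigned block
        return str(net[(port - PORT_BASE) // PORT_BLOCK])


def customer_from_notice(plan, notice_text):
    """Pull <IP_Address>/<Port> out of a notice in the quoted format and resolve it."""
    m = NOTICE_RE.search(notice_text)
    if not m:
        return None
    return plan.customer_for(m.group(1), int(m.group(2)))


# Constructed sample: one inside /24 behind one live IP, and a notice naming port 2600.
SAMPLE_PLAN = Nat444Plan()
SAMPLE_PLAN.add_block("100.64.2.0/24", "198.51.100.84", "NrWireless1")
SAMPLE_NOTICE = """Notice of Claimed Infringement - Case ID 0000
<IP_Address>198.51.100.84</IP_Address>
<Port>2600</Port>"""

if __name__ == "__main__":
    print("\n".join(SAMPLE_PLAN.rules("198.51.100.84")[:24]))
    print("notice resolves to:", customer_from_notice(SAMPLE_PLAN, SAMPLE_NOTICE))
```

Because the mapping is a pure function of the rule plan, the lookup needs only the plan as it was at the time of the notice; keep dated copies of the plan when blocks are reassigned, and treat a port outside every block (the `None` case) as "not one of ours" rather than guessing.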
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 8:10 pm

With dynamic public IPs it is easier: just put the IP and the date...
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 8:12 pm

However I currently have 75% of my traffic over IPv6... In 2014, when this topic was opened, 0%.....
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 8:23 pm

However I currently have 75% of my traffic over IPv6... In 2014, when this topic was opened, 0%.....
Every ISP should be doing dual-stack (IPv4 and IPv6).

I have two ARIN-assigned /32 IPv6 blocks.
That works out to 2 times 4,294,967,296 (2^32).
I will never run out of IPv6 address space. And sometimes IPv6 is faster than IPv4 :)

North Idaho Tom Jones
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 9:25 pm

@ rextended,
However I currently have 75% of my traffic over IPv6... In 2014, when this topic was opened, 0%.....
I would definitely say that is really a great achievement 👍🏻 It is always about our team. When they are ready, everything looks easy. - But sometimes it was kind of a 1-in-1000 momentum to deliver a new idea.

While my neighboring SP still struggles with non-technically-related management mess 😂

@ tom,

Agreed. The dual stack should be started somewhere - just like @rextended did. But again, sometimes we need to get out of the comfort zone, just to wake the cat up 😂 Stop that "this KPI, that KPI" talk 😂
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Fri Jun 30, 2023 9:47 pm

IPv4-only should have a drop-dead date (as in, all IPv4 through the Internet will be turned off).
Something like in 5 to 10 years max (no exceptions).

IPv6 has been out and running for 20+ years.

Re: IPv4 ; On 3 February 2011, the Internet Assigned Numbers Authority (IANA) issued the remaining five /8 address blocks in the global free pool equally to the five RIRs, and as such ARIN is no longer able to receive additional IPv4 resources from the IANA.

ARIN adopted a policy in 2010 in preparation for the day when it would be unable to fulfill qualified IPv4 requests.

On 24 September 2015, ARIN issued the final IPv4 addresses in its free pool.

Every manufacturer and network manager has had decades of time to dual-stack ( IPv4 and IPv6 ) their networks.

I would be happy to see all IPv4 BGP announcements have a forced termination in 1 year.

If you haven't already prepared for dual-stack ( added IPv6 ) , then you are definitely NOT a good network engineer.

North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 1:51 am

Simply forcibly switching to IPv6 "suddenly" has a huge environmental cost.
You can't even imagine how much garbage it would create and how much it would cost to rebuild all the billions of devices that already exist that only work with IPv4.
ISPs could also forcefully switch to IPv6 and that's it, but then do you have any idea how many devices, even recently made, have only IPv4???

When we die IPv4 will still persist; maybe it will be only 1% of all traffic, and the cost of IPv4 addresses will plummet because by then it will no longer be of any use to have them, apart from rare occasions.
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:04 am

Simply forcibly switching to IPv6 "suddenly" has a huge environmental cost.
You can't even imagine how much garbage it would create and how much it would cost to rebuild all the billions of devices that already exist that only go with IPv4.
ISPs could also forcefully switch to IPv6 and that's it, but then do you have any idea how many devices, even recently made, have only IPv4???

When we die IPv4 will still resist, maybe it will be only 1% of all traffic and the cost of IPv4 addresses will plummet because by now it will no longer be of any use to have them, apart from rare occasions.
Re: switching to IPv6 "suddenly"

What part of "On 24 September 2015, ARIN issued the final IPv4 addresses in its free pool" is suddenly?

Hmmm, if somebody is driving their car/truck in the left lane and they drive past 1 or 2 miles of traffic signs indicating "Left Lane closed ahead" and they continue to stay in the left lane, do they suddenly hit traffic cones without any warnings?
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:12 am

If there is no drop-dead date established , then there will always be those who continue to be IPv4 only.

If you have traffic signs for miles indicating "Left lane closed ahead" but no cones blocking the left lane, there will always be those who stay in the left lane.

IPv4 needs to die with a set future drop-dead date.

North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:16 am

As long as there is someone who keeps moving the construction site further...

When that 75% of IPv6 sites which I mentioned earlier go ONLY by IPv6, maybe there will be a breakthrough...

However, the problem of pollution remains, which I understand you haven't addressed in the slightest...

RIPE: Today, at 15:35 (UTC+1) on 25 November 2019, we made our final /22 IPv4 allocation

Ok, next move: forbid IPv4 resell between AS....
Taking back the IPs of those who have them in a disproportionate way... For example Apple, a full 17.0.0.0/8 (16,777,216 IPv4) plus another 1,212,928...
Ford Motor Company, another 19.0.0.0/8 (16,777,216 IPv4), and all the others...
Last edited by rextended on Sat Jul 01, 2023 2:28 am, edited 1 time in total.
 
chechito
Forum Guru
Posts: 3160
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:27 am

in 10 years knowing how to use ipv4 will be like a hacking technique :lol:


look that old man!! he has the home network running with ipv4 :shock:
 
TomjNorthIdaho
Forum Guru
Posts: 1550
Joined: Mon Oct 04, 2010 11:25 pm
Location: North Idaho

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:31 am

I think of ISPs that have no plans to add IPv6 networks to their customers somewhat like those who use a 1998 Windows-95 computer.

They will only upgrade when their stuff quits working.

Same with IPv6 , there will always be ISPs & customers & web sites who will remain IPv4-only and will not upgrade until their stuff stops working.

*** any ways - sorry for posting IPv4 & IPv6 stuff in this "Maximum number of NAT users / sessions" thread.

North Idaho Tom Jones
 
rextended
Forum Guru
Posts: 12603
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 2:35 am

I don't think it's a problem; by now my summary post, I think, says it all, unless it contains any error...
 
Amm0
Forum Guru
Posts: 4415
Joined: Sun May 01, 2016 7:12 pm
Location: California

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 3:08 am

Hmmm , if somebody is driving their car/truck in the left lane and they drive past 1 or 2 miles of traffic signs indicating " Left Lane closed ahead " and they continue to stay in the left lane - do they suddenly hit traffic cones without any warnings ?
Your analogy may be lost... In Italy, if a 3rd car can squeeze in between two other ones, they do.

Now as to expropriating Apple's 17.0.0.0/8, good luck with that. Plus, AFAIK they don't use NAT anywhere, only firewalls; everything there gets a public IP. And with IPv6 everyone can too now ;)
 
wiseroute
Member
Posts: 425
Joined: Sun Feb 05, 2023 11:06 am

Re: Maximum number of NAT users / sessions

Sat Jul 01, 2023 4:08 am

any ways - sorry for posting IPv4 & IPv6 stuff in this "Maximum number of NAT users / sessions" thread.
@tom,

let us put those last IPv6 posts as a way to promote IPv6 usage and adoption 😉

this one,
think of ISPs that have no plans to add IPv6 networks to their customers somewhat like those who use a 1998 Windows-95 computer.
in today's perspective, it wasn't the ISPs' fault to adopt IPv6 at a very late timing (compared to those classic *immature IPv6* excuses), because many if not most customer sites ran tons of 100-year-old business apps with hardcoded IPv4, which are 24x7x365 money makers.

who can afford to disrupt that? 😂

all the networkers have to do now is to socialize that IPv4 deadline to every software developer, to start doing something with their hardcoded-IPv4 apps and replace them (IPv4) with DNS pointers.

otherwise, CGNAT has limits too, such as those forum members' threads where they needed cloud-based VPN servers to remotely manage their CGNATed networks.

@ chechito
in 10 years knowing how to use ipv4 will be like a hacking technique :lol:
could be 😂

@ amm0

Your analogy may be lost... In Italy, if 3rd car can squeeze in-between two other ones, they do.
beautiful life amm0,
can you smell the grass in the morning?

we should take some break from that noisy Datacenter - get a cup of espresso, go somewhere green 🍏 fishing 👍🏻
 
plinio
just joined
Posts: 1
Joined: Sat Nov 11, 2023 12:47 pm
Location: Italy

Re: Maximum number of NAT users / sessions

Sat Nov 11, 2023 2:39 pm

is this still true today? about the only ports being used for NAT are 32767?
This topic gives rise to too many misunderstandings.

...

But even if one had 1GB of memory, the NAT limit is not 32767 entries,
but 32767 entries multiplied by each public IP used, multiplied by each protocol used, multiplied by each different website...
For example, if one has 1 IP, the NAT limit is 32767 connections per protocol, for each single combination of REMOTE IP and PORT...
So if you have 32768 users that at the same time try to connect to https://forum.mikrotik.com, only 32767 work;
the 32768th user just cannot connect to https://forum.mikrotik.com, but can connect to any other site in the world.
(to be precise, since more TCP requests are opened to download web fonts, scripts, images, etc., the maximum number, at the same time, is actually much smaller)

...

EDIT: Thanks to @chechito: The MAX limit is hardcoded to 1048576, and at least 512MB is needed
Hi, new user here. I had the same misconception and landed here googling for something like "CGNAT Maximum Number of Connections". The question that I have is: while technically feasible to track by the pair destination_ip+source_port, is this the common approach in CGNAT devices? Or is it a specific Mikrotik/RouterOS implementation?

The same google search landed me on this paper, where Table 6 states that different port allocation strategies exist in their test sample. One of its conclusions seems linked to the mentioned misconception. Here is a quote from that paper:
We find 6 ASes in which subscribers only receive a port chunk smaller than 1K; for 3 of them, the chunk size falls to 512 ports—a scarily small number given that loading a single Web page can result in many dozens of TCP connections to fetch its various objects [11], resulting in a sizeable overall number of concurrent connections in residential networks [4].
....
On the limiting end of the spectrum, we find ISPs allocating as little as 512 ephemeral ports per subscriber (§ 6.2), multiplexing up to 128 subscribers per public IP address.
You may wonder why I'm asking this, so: in a staging area where I'm working we have an FTTH 1 Gbps symmetric connection with CGNAT, where during peak hours we get around 40-50 devices connected and a very sluggish connection. As we were originally using the router supplied by the ISP (a home router, basically), I offered myself to replace it with an x86-based one and a couple of access points (I'm not a network professional).
We didn't get a performance benefit, but at least we have some diagnostics and can see that during peak hours the overall throughput used is quite low (the maximum average is some tens of Mbps) and there are times in which someone is no longer able to connect to anything, while existing connections are not affected.

I've confirmed this myself using my home VPN, where all traffic gets encapsulated into a fixed number of connections. While on the VPN I have excellent performance even during peak hours.

So, my guess is that somehow we run out of connections (not at our router, where we have plenty of RAM and use a small percentage of the available ones) but at CGNAT level. Probably because whoever subscribed used a plan for home/very-small-office. But what I found in this topic has broken the confidence in my understanding.

As side note, the question has been raised to the ISP of course. But this post is for my personal understanding.

Thanks.
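The two port-allocation strategies the post above is trying to tell apart, modelled side by side as an added example (this is illustration code written for this thread, not RouterOS or any vendor's implementation). `DestAwareNat` reuses a public port as long as the translated 5-tuple stays unique, which is the per-destination limit described in the quoted summary; `PortBlockCgnat` gives each subscriber a fixed chunk of ports that is unique on the public IP whatever the destination, which is the scheme the quoted paper measured. The 512-port chunk is the paper's figure; the 32768-65535 source-port range, the addresses and the flow counts are assumptions chosen for the model. The second scenario reproduces the symptom reported above: new flows to any destination are refused once the chunk is used up, while the already-established VPN tunnel keeps translating.

```python
# Added illustration for this thread, not RouterOS or any vendor's code.
# Port range, addresses and flow counts are assumptions; the 512-port chunk is the paper's figure.
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# A flow as connection tracking sees it: (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]
PubEndpoint = Tuple[str, int]           # (public_ip, public_port)

PORT_LO, PORT_HI = 32768, 65535         # assumed NAT source-port range: 32768 ports


@dataclass
class DestAwareNat:
    """Conntrack-style NAT on one public IP: a public port may be reused as long as
    (proto, pub_ip, pub_port, dst_ip, dst_port) stays unique, so the pool runs out
    *per destination*, as the summary quoted above describes."""
    pub_ip: str
    table: Dict[Flow, PubEndpoint] = field(default_factory=dict)
    # per (proto, dst_ip, dst_port): [next never-used port, released ports]
    pools: Dict[Tuple[str, str, int], List] = field(default_factory=dict)

    def translate(self, flow: Flow) -> Optional[PubEndpoint]:
        if flow in self.table:              # established flow: keeps working
            return self.table[flow]
        proto, _, _, dst_ip, dst_port = flow
        pool = self.pools.setdefault((proto, dst_ip, dst_port), [PORT_LO, []])
        if pool[1]:
            port = pool[1].pop()
        elif pool[0] <= PORT_HI:
            port, pool[0] = pool[0], pool[0] + 1
        else:
            return None                     # no port left towards *this* destination
        self.table[flow] = (self.pub_ip, port)
        return self.table[flow]


@dataclass
class PortBlockCgnat:
    """Port-block CGNAT on one public IP: every subscriber owns a fixed chunk of ports
    and a port is unique on that IP whatever the destination, so an exhausted chunk
    refuses *all* new flows while established ones continue."""
    pub_ip: str
    chunk: int = 512
    blocks: Dict[str, int] = field(default_factory=dict)      # subscriber -> first port
    free: Dict[str, List[int]] = field(default_factory=dict)  # subscriber -> free ports
    table: Dict[Flow, PubEndpoint] = field(default_factory=dict)

    @property
    def capacity(self) -> int:
        """Subscribers one public IP can carry (128 if the whole 0-65535 range were used)."""
        return (PORT_HI - PORT_LO + 1) // self.chunk

    def translate(self, flow: Flow) -> Optional[PubEndpoint]:
        if flow in self.table:
            return self.table[flow]
        subscriber = flow[1]
        if subscriber not in self.blocks:
            if len(self.blocks) >= self.capacity:
                return None                 # public IP full: the ISP needs another one
            base = PORT_LO + len(self.blocks) * self.chunk
            self.blocks[subscriber] = base
            self.free[subscriber] = list(range(base + self.chunk - 1, base - 1, -1))
        if not self.free[subscriber]:
            return None                     # chunk exhausted: no new flow to anything
        self.table[flow] = (self.pub_ip, self.free[subscriber].pop())
        return self.table[flow]


def _src(i: int) -> str:                    # i-th private client behind the NAT
    return f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"


def many_users_one_site(n_users: int) -> Tuple[int, int, bool]:
    """n_users behind one public IP each open one flow to the same HTTPS site.
    Returns (flows ok, flows refused, whether a refused user still reaches another site)."""
    nat = DestAwareNat("198.51.100.1")
    ok = sum(nat.translate(("tcp", _src(i), 50000, "203.0.113.10", 443)) is not None
             for i in range(n_users))
    other = nat.translate(("tcp", _src(n_users - 1), 50000, "203.0.113.20", 443))
    return ok, n_users - ok, other is not None


def one_subscriber_many_devices(n_flows: int) -> Tuple[int, int, bool]:
    """One CGNAT subscriber (512-port chunk) whose devices open n_flows flows, each to a
    different destination, after a VPN tunnel is already up.
    Returns (flows ok, flows refused, whether the established tunnel still translates)."""
    cg = PortBlockCgnat("198.51.100.1", chunk=512)
    tunnel: Flow = ("udp", "100.64.0.7", 51820, "192.0.2.9", 51820)  # opened first
    tunnel_map = cg.translate(tunnel)
    ok = sum(cg.translate(("tcp", "100.64.0.7", 40000 + i, f"203.0.113.{i % 250}", 1000 + i))
             is not None for i in range(n_flows))
    return ok, n_flows - ok, cg.translate(tunnel) == tunnel_map


if __name__ == "__main__":
    print("dest-aware NAT, 40000 users -> one site:", many_users_one_site(40000))
    print("port-block CGNAT, 600 flows in a 512-port chunk:", one_subscriber_many_devices(600))
```

With the assumed 32768-port range, the first scenario admits 32768 flows to the one site and refuses the rest, yet the refused user still reaches a different site; the second refuses the 512th-plus new flow whatever its destination, which is why everything inside one already-open VPN tunnel keeps working. The check a practitioner wants from the ISP is therefore not the router's connection-tracking limit but the port chunk (and the per-destination or per-IP uniqueness rule) the CGNAT applies to the subscription.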