What is a "connection"?

On the homepage of LuCI, I can see the number of "Active Connections".

My questions are:

  1. What is a connection? Does it mean TCP connections? If it does, then if a game uses a random UDP port to connect to its server, does it count as a connection?
  2. When is a connection considered "active"?
  3. Why is it limited to 16384 (aka 2¹⁴)? Can I increase that limit?
  4. If the connection count is high, which hardware component shall become the bottleneck, CPU or RAM or what?

  • Tracked NAT connections (or any kernel-tracked connection for that matter)
  • Yes
  • Yes, UDP has to be tracked for this purpose too

Within the time limit.

There's been a forum discussion regarding this - the best answer I can give is: "In OpenWrt it's arbitrary so that the default number isn't made too large for devices that can't handle it."

Depends, likely RAM, see the forum post.

# /etc/sysctl.conf

# upper bound on entries in the kernel connection-tracking table
net.netfilter.nf_conntrack_max=16384
# keepalive interval (seconds) for the router's own TCP sockets
net.ipv4.tcp_keepalive_time=120
# seconds an unreplied UDP entry stays in the tracking table
net.netfilter.nf_conntrack_udp_timeout=60
4 Likes

I have another question which is not about OpenWrt, but related to this topic.

I've seen TP-Link and Cisco claim a maximum number of "concurrent sessions" for their routers. Is it the same thing? For example, here are the specifications of the TP-Link TL-R480T+, which claims to be capable of 30,000 sessions.

And how much RAM per NAT table record does OpenWrt consume? On Cisco IOS, it consumes only 312 bytes per record:

Q. How many concurrent NAT sessions are supported in Cisco IOS NAT?

A. The NAT session limit is bounded by the amount of available DRAM in the router. Each NAT translation consumes about 312 bytes in DRAM. As a result, 10,000 translations (more than would generally be handled on a single router) consume about 3 MB. Therefore, typical routing hardware has more than enough memory to support thousands of NAT translations.

If OpenWrt does the same, then a device with 64MiB of RAM should be able to handle a large enterprise network with ease (100,000 NATed connections).

hold your horses cowboy, entries in a state table != 'handle'... sure you can fill it up... but what is servicing it?

1 Like

Ummmmm...in addition to what @anon50098793 noted, there's only 65,535 ports per TCP and UDP per IP (most of which are not used to establish NAT connections). You'll also have to perform more advanced NATing with at least 2 Public IPs to accomplish this without running out of number resources (i.e. usable ports in NAT).

Also, recall I stated:

Masquerade (NAT) also takes a little overhead in addition to the tracking.

Isn't the linux kernel smarter than that? It's the local public IPv4 address+port and remote public IPv4 address+port combination that has to be unique, which means you should be able to reuse ports (on a single public IPv4 address) if they are connected to different remote IPv4 addresses or ports.

1 Like
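As an added example (not from the thread), here is a small Python parser over constructed /proc/net/nf_conntrack lines, the kernel table behind the "Active Connections" counter. It shows what one tracked entry is (TCP and UDP alike), the remaining-timeout column that decides when an entry drops out of the "active" count, the share of nf_conntrack_max in use, and, for the port-reuse point above, that a public port only has to be unique per remote endpoint. The line layout is the one exported by the nf_conntrack module; all addresses and ports are made up.

```python
from collections import Counter
# Constructed sample of /proc/net/nf_conntrack lines (the kernel table behind
# LuCI's "Active Connections"); addresses and ports are made up for the example.
SAMPLE_TABLE = """\
ipv4 2 tcp 6 431999 ESTABLISHED src=192.168.1.10 dst=93.184.216.34 sport=51234 dport=443 src=93.184.216.34 dst=203.0.113.5 sport=443 dport=51234 [ASSURED] mark=0 use=2
ipv4 2 tcp 6 115 TIME_WAIT src=192.168.1.10 dst=93.184.216.34 sport=51235 dport=80 src=93.184.216.34 dst=203.0.113.5 sport=80 dport=51235 [ASSURED] mark=0 use=1
ipv4 2 udp 17 29 src=192.168.1.11 dst=1.1.1.1 sport=40000 dport=53 src=1.1.1.1 dst=203.0.113.5 sport=53 dport=40000 mark=0 use=2
ipv4 2 udp 17 58 src=192.168.1.12 dst=198.51.100.7 sport=27015 dport=27015 src=198.51.100.7 dst=203.0.113.5 sport=27015 dport=27015 [ASSURED] mark=0 use=2
ipv4 2 udp 17 3 src=192.168.1.13 dst=198.51.100.8 sport=27015 dport=27015 src=198.51.100.8 dst=203.0.113.5 sport=27015 dport=27015 mark=0 use=1
"""

def parse_conntrack(text):
    """Parse nf_conntrack lines: l4 proto, seconds until expiry, TCP state, both tuples."""
    entries = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 5:
            continue
        entry = {"proto": tok[2], "timeout": int(tok[4]), "state": None,
                 "orig": {}, "reply": {}}
        rest = tok[5:]
        if rest and "=" not in rest[0] and not rest[0].startswith("["):
            entry["state"] = rest.pop(0)  # only TCP entries carry a state word
        direction = "orig"
        for kv in rest:
            if "=" not in kv:
                continue  # flags such as [ASSURED]
            key, val = kv.split("=", 1)
            if key in ("src", "dst", "sport", "dport"):
                if key in entry[direction]:  # a second src= starts the reply tuple
                    direction = "reply"
                entry[direction][key] = val
        entries.append(entry)
    return entries

def summarize(entries, conntrack_max=16384, expiring_within=60):
    """Per-protocol counts, entries about to expire, and share of nf_conntrack_max used."""
    return {"total": len(entries),
            "by_proto": dict(Counter(e["proto"] for e in entries)),
            "expiring_soon": sum(1 for e in entries if e["timeout"] <= expiring_within),
            "used_fraction": len(entries) / conntrack_max}

def public_endpoints(entries):
    """Distinct (public IP, public port) pairs the NAT consumed: the reply tuple's dst/dport."""
    return {(e["reply"]["dst"], e["reply"]["dport"]) for e in entries if e["reply"]}

if __name__ == "__main__":
    table = parse_conntrack(SAMPLE_TABLE)
    print(summarize(table), len(public_endpoints(table)), "public ports in use")
```

Five tracked flows here occupy only four public ports, because the two game flows reuse 27015 toward different remote hosts.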

True...

I use the assumption of an Enterprise Network use case, where e.g. all users may have to watch the same stream, same collaboration system, etc.

cisco, coming from a predominantly hardware angle will quote the 'maximum number feasible given hardware / os constraints'... they won't add a disclaimer or 'typical load' figure... run a few ipsec tunnels + nat XYZ'000 sessions in your state table and there are performance implications ... that said... their traditional enterprise hardware is geared to dominate at this level.

from an 'embedded + software' based session table point of view... the upper limit is more of a 'if we get to this number we are in trouble'...

if you run many (many) lightweight connections ( usually seen on reverse proxy or load balancing ) and/or alter your session timeouts then, yes... you might need to 'up' the max value... which comes with added ddos exposure.

i'd be surprised if more than 1-2% of OpenWrt devices ever encroached on the default value under normal operation... and the ones that did were probably being ddos'd...

1 Like

I had an upper level manager...I quoted the hardware specs and the possible total routing plane...

He said:

"Why do you believe they even include enough resources to run all ports at plane speed???"

@anon50098793, very true. :wink:

Back in the day...having a few home users running peer-to-peer software...I could hit that. I actually realized an older kernel would crash because it didn't handle it well (didn't get fully resolved til OpenWrt 18).

1 Like

With proper firewalling (and no open services or ports), it would be difficult to DDoS your specific use case (i.e. making the router run out of resources by remotely creating established connection states via the unsolicited traffic on WAN).

If you simply mean the admin could mess up the timers - leaving connections open unnecessarily long (hence DoSing themselves), etc...that's possible too.

:bulb: EDIT: I think this is important to note given the context of @Livy's original post and inquiry: If you do not NAT/firewall and have a use case where one simply routes traffic (e.g. enterprise or in infrastructure), you do not have to maintain connection states and it could be turned off, saving resources.

1 Like
