Network core modernization
Network modernization covering consultation, hardware selection, migration of the current settings, and configuration of the equipment once delivered.
Provider network modernization up to 25 Gbps
1. General Information
Project goal: Modernization of the existing provider network to ensure stable operation at speeds of up to 25-40 Gbps with support for ~3000 subscribers, CGNAT, and multiple uplinks.
Current issue: pfSense, used today as the main NAT/edge device, does not deliver the required performance or scalability.
2. System Requirements
2.1 Load Requirements
Total bandwidth: up to 25-40 Gbps
Number of subscribers: up to 3000
Number of uplinks: 4 (BGP)
Support:
CGNAT
public IPs (without NAT)
2.2 Functional Requirements
The system must provide:
BGP routing (4 uplinks)
Policy-based routing (separation of NAT / non-NAT traffic)
CGNAT (PAT)
Stateful firewall
NAT session logging
High availability (in the future)
3. Solution Architecture
3.1 General Scheme
[ Upstream ISP x4 ]
        ↓
[ CCR2216 (BGP Router) ]
        ↓
[ NAT Server (Linux) ]
        ↓
[ Access Network / Clients ]
3.2 Function Separation
CCR2216:
BGP (4 uplinks)
routing
policy routing
handling public IPs
NAT server:
CGNAT (100.64.0.0/10)
firewall
logging
4. Equipment
4.1 Main Router
Model: MikroTik CCR2216-1G-12XS-2XQ
Functions:
BGP routing
ECMP
policy routing
4.2 NAT Server
Minimum requirements:
CPU: AMD Ryzen 9 / EPYC (high frequency)
RAM: 64 GB
NIC: Mellanox ConnectX-4/5 (25G)
Storage: NVMe SSD
Software:
Linux (Ubuntu/Debian)
nftables
5. Network Addressing
CGNAT pool: 100.64.0.0/10
Transit network CCR ↔ NAT: /30
Public IP pool: allocated range
6. Routing
6.1 BGP
Configuration of 4 uplinks
Priorities (local-pref)
Failover
6.2 Policy Routing
Traffic from CGNAT addresses → NAT server
Traffic from public IPs → forwarded directly (bypassing the NAT server)
7. NAT Requirements
Type: PAT (masquerading)
Support: ≥ 3000 clients
Limits:
≥ 2 million sessions
Public IP pool: ≥ 50–100 IPs
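Added example, not part of the brief or of any bidder's proposal: an nftables ruleset showing how the NAT server role from sections 3.2, 5 and 7 can be expressed (CGNAT pool, PAT onto a public pool, stateful filtering, hook for session logging). The interface names ens1f0/ens1f1 and the public prefix 203.0.113.0/26 are assumptions standing in for the provider's real values.

```nft
#!/usr/sbin/nft -f
# Constructed example ruleset for the Linux NAT server (not the project's own config).
# Assumptions: ens1f0 faces the CCR2216 over the /30 transit link (subscriber side),
# ens1f1 faces the upstream path; 203.0.113.0/26 stands in for the allocated
# public pool (64 addresses, within the 50-100 IP requirement of section 7).
# Conntrack capacity is set outside nftables: net.netfilter.nf_conntrack_max and
# the conntrack hash size must be raised to hold the required >= 2 million sessions.

define CLIENT_IF = "ens1f0"
define UPLINK_IF = "ens1f1"
define CGNAT_POOL = 100.64.0.0/10

flush ruleset

table ip cgnat {
    # Software fast path: established TCP/UDP flows skip the full forward-chain
    # walk after the first packets, which matters at 25 Gbps.
    flowtable ft {
        hook ingress priority 0
        devices = { ens1f0, ens1f1 }
    }

    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state invalid drop
        # Anti-spoofing: only CGNAT sources may enter from the subscriber side;
        # public-IP traffic is policy-routed around this server by the CCR2216.
        iifname $CLIENT_IF ip saddr != $CGNAT_POOL counter drop

        ct state established,related ip protocol { tcp, udp } flow add @ft
        ct state established,related accept

        # New outbound sessions: hand a copy to the session logger (nflog group 1)
        # and allow them. This hook sees the pre-NAT tuple; the public address and
        # port assigned to each session are collected from conntrack events
        # (e.g. ulogd2 with the NFCT input), which is what section 8 needs.
        iifname $CLIENT_IF oifname $UPLINK_IF ip saddr $CGNAT_POOL ct state new log group 1 prefix "cgnat-new " counter accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # PAT onto the shared pool. "persistent" keeps each subscriber on the same
        # public address across sessions, so log records stay attributable;
        # "fully-random" port selection avoids predictable port allocation.
        oifname $UPLINK_IF ip saddr $CGNAT_POOL snat to 203.0.113.1-203.0.113.62 persistent,fully-random counter
    }
}
```

Load with `nft -f <file>`; `flush ruleset` at the top replaces any existing rules, which is intended on a box dedicated to CGNAT.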
8. Logging
9. High Availability (recommended)
10. Limitations
Do not use pfSense as the main NAT
Do not use MikroTik for CGNAT at 25G
11. Implementation Stages
Installation of CCR2216
Configuration of BGP
Deployment of NAT server
Configuration of nftables
Client migration
Load testing
12. Acceptance Criteria
stable operation at 25 Gbps
no packet loss
correct operation of NAT
stable BGP
13. Conclusion
As a result of modernization, the network should:
withstand the current load
have room for growth
be scalable and fault-tolerant
-
Hello, Ruslan! A magnificent and technically sound project brief. You are absolutely right: moving CGNAT from the router to a dedicated Linux server with Mellanox is the only correct way for stable operation at 25-40 Gbps.
I am a DevOps/Network engineer. An additional plus is that I am located in the Tulchyn district (Vinnytsia region), so we are in the same area. If necessary, I can come to Vinnytsia for physical work with the equipment or a personal meeting.
Here’s how I see the implementation of your architecture:
MikroTik CCR2216: I will configure BGP for 4 uplinks (proper traffic engineering through local-pref/prepend for balancing). We will set up Policy Routing so that the traffic of public IPs goes directly, bypassing the NAT server.
Linux CGNAT Server: Ubuntu/Debian. Here, the main thing is not just to write nftables rules, but to perform strict kernel tuning (Receive Packet Steering, IRQ affinity for the Mellanox NIC) so that the server does not "choke" on 2+ million sessions and does not cause packet loss.
…
Logging: I will configure the export of NAT session logs (NetFlow/IPFIX) so that you do not have problems with legislation.
I am ready to take the project turnkey: from hardware selection to client migration. The estimated budget for the full cycle is from $2000 (we will discuss in more detail after auditing the current pfSense configuration).
Shall we call to discuss the details?
-
Good day. I will develop a package of technical documentation for you; essentially this will be a ready-to-implement project for the provider's network. I will select a set of equipment and prepare a budget.
-
Hello.
I can complete the task. I have extensive experience in this area. Deadlines and costs will be discussed after the details are clarified.
Write to me, I will do everything quickly and efficiently.
-
Hello!
I have extensive experience in designing, implementing, scaling, and supporting provider networks. Experience in building both b2b (provider for providers, 20+ BGP sessions, own IX, own cable infrastructure) and b2c (provider for home and business) infrastructures, own data centers. I work with MikroTik, Cisco, Juniper, Aruba, ExtremeNetworks, A10, HPE, Huawei, BDCOM, Linux, FreeBSD.
I am ready to process and execute your technical specifications; there are aspects that may hinder achieving the result.
The rate is the average cost of completing tasks in this profile. The final scope of work that you will be comfortable delegating and the budget will be agreed upon separately.
-
Good day, I have created provider cores, including on CCRs. I have a lot of questions regarding your technical specifications. If you are interested, we can discuss.