Budget: 27000 UAH Deadline: 30 days
Hello, Ruslan! A magnificent and technically sound project brief. You are absolutely right: moving CGNAT from the router to a dedicated Linux server with Mellanox is the only correct way for stable operation at 25-40 Gbps.
I am a DevOps/Network engineer. An additional plus is that I am located in the Tulchyn district (Vinnytsia region), so we are in the same area. If necessary, I can come to Vinnytsia for physical work with the equipment or a personal meeting.
Here’s how I see the implementation of your architecture:
MikroTik CCR2216: I will configure BGP for 4 uplinks (proper traffic engineering through local-pref/prepend for balancing). We will set up Policy Routing so that the traffic of white IPs goes directly past the NAT server.
Linux CGNAT Server: Ubuntu/Debian. Here, the main thing is not just to write nftables rules, but to perform strict kernel tuning (Kernel tuning, Receive Packet Steering, IRQ affinity for Mellanox) so that the server does not "choke" on 2+ million sessions and does not cause packet loss.
Logging: I will configure the export of NAT session logs (NetFlow/IPFIX) so that you do not have problems with legislation.
I am ready to take the project turnkey: from hardware selection to client migration. The estimated budget for the full cycle is from $2000 (we will discuss in more detail after auditing the current pfSense configuration).
Shall we call to discuss the details?