GoldMoon
join:2004-01-30
|  [HELP] Minimal NAT TCP/UDP timeouts?
I see configs posted here with long timeouts (e.g. 3600), but my NAT timeouts are set much lower. Maybe I've missed something???
My router's NAT timeouts are 15 minutes for TCP, and 10 minutes for UDP. I think I can drop my TCP timeout to 10 minutes and UDP to 5 minutes without affecting any users inside or outside my network???
My router sucks (not Cisco) .. only 512 NAT table entries available. I'm posting here, because you guys are the "pro" class and probably know if I've overlooked something important.
1 Server behind NAT
=====================
POP3s/IMAPs
http/https
ssh
smtp
named
Several PC's behind NAT
==========================
wide variety of activities, but no externally accessible services |
|
dpocoroba
Premium
join:2000-11-14
224.0.0.5
| I know the default tcp timeout for cisco routers is 24 hours and UDP is around 5 mins. Not really sure if you would even notice any difference just by lowering it by a few mins. I would say it would put more work on the CPU. However I could be way off with this one just my 2 cents. HTH 
DP
--
"Knowledge is contagious, infect" |
|
GoldMoon
join:2004-01-30
| Most of the configs I saw posted in this forum had TCP timeouts for various protocols set to 3600 seconds or less.
As an example, there can be a rather large number of unique connections per minute caused by a single application running P2P software. Setting TCP timeouts from 30 minutes to 15 minutes greatly helped reduce the number of simultaneous NAT sessions (cut use of the NAT table by over 1/3).
However, I can't find any "expert" advice/knowledge posted regarding how low the timeouts can be set without undesireable side-effects for the protocols I listed above.
Frankly, I can't see any reason for anyone to set TCP timeouts even as high as 1 hour. Since its common practice to set the timeouts to at least 1 hour, and some system 1 day, maybe I'm missing some piece of information for why the timeouts are set so high? |
|
Covenant
Premium,MVM
join:2003-07-01
England
| Moving the default NAT timers has benefits, such as the utilisation of a small timer, will clean the table and flush translations that are not active. It will free memory within the router for other purposes. I know that sounds great, but if for some reason one of your applications needs a large timeout to finish the session, the router if configured with a small timer will flush them and new sessions would need to be established. The cpu utilization will be lower in general, but there will be an increase in cpu processing (occurs in peaks) when the table gets flushed and new sessions are established. After that, it will resort again back to its low level, hence my use of the word peaks.
Hope that helps.
--
If only my employers can see how much effort I put into this forum. They would then understand why I sleep at my desk.  |
|
GoldMoon
join:2004-01-30
| reply to GoldMoon
Yes it does help. I've been using 15 minutes for TCP and 5 minutes for UDP. Given the server processes and client programs on my network, I'm now convinced that the default settings so common to Linux, BSD, and various routers are off by orders of magnitude from my ideal settings.
It has just taken me a while to convince myself that my settings are actually right, given that nearly everything else I see is 10 to 100 times greater than my settings.
Interestingly enough though, it seems the ever popular $100 Linksys router (at least the version 2 BEFSR41 series) can not be altered from a setting of 2 hours. However, it seems to have its own "auto" expire algorithm in the event the NAT/session table fills up. With multiplayer games, this "auto" expire works great, allowing hundreds of servers to be polled for status within a minute, instead of filling up the table and then rejecting further connections. |
|
