NAT limitation?
At one location, where we have some 100 subscribers under NAT, we recently made some tests and noticed significant performance differences between a NAT'ed and a public-IP box. Load under NAT was some 2-3 Mbps, 600 pps. The public-IP box could get 2 Mbps more than under NAT and had ~20 ms better latency.
What are your experiences regarding that, i.e., what is the practical limitation of NAT (number of users/connections/traffic) and what do you suggest, when to switch to public IPs (or another solution)?
How much is this dependent on architecture (x86, MIPS)?
lonnie
03-01-2007, 08:40 AM
NAT requires a fair amount of horsepower. At first glance it seems like a simple task: simply change the packet to appear as if it came from the NAT system and ship it off. That, unfortunately, is the easy part; under the covers the system must keep track of the changes so that it can reverse them when the reply comes back.
So, when you examine and modify nearly every packet and have hundreds of subscribers, then the task of keeping track becomes HUGE and requires a powerful machine with LOTS of ram.
Can you quantify that a bit? How much RAM would you recommend for 400 customers? Not all are NAT'ed, maybe 200 are right now. It also has my fw rules on it.
I'm running an AMD Athlon 64 3800+ with 256 meg of RAM. It has ver 1.1.10 on it and the CPU never changes from 0.0.
As long as you are using a Celeron class PC, with at least 128MB of RAM, you should be able to handle several hundred NAT clients.
Because there is overhead with NAT, the overall throughput with a NAT IP may be lower than that of a public one (though not by much).
redstaab
03-01-2007, 02:38 PM
FWIW, don't forget about the connection tracking as well. I have around 150 NATs and completely overlooked the connection tracking settings. After my NAT server ran for a couple of days, all the interfaces on it would start dropping packets. Make sure you adjust this to the amount of RAM you may need to track those connections.
Yes, that is correct. Ensure you configure it to match the traffic patterns of your network. If it's set too low, you will start dropping packets.
It's always safe to leave at a higher value than you expect to use, if you have the memory.
Note: The memory is not actually committed until you reach the amount of connections specified.
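As an added example (not from anyone in this thread), the following script checks the symptom described above on a Linux NAT box: it reads the kernel's per-CPU conntrack counters, sums the failure counters that climb when the table is full, and estimates the worst-case memory the configured maximum could commit. The stat text and the 65536 maximum are constructed sample data standing in for /proc/net/stat/nf_conntrack and net.netfilter.nf_conntrack_max; the per-entry memory figure is an assumed rough value, since the real size depends on the kernel build.

```python
"""Assess conntrack table pressure on a Linux NAT box from kernel counters."""

# Constructed sample standing in for /proc/net/stat/nf_conntrack: a header
# naming the counters, then one line of hex values per CPU. Column names are
# taken from the header because the counter set differs between kernels.
SAMPLE_STAT = """\
entries  searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error  expect_new expect_create expect_delete search_restart
0000f9c0 00000000 0001a2b3 00000000 00000012 00000000 00000000 00000000 00000000 0000001f 0000002a 00000000 00000003 00000000 00000000 00000000 00000000
0000f9c0 00000000 0000c4d5 00000000 00000007 00000000 00000000 00000000 00000000 00000009 00000011 00000000 00000001 00000000 00000000 00000000 00000000
"""
SAMPLE_MAX = 65536  # constructed value for net.netfilter.nf_conntrack_max

# Assumed rough per-entry cost (struct nf_conn plus hash bucket); check your kernel.
ASSUMED_BYTES_PER_ENTRY = 320


def parse_conntrack_stat(text):
    """Sum the per-CPU counters into one dict keyed by the header names."""
    lines = text.strip().splitlines()
    names = lines[0].split()
    totals = {name: 0 for name in names}
    for line in lines[1:]:
        for name, value in zip(names, line.split()):
            totals[name] += int(value, 16)
    # 'entries' is the global table count repeated on every CPU line, not a
    # per-CPU figure, so take it once instead of summing it.
    totals["entries"] = int(lines[1].split()[0], 16)
    return totals


def assess(totals, max_entries, bytes_per_entry=ASSUMED_BYTES_PER_ENTRY):
    """Report utilization, failed inserts, and worst-case memory for the limit."""
    failed = sum(totals.get(k, 0) for k in ("insert_failed", "drop", "early_drop"))
    return {
        "utilization": totals["entries"] / max_entries,
        "failed_inserts": failed,
        # Any non-zero failure count means new flows were refused: packets drop.
        "table_full_symptoms": failed > 0,
        # Memory is only committed as entries are created, so this is the ceiling.
        "worst_case_mb": max_entries * bytes_per_entry / 2**20,
    }


if __name__ == "__main__":
    report = assess(parse_conntrack_stat(SAMPLE_STAT), SAMPLE_MAX)
    for key, value in report.items():
        print(f"{key}: {value}")
```

On a live box, replace the constructed strings with the contents of /proc/net/stat/nf_conntrack and the sysctl value; a rising failed_inserts count alongside high utilization is the signature of the drops described in the thread.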
Thanks for the input. I get around 10% load on a P3 @ 1000, so this shouldn't be problematic.