
Bitcoin accepted at checkout  |  Shipped from Laval, QC, Canada  |  Expert support since 2016

NAT_OVERFLOW Warning

Router NAT Table Overflow — Miners Drop From Pool

A consumer router's NAT/conntrack table fills under multi-miner load, and outbound stratum, dashboard, and telemetry connections then drop in waves. Power-cycling the router restores connectivity temporarily. The real fix is an enterprise-class router (MikroTik / Ubiquiti / pfSense), TCP keepalive tuning, and fewer outbound connections per miner through local monitoring and a stratum proxy.

Warning — Should be addressed soon

Affected Models: Multi-miner home setups behind any consumer-grade router: TP-Link Archer / Asus RT-AX / Netgear Nighthawk / Bell HomeHub / Rogers Hitron / Vidéotron Helix / generic ISP gateways. Triggers at 3+ ASIC miners or 5+ Bitaxes; severe at 10+ devices. Affects Antminer (all), Whatsminer (all), Avalon (all), Bitaxe (all variants), NerdAxe / NerdQAxe / NerdNOS / NerdMiner.

Symptoms

  • Multiple workers cycling between online and offline on the pool dashboard every 30-120 minutes
  • All miners show stratum-disconnect events at roughly the same time, with reconnects spread over 1-5 minutes
  • Miner logs report `socket closed`, `connection reset by peer`, `stratum disconnect`, or `pool ping timeout` while pool status page shows no outage
  • WiFi and LAN reachability stay normal — only outbound TCP to stratum hosts drops
  • Fleet size is 3+ ASICs, 5+ Bitaxes, or any combination above 6 miners on a single consumer router
  • Cold-rebooting the router (60 sec power-off) stops drops for 30-120 minutes — strongest single indicator of NAT exhaustion
  • Router admin UI is sluggish or unreachable during the worst drop windows
  • Other LAN devices start dropping connections too — Zoom glitches, video buffers, smart-home gear loses contact
  • Drop frequency scales non-linearly with miner count — adding the 7th miner makes drops noticeably worse, not 15% worse
  • On Linux-based router firmware, `cat /proc/sys/net/netfilter/nf_conntrack_count` sits above 70% of `nf_conntrack_max` during drops
  • DNS resolves cleanly from a laptop on the same LAN, ruling out DNS-timeout class errors
  • Replacing the router with MikroTik / Ubiquiti / pfSense immediately ends the drop pattern

Step-by-Step Fix

1

Power-cycle the router for 60 full seconds: power off, wait one minute, power on, then wait 5 minutes for the LAN to reconnect. The conntrack table is kernel memory, so any reboot clears every entry; on Linux-based firmware that ships the conntrack tools, `conntrack -F` flushes it without rebooting. If pool drops vanish for 30+ minutes afterwards, NAT exhaustion is confirmed. Schedule a daily 3 AM reboot via the router's built-in scheduler as a band-aid until you replace the router.

2

Disable cloud-monitoring agents on every miner. Hiveon Agent, Awesome Miner cloud sync, MinerStat agent, ASIChub, AntMonitor — kill them all temporarily across the fleet. Each agent holds 1-3 long-lived TCP connections plus periodic UDP telemetry. Re-enable one at a time over a week and watch which one re-introduces drops. That's your culprit.

3

Close every miner web-UI tab on every device. Browser tabs pointed at AxeOS, Antminer web, WhatsMiner BTMiner, or NerdAxe AxeOS each keep a connection open (a WebSocket or constant polling). Traffic between two wired LAN hosts never crosses the router, but on a combined router/AP the traffic from a WiFi laptop to a wired miner does, and firmware that runs bridged traffic through netfilter gives each of those connections its own conntrack entry; a tab opened over a remote tunnel always does. Two laptops × five open miner tabs = 10 entries doing nothing. Close them all and open one only when actively making changes.

4

Move WiFi miners to Ethernet wherever the hardware allows. Every WiFi hiccup forces a TCP reconnect; the new connection takes a fresh conntrack entry while the old one lingers until its timeout expires, so an unstable radio multiplies the entries each miner holds. Full-size ASICs all ship with Ethernet; use it. Bitaxe boards are WiFi-only (ESP32-based, no Ethernet port), so for them the fix is a dedicated access point with solid signal rather than the router's own radio. Twelve devices on a 24-port wired switch produce far less conntrack churn than twelve on a consumer router's WiFi.

5

Remove unused backup pool entries from miner configs. Miners support 2-3 pool slots; if you only mine one and the others are vestigial, delete them. Some firmware opens warm-standby connections to backup pools every 5-10 minutes, eating NAT entries for nothing. Single primary pool, no untested backups.

6

Increase `nf_conntrack_max` on Linux-based router firmware. SSH in, read the current limit with `sysctl net.netfilter.nf_conntrack_max` (consumer firmware often ships only a few thousand), then run `sysctl -w net.netfilter.nf_conntrack_max=32768`. Persist it via `/etc/sysctl.conf` or the firmware's startup-script field. Each conntrack entry costs roughly 300-350 bytes of kernel RAM (32k entries ≈ 11 MB). The hash table is sized separately (`/sys/module/nf_conntrack/parameters/hashsize`; the kernel's default ratio is one bucket per four entries), so raise it alongside a large max or lookups slow down as the table fills. If `sysctl` errors out, the firmware build has stripped the knob: flash OpenWrt / Asuswrt-Merlin or replace the hardware.

7

Tune conntrack timeouts so dead entries leave the table sooner. Check the current values first: on a stock Linux kernel `nf_conntrack_tcp_timeout_close` is already 10 s and `nf_conntrack_udp_timeout` is already 30 s, so setting those changes nothing. The ones worth lowering are `net.netfilter.nf_conntrack_tcp_timeout_close_wait` (default 60 s, try 15) and `net.netfilter.nf_conntrack_tcp_timeout_time_wait` (default 120 s, try 30) to clear half-closed sockets faster, plus `net.netfilter.nf_conntrack_udp_timeout_stream` (120 s on current kernels, 180 s on older ones, try 60) to flush zombie UDP entries from monitoring telemetry; apply each with `sysctl -w`. Do NOT reduce `nf_conntrack_tcp_timeout_established` below 7200 s (the kernel default is 432000 s, five days, but some vendor firmware ships a much lower value, so check it): stratum's silent windows can run 10-15 min between `mining.notify` pushes, and a too-aggressive timeout evicts live connections.

8

Enable TCP keepalive on Linux-based miners. On DCENT_OS / Braiins OS+ / LuxOS / stock Antminer, add `net.ipv4.tcp_keepalive_time = 60`, `net.ipv4.tcp_keepalive_intvl = 30`, `net.ipv4.tcp_keepalive_probes = 4` to `/etc/sysctl.conf`. After 60 s of silence the miner sends an empty keepalive segment; the pool's TCP stack ACKs it, the stratum layer on both ends never sees it, and the router's conntrack entry is refreshed each time, so this is invisible to mining performance but prevents NAT-timeout evictions. Two caveats: the sysctl values only apply to sockets that set SO_KEEPALIVE (cgminer-derived firmware does so on pool sockets and typically sets its own per-socket idle/interval values, which take precedence), and with these numbers a dead pool connection is declared after 60 + 4 × 30 = 180 s, so keep that sum well inside the router's established timeout from step 7.
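The check that goes with this step, as an added example rather than anything from the page or from any miner firmware: run on the miner's own shell, it lists established stratum connections that `ss` reports without a keepalive timer (meaning the application never set SO_KEEPALIVE, so the sysctl values above do nothing for that socket), and it computes the dead-peer detection time from the three sysctl knobs. It assumes a Linux miner with iproute2's `ss`; the listing file argument and the `KEEPALIVE_DIR` override exist so the functions can be exercised on the constructed sample below instead of live sockets.

```shell
#!/bin/sh
# Added example (not from the page or any miner firmware): verify that pool
# connections actually carry TCP keepalive and that the keepalive schedule fits
# inside the router's conntrack established timeout.
STRATUM_PORTS="${STRATUM_PORTS:-3333 4444}"        # add your pool's port if it differs
KEEPALIVE_DIR="${KEEPALIVE_DIR:-/proc/sys/net/ipv4}" # overridable for testing

# Established TCP connections to a stratum port with no keepalive timer.
# `ss -o` appends "timer:(keepalive,<remaining>,<probes sent>)" only when the
# socket has SO_KEEPALIVE set, so anything printed here is a connection the
# router's NAT will see go silent between mining.notify pushes.
# $1 is a saved `ss -tno` listing (State Recv-Q Send-Q Local Peer [timer]).
stratum_without_keepalive() {
    awk -v ports="$STRATUM_PORTS" '
        BEGIN { k = split(ports, p, " "); for (i = 1; i <= k; i++) want[p[i]] = 1 }
        $1 == "ESTAB" {
            n = split($5, a, ":"); port = a[n]          # peer port, IPv4 or IPv6
            if ((port in want) && $0 !~ /timer:\(keepalive/) print $5
        }' "$1"
}

# Seconds from the last data packet until the kernel declares the peer dead:
# keepalive_time + keepalive_intvl * keepalive_probes (60/30/4 gives 180).
# The first probe, sent at keepalive_time, is what refreshes the NAT entry.
keepalive_detect_seconds() {
    t=$(cat "$KEEPALIVE_DIR/tcp_keepalive_time")
    i=$(cat "$KEEPALIVE_DIR/tcp_keepalive_intvl")
    p=$(cat "$KEEPALIVE_DIR/tcp_keepalive_probes")
    echo $(( t + i * p ))
}

# Constructed sample of `ss -tno` output (not captured from a real miner):
# two stratum sockets, one of them without keepalive, plus unrelated sockets.
write_sample_ss() {
    cat > "$1" <<'EOF'
State  Recv-Q Send-Q Local Address:Port     Peer Address:Port    Process
ESTAB  0      0      192.168.1.50:41234     203.0.113.10:3333    timer:(keepalive,52sec,0)
ESTAB  0      0      192.168.1.50:41240     203.0.113.11:3333
ESTAB  0      0      192.168.1.50:52210     203.0.113.40:443     timer:(keepalive,4min,0)
TIME-WAIT 0   0      192.168.1.50:41200     203.0.113.10:3333    timer:(timewait,38sec,0)
EOF
}

# Stand-alone run: live sockets when `ss` exists, otherwise the constructed sample.
LISTING=$(mktemp)
if command -v ss >/dev/null 2>&1; then
    ss -tno > "$LISTING"
else
    echo "note: ss not found, using constructed sample listing" >&2
    write_sample_ss "$LISTING"
fi
echo "stratum connections without keepalive:"
stratum_without_keepalive "$LISTING"
echo "dead-peer detection after $(keepalive_detect_seconds) s of silence"
```

If the second section prints nothing but drops continue, the keepalive is working and the eviction is coming from somewhere other than an idle timeout (table overflow, step 6, or a WAN-side reset).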

9

Move monitoring on-LAN. Run Prometheus + Grafana on a Raspberry Pi inside your LAN. Every miner's exporter (Bitaxe `/api/system/info`, Antminer `cgminer-api` JSON, Whatsminer `btminer-api`) gets scraped locally. The Pi is the only thing reaching out to the WAN — for NTP and a single Tailscale/WireGuard tunnel for remote dashboard access. Net effect: outbound mining-monitoring flows drop from N×M to 0.

10

Replace the consumer router with a MikroTik hEX (RB750Gr3) or Ubiquiti EdgeRouter X (~$80-110 CAD). Default conntrack table is 65,536+ on both, tunable to 250,000+. Migrate WiFi to a dedicated access point (UniFi U6-Lite ~$130 CAD or any decent dumb AP). Configure: WAN on ether1, LAN on ether2-5, basic NAT masquerade. RouterOS / EdgeOS ship sane defaults; minimal initial config.

11

For 30+ miner home mines, run pfSense or OPNsense on a Protectli or Netgate appliance (~$200-450 CAD). State-table capacity is RAM-limited: the default is derived from installed RAM (roughly 100,000 states per GB), so it already runs to hundreds of thousands and can be raised into the millions. pfSense gives you full IDS/IPS, traffic shaping, VLAN segmentation, and a proper firewall rule engine. Overkill for 5 miners; correct for 30+.

12

VLAN-segment the mining traffic. Once you have an enterprise-class router, put miners on a dedicated VLAN with no IoT, no laptops, no smart TVs. Conntrack pressure on that VLAN's path is now only mining traffic — predictable, monitorable, alertable. Bonus: if a miner's firmware ever phones home to somewhere you don't trust, block it at the firewall without affecting the rest of the house.

13

Deploy a stratum proxy on your LAN. Braiins Farm Proxy (or a self-hosted `stratum-proxy` / `stratum-mining-proxy`) takes one outbound connection to your chosen pool and multiplexes every miner's submitted shares through it. NAT pressure on the WAN drops from one or two entries per miner (primary plus warm backup pool) to a single connection. For a 30-miner home mine, this one change solves the NAT problem permanently. Bonus: Braiins's proxy translates Stratum V1 ↔ V2 and gives per-miner share statistics.

14

Add monitoring of `nf_conntrack_count` itself to your Grafana dashboard. MikroTik exposes it via SNMP; pfSense via the default dashboard; OpenWRT via collectd. Alert at 70% of `nf_conntrack_max`. Catch the wall before you hit it instead of after the pool already showed offline workers.
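A conntrack report that covers the `nf_conntrack_count` symptom above, the timeout tuning in step 7 and the 70 % alert in this step, written here as an added example (it is not code from the page or from any router firmware). Besides the fill percentage it breaks the table down by LAN source address (entries per miner), by TCP state (a pile of TIME_WAIT / CLOSE_WAIT entries is reconnect churn that step 7's shorter timeouts would clear sooner), and by stratum destination port. It assumes a Linux-based router where `/proc/net/nf_conntrack` is readable (root, `nf_conntrack` loaded); the older `/proc/net/ip_conntrack` layout is not parsed. The file paths and the port list are overridable so the functions can run against the constructed sample embedded at the bottom.

```shell
#!/bin/sh
# Added example (not from the page or any router firmware): conntrack health
# report for a Linux-based router. Run as root on the router, or from cron with
# the output fed to your monitoring stack.
CT_TABLE="${CT_TABLE:-/proc/net/nf_conntrack}"
CT_MAX_FILE="${CT_MAX_FILE:-/proc/sys/net/netfilter/nf_conntrack_max}"
STRATUM_PORTS="${STRATUM_PORTS:-3333 4444}"   # add your pool's port if it differs
ALERT_PCT="${ALERT_PCT:-70}"                   # step 14's alert threshold

# Integer percentage of the table in use. Counting lines in the table file gives
# the same number as /proc/sys/net/netfilter/nf_conntrack_count.
ct_fill_percent() {
    count=$(wc -l < "$CT_TABLE"); max=$(cat "$CT_MAX_FILE")
    echo $(( count * 100 / max ))
}

# Entries per LAN host, busiest first. The first src= on a line is the original
# direction, i.e. the LAN address before masquerade, so this is entries per miner.
ct_by_lan_host() {
    awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^src=/) { sub(/^src=/, "", $i); c[$i]++; break } }
         END { for (h in c) print c[h], h }' "$CT_TABLE" | sort -rn
}

# TCP entries per conntrack state; on a tcp line $3 is "tcp" and $6 the state.
ct_tcp_states() {
    awk '$3 == "tcp" { c[$6]++ } END { for (s in c) print c[s], s }' "$CT_TABLE" | sort -rn
}

# Entries whose original-direction destination port is a stratum port.
ct_stratum_entries() {
    awk -v ports="$STRATUM_PORTS" '
        BEGIN { k = split(ports, p, " "); for (i = 1; i <= k; i++) want[p[i]] = 1 }
        { for (i = 1; i <= NF; i++) if ($i ~ /^dport=/) { sub(/^dport=/, "", $i); if ($i in want) n++; break } }
        END { print n + 0 }' "$CT_TABLE"
}

# Print the report; returns non-zero when fill is at or above ALERT_PCT.
ct_report() {
    pct=$(ct_fill_percent)
    echo "conntrack fill: ${pct}% of $(cat "$CT_MAX_FILE") (alert at ${ALERT_PCT}%)"
    echo "entries per LAN host:"; ct_by_lan_host | head -n 10
    echo "tcp entries by state:"; ct_tcp_states
    echo "entries to stratum ports ($STRATUM_PORTS): $(ct_stratum_entries)"
    [ "$pct" -lt "$ALERT_PCT" ]
}

# Constructed sample table (not real traffic): three miners on 203.0.113.10:3333,
# one of which (.51) is churning reconnects, plus a UDP telemetry flow and a DNS lookup.
ct_write_sample() {
    cat > "$1" <<'EOF'
ipv4     2 tcp      6 431990 ESTABLISHED src=192.168.1.50 dst=203.0.113.10 sport=41234 dport=3333 src=203.0.113.10 dst=198.51.100.7 sport=3333 dport=41234 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431985 ESTABLISHED src=192.168.1.51 dst=203.0.113.10 sport=51002 dport=3333 src=203.0.113.10 dst=198.51.100.7 sport=3333 dport=51002 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 118 TIME_WAIT src=192.168.1.51 dst=203.0.113.10 sport=50990 dport=3333 src=203.0.113.10 dst=198.51.100.7 sport=3333 dport=50990 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 55 CLOSE_WAIT src=192.168.1.51 dst=203.0.113.10 sport=50970 dport=3333 src=203.0.113.10 dst=198.51.100.7 sport=3333 dport=50970 [ASSURED] mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=192.168.1.51 dst=203.0.113.40 sport=51100 dport=443 src=203.0.113.40 dst=198.51.100.7 sport=443 dport=51100 [ASSURED] mark=0 zone=0 use=2
ipv4     2 udp      17 28 src=192.168.1.51 dst=203.0.113.41 sport=40001 dport=8125 src=203.0.113.41 dst=198.51.100.7 sport=8125 dport=40001 mark=0 zone=0 use=2
ipv4     2 udp      17 25 src=192.168.1.20 dst=192.168.1.1 sport=53011 dport=53 src=192.168.1.1 dst=192.168.1.20 sport=53 dport=53011 mark=0 zone=0 use=2
ipv4     2 tcp      6 431980 ESTABLISHED src=192.168.1.52 dst=203.0.113.10 sport=43321 dport=3333 src=203.0.113.10 dst=198.51.100.7 sport=3333 dport=43321 [ASSURED] mark=0 zone=0 use=2
EOF
}

# Stand-alone run: live table when readable, otherwise the constructed sample.
if [ ! -r "$CT_TABLE" ]; then
    echo "note: $CT_TABLE not readable, using constructed sample data" >&2
    CT_TABLE=$(mktemp); CT_MAX_FILE=$(mktemp)
    ct_write_sample "$CT_TABLE"; echo 10 > "$CT_MAX_FILE"
fi
ct_report || echo "ALERT: conntrack table above ${ALERT_PCT}%, expect pool drops" >&2
```

The per-host breakdown is the part a dashboard will not give you: a single miner holding five times the entries of its neighbours is the one with a cloud agent, stale backup pool, or flapping WiFi link from steps 2 to 5, and the state breakdown tells you whether step 7's timeouts would have recovered those entries.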

15

Capture a 24-hour packet trace during a drop event for any future support escalation. On a Linux router: `tcpdump -i wan0 -w drop-event.pcap` (restrict it to the stratum ports and rotate the files, or 24 hours of raw WAN traffic becomes unmanageable). Open it in Wireshark, filter by stratum host IPs, and look for the moment the pattern changes: a miner retransmitting segments that get no reply, or a reset from the pool in mid-stream, is what an evicted NAT entry looks like on the wire. This artifact cuts any consultation, D-Central or otherwise, from 4 hours to 1.
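The capture command for this step, built so it actually survives 24 hours on a busy WAN, as an added example that is not from the page: it keeps only TCP to the stratum ports (and, optionally, only your pool hosts), truncates each packet to 128 bytes (enough for the headers plus the start of the JSON-RPC line), and uses tcpdump's `-G`/`-W` rotation to write one file per hour and stop after 24. It assumes tcpdump on a Linux router; the WAN interface name, the pool IPs and the output directory are arguments or overridable defaults.

```shell
#!/bin/sh
# Added example (not from the page): build a bounded, stratum-only 24-hour capture.
STRATUM_PORTS="${STRATUM_PORTS:-3333 4444}"   # add your pool's port if it differs
CAPTURE_DIR="${CAPTURE_DIR:-/var/log}"

# Usage: stratum_capture_cmd <wan-iface> [pool-ip ...]
# Prints the tcpdump command line (run it as root on the router, e.g. under nohup).
stratum_capture_cmd() {
    iface=$1; shift
    pf=""; for p in $STRATUM_PORTS; do pf="${pf:+$pf or }port $p"; done
    hf=""; for h in "$@"; do hf="${hf:+$hf or }host $h"; done
    filter="tcp and ($pf)"
    [ -n "$hf" ] && filter="$filter and ($hf)"
    # -nn: no name lookups   -s 128: snaplen, headers plus the start of the JSON line
    # -G 3600: new file every hour   -W 24: exit after 24 files (a full day)
    # -w with strftime fields: one timestamped file per hour, easy to match to the
    # pool dashboard's offline window
    echo "tcpdump -i $iface -nn -s 128 -G 3600 -W 24 -w $CAPTURE_DIR/drop-%Y%m%d-%H%M.pcap '$filter'"
}

# Stand-alone run: print the command for the given interface and pool hosts.
if [ $# -gt 0 ]; then
    stratum_capture_cmd "$@"
else
    stratum_capture_cmd wan0
fi
```

In Wireshark, `tcp.analysis.retransmission || tcp.flags.reset == 1` on the resulting files jumps straight to the eviction moments, and the hourly file names line up with the pool dashboard's offline timestamps.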

16

Stop DIY and book a D-Central mining consultation when: fleet is 30+ miners with drops persisting after enterprise router and stratum proxy; ISP throttling of long-lived TCP is suspected; you need VLAN-segmented design between mining / IoT / household; or you're moving from home mining to a small farm and the network needs proper architecture review.

17

What D-Central does in the consultation: full network audit (router, switch, AP roles), conntrack profiling, packet capture during a drop event, ISP uplink test, recommended layout (router model, VLAN plan, monitoring stack, pool-proxy if appropriate). Output is a one-page network architecture diagram and a procurement list — typically $400-1,500 CAD in hardware for a midsize home mine plus the consult fee.

18

Document your fleet network: every device on the LAN (model, firmware, IP, MAC), current router model and firmware, ISP service tier, 24-hour packet capture during a drop. Bring that to the consultation and it's 1 hour of work, not 4. The same document is your foundation for self-diagnosis the next time something breaks — and there will be a next time as the fleet grows.

When to Seek Professional Repair

If the steps above do not resolve the issue, or if you are not comfortable performing these repairs yourself, professional service is recommended. Attempting advanced repairs without proper equipment can cause further damage.

Still Having Issues?

Our team of Bitcoin Mining Hackers has been repairing ASIC miners since 2016. We have seen it all and fixed it all. Get a professional diagnosis.