Why NAT Is CPU-Intensive Without Hardware Offload
Network address translation rewrites IP addresses and port numbers on every packet passing between your local network and the internet. For a home with many active connections — streaming, browsing, gaming, and background sync all happening at once — the router may need to look up and rewrite millions of packets per minute. On a general-purpose CPU this is genuinely expensive work: each packet requires a connection table lookup, address rewrite, checksum recalculation, and forwarding decision. A single-core ARM CPU at 880 MHz running software NAT typically saturates well below gigabit speeds, let alone multi-gig.
Hardware NAT and NPU Engines
The solution is offloading. Modern router SoCs include dedicated network processing hardware that handles established flows entirely outside the CPU. Qualcomm's implementation is called the Network Sub-System, or NSS. MediaTek includes hardware flow acceleration, sometimes labelled HW-NAT. These engines intercept packets belonging to already-established connections and forward them at wire speed using dedicated logic, without waking the CPU for each one. When hardware offload is active, a router with a modest CPU can sustain gigabit or multi-gig NAT throughput while the CPU stays at low utilisation.
The catch is that features which require per-packet inspection or modification bypass the hardware fast path. VPN encryption, SQM queue management, deep packet inspection, and some firewall rules all require the CPU to examine or alter packet contents. Enabling these features on a router with a weak CPU reveals the true software routing ceiling, which can be far below the headline spec.
CPU Clock Speed vs Number of Cores for Router Workloads
Router firmware is not a desktop operating system. Most packet processing tasks are not easily parallelised across many cores. A router running simple NAT with hardware offload uses very little CPU at all. A router running SQM, VPN, or DPI uses the CPU heavily, but those tasks often run on one or two threads. This means a higher-clocked dual-core CPU often outperforms a lower-clocked quad-core for single-threaded router workloads like OpenVPN encryption or CAKE queue processing. Broadcom's BCM6750, Qualcomm's IPQ8074, and MediaTek's Filogic 880 all sit at the higher end of consumer CPU performance, but the clock speed and core architecture differ in ways that matter for specific workloads. Real-world benchmarks with your intended feature set are more useful than comparing core counts on a spec sheet.
| Feature | CPU Impact | RAM Impact | Uses Hardware Offload? |
|---|---|---|---|
| Basic NAT and routing | Very low with offload | Moderate (connection table) | Yes, on most modern SoCs |
| OpenVPN server or client | Very high (single-threaded) | Moderate | No |
| WireGuard VPN | High but more efficient than OpenVPN | Low to moderate | Partial on some SoCs |
| SQM / CAKE at gigabit | High (scales with line rate) | Low to moderate | No |
| Traffic analyzer / DPI | Moderate to high | Moderate to high | No |
| Many active clients (50+) | Moderate | High (state tables, DHCP, ARP) | Partial |
| Mesh coordination daemon | Low to moderate | Moderate (additional process) | No |
RAM's Role in Connection Tracking Tables
The NAT connection tracking table holds an entry for every active TCP or UDP session passing through the router. Each entry records source IP, source port, destination IP, destination port, protocol, and state. A home with 30 devices running streaming, gaming, social media, and background cloud sync can easily maintain 5,000 to 20,000 simultaneous connections. Routers with limited RAM must set small maximum connection table sizes. When the table fills, the router either drops new connections or aggressively evicts old ones, producing the intermittent connectivity failures that look like ISP problems but disappear after a reboot.
Most modern routers ship with 256 MB to 1 GB of DDR RAM. Budget models with 64 or 128 MB hit table limits under high peer-to-peer or streaming load. Custom firmware users running additional packages, ad-blocking lists, or VPN processes need even more headroom.
RAM's Effect on Buffering and QoS Queues
Quality of service systems such as CAKE and fq_codel maintain packet queues in RAM. At gigabit speeds, a large queue can represent significant memory. More importantly, if RAM is already under pressure from connection tables, running processes, and logs, the kernel may shrink queue allocations or become slow to manage them, degrading QoS effectiveness. Routers running SQM on fast plans benefit from having comfortable RAM headroom beyond what connection tracking alone needs.
What Happens When RAM Is Exhausted
When a Linux-based router runs out of free RAM, the kernel's out-of-memory killer begins terminating processes to reclaim memory. It may kill non-essential daemons first — logging, traffic analysis, or management UI processes — before eventually affecting routing or wireless management. Users typically see the admin web interface becoming unresponsive or very slow, followed by client drops, DNS failures, or the router rebooting spontaneously. These symptoms under sustained load with many clients almost always point to memory pressure rather than a Wi-Fi or ISP problem.
Checking CPU and Memory Usage
Most router admin interfaces include a basic system status page showing CPU load and free memory. Look for a dashboard or system information section. On OpenWrt and similar firmware, the status overview page shows real-time load averages and memory. If you have SSH access enabled, the `top` command shows per-process CPU and memory consumption, and `free` shows total, used, and available RAM. On stock firmware, some routers expose this via a diagnostics or advanced status tab. Sustained CPU load above 80 percent or free RAM below 20 percent under normal use indicates the router is near its practical limit for your workload.
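An added example, not part of the original article or of any router firmware: a POSIX sh script for the SSH check described above, which also reports how full the connection tracking table from the earlier section is. It assumes a Linux-based router exposing `/proc/meminfo`, `/proc/stat` and `/proc/sys/net/netfilter/nf_conntrack_count` / `nf_conntrack_max`; the function names and the 80 percent conntrack warning level are this example's own choices.

```shell
#!/bin/sh
# Added example: headroom check for a Linux-based router (POSIX sh, works in BusyBox ash).
# CPU and RAM thresholds follow the article (CPU above 80 %, RAM below 20 %).
# The 80 % conntrack warning level is an assumption of this example.

# Percentage of RAM still available, read from a /proc/meminfo-format file.
# Prints -1 when MemAvailable is missing (older kernels) so the caller can skip it.
mem_avail_pct() {
    awk '/^MemTotal:/ {t = $2} /^MemAvailable:/ {a = $2}
         END { if (t > 0 && a != "") printf "%d\n", a * 100 / t; else print "-1" }' "$1"
}

# Percentage of the connection tracking table in use. Arguments: count max
conntrack_pct() {
    [ "$2" -gt 0 ] || { printf '%s\n' "-1"; return; }
    echo $(( $1 * 100 / $2 ))
}

# CPU busy percentage between two aggregate "cpu" lines taken from /proc/stat.
# Fields: cpu user nice system idle iowait irq softirq steal
# softirq counts as busy: software packet forwarding is accounted there.
cpu_busy_pct() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        { tot = 0; for (i = 2; i <= 9; i++) tot += $i; idle = $5 + $6
          if (NR == 1) { t0 = tot; i0 = idle } else { dt = tot - t0; di = idle - i0 } }
        END { if (dt > 0) printf "%d\n", (dt - di) * 100 / dt; else print 0 }'
}

# Combine the three percentages. Arguments: cpu_pct mem_avail_pct conntrack_pct
verdict() {
    out=""
    if [ "$1" -gt 80 ]; then out="$out cpu"; fi
    if [ "$2" -ge 0 ] && [ "$2" -lt 20 ]; then out="$out ram"; fi
    if [ "$3" -gt 80 ]; then out="$out conntrack"; fi
    if [ -n "$out" ]; then echo "NEAR LIMIT:$out"; else echo "OK"; fi
}

# Live run on the router: samples CPU over 5 seconds, then prints the verdict.
check_router() {
    ct=/proc/sys/net/netfilter
    [ -r "$ct/nf_conntrack_count" ] || { echo "conntrack not available"; return 1; }
    s1=$(head -n 1 /proc/stat); sleep 5; s2=$(head -n 1 /proc/stat)
    verdict "$(cpu_busy_pct "$s1" "$s2")" "$(mem_avail_pct /proc/meminfo)" \
        "$(conntrack_pct "$(cat "$ct/nf_conntrack_count")" "$(cat "$ct/nf_conntrack_max")")"
}
```

Call `check_router` during a period of normal heavy use rather than at idle, since the article's thresholds refer to sustained load.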
When CPU and RAM Matter Most
- You run a VPN server or client on the router rather than on individual devices.
- You want SQM or CAKE active on a plan faster than 200 Mbps.
- You have more than 30–40 simultaneously active devices.
- You run custom firmware with added packages such as ad-blocking, monitoring, or additional firewall rules.
- You use traffic analysis, parental controls with deep inspection, or security scanning features.
- You run VLANs with per-VLAN firewall rules that cannot be hardware-offloaded.
Frequently Asked Questions
How much RAM does a router need?
Basic use with a small household is manageable with 128–256 MB. For modern feature sets, many clients, custom firmware, VPN, or SQM on a fast plan, 512 MB is a more comfortable floor and 1 GB provides genuine headroom for future load.
Does router CPU matter for Wi-Fi speed?
Indirectly. The Wi-Fi radio chip handles the wireless link. The CPU handles routing, NAT, firewalling, VPN, QoS, and management. Saturating the CPU degrades throughput and increases latency for all traffic flowing through the router, even when the radio itself is fine.
Why is my router CPU high during uploads?
Upload traffic passes through NAT, firewall rules, QoS queues, and potentially VPN or traffic analysis. If any of these bypass hardware offload, the CPU must process each packet. Heavy upload loads such as large cloud backups or video uploads are a common trigger for revealing CPU ceiling limits.