ASK [CGNAT-port forwarding]

In my case I'm using CGNAT, which is working well!
I'm sharing only one public IP address for my clients.

What I'm trying to do now is port forwarding for the server (client).

The example is simple: CPE01 is the end user, they have some server, and they want to use port forwarding for that.

Any tip on how I can do that?

Just a note here: the public IP address is terminated on the CGNAT router. I can do port forwarding to CPE01 (if I do a NAT rule on the CGNAT router), but I want to be able to get to the server behind it.
Please see the topology (attachment: cgnat.PNG).

Are you saying that your ISP is using CGNAT? If that is the case then you won’t be able to do what you want.

If your ISP is providing you with a fixed external IP address then you just need to put in a Firewall/NAT rule to forward the port traffic to your client’s server IP address (Check this link).

I'm not saying that.
Let's say CGNAT is R2, which is connected to the gateway router (R1), and I have assigned only one public IP address (R1==>R2) for some customers (I'm sharing the public IP address; that is the purpose of CGNAT).
Everything works fine, I'm just wondering whether I can do port forwarding for the server (client), which in theory is hard to say yes to.

OK, I think I understand what you’re doing now. The short answer is yes, you can port forward to the client.

What I would do (based on your picture) is to forward the port for the external IP address from R1 to R2 and then R2 forwards the port to CPE01. The client (or you if you have access) will need to forward the port from CPE01 to the server. I’ve usually seen these arrangements called Double-NAT (although it looks more like Triple-NAT in this case with the client having a router) rather than CGNAT but the principle of the forwarding is the same.

I’ve never used a MikroTik configured for CGNAT but, given how versatile the MikroTiks are and that you have full access to configure the units, you should be able to get it working. The real issue is having a public IP address, once you’ve got that it’s just a matter of getting the firewall and NAT rules correct.

Give me an example.
How should the rule look?
I can do PF to the CPE01 if I configure that rule on the CGNAT router.
My goal is how to involve the server in that.

I did not understand what you mean by “involving the server”.

On the router with the public address, there must be an action=dst-nat rule with to-address=the.cgnat.address.of.customer.router

On the customer router, which has a CGNAT address on its WAN, there must be an action=dst-nat rule with to-address=the.lan.address.of.the.server.

The server itself doesn’t need to do anything except listening at the private address.

If you want it complex and dangerous, you can permit UPnP on the customer router, and teach the server to request dynamic creation of a dst-nat rule on the customer router using UPnP.

> I did not understand what you mean by "involving the server".

That was a bad explanation.
I was trying to say that I want to be able to do port forwarding to the Server.

> On the router with public address, there must be an action=dst-nat rule with to-address=the.cgnat.address.of.customer.router

I did try; that will allow me to do PF to the CPE01 only.

> On the customer router, which has a CGNAT address on its WAN, there must be an action=dst-nat rule with to-address=the.lan.address.of.the.server.

On the CPE the uplink IP address is 10.0.10.x and the server is 192.168.1.x.
That is why I'm getting stuck.

> If you want it complex and dangerous, you can permit UPnP on the customer router, and teach the server to request dynamic creation of a dst-nat rule on the customer router using UPnP.

That would be the last solution.

It means there was some error in one of the dst-nat rules, or in some filter rules.

Of course you cannot use the same port for both the web access to the CPE and the web access to the server (the dst-nat rule handles the incoming traffic first, so if you port forward cpe.wan.i.p:80 to a LAN host, you lose access to port 80 of the CPE from the wan side, which should not be permitted anyway), but as you are port forwarding from the public IP, I guess you don’t forward pub.lic.i.p:80 anyway, so that should not be a surprise.


These days, CGNAT usually means not only the setup but also the use of a particular address range for the CPE WAN IPs, namely, 100.64.0.0/10 (RFC 6598). The purpose is to avoid conflict with any RFC1918 range the client may choose to use in their internal network.
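As an added illustration (not from any post in this thread), here is a small Python model of the two-stage dst-nat described above, using constructed addresses in the RFC 6598 and documentation ranges. It also shows the point made earlier: once cpe.wan:80 is forwarded to a LAN host, the CPE's own port 80 is no longer reachable from the WAN side.

```python
# Added example, not from the forum post: a model of the two-stage dst-nat
# discussed above. Each router's dstnat chain is walked first-match-wins, as
# RouterOS does. All addresses below are constructed sample values.
from dataclasses import dataclass, replace
from typing import Optional

PUBLIC_IP = "203.0.113.10"  # public address terminated on the CGNAT router (R2)
CPE_WAN = "100.64.10.2"     # RFC 6598 shared-space address on CPE01's WAN
SERVER = "192.168.1.20"     # customer's server on CPE01's LAN

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class DstNatRule:
    dst_address: str
    to_address: str
    dst_port: Optional[int] = None  # None: any port, like the CPE rule in the thread
    to_port: Optional[int] = None   # None: keep the incoming port

def apply_dstnat(rules, pkt):
    """First matching rule rewrites dst/dport; no match means the packet is for the router itself."""
    for r in rules:
        if r.dst_address == pkt.dst and r.dst_port in (None, pkt.dport):
            return replace(pkt, dst=r.to_address, dport=pkt.dport if r.to_port is None else r.to_port)
    return pkt

def traverse(pkt, *hops):
    """Push pkt through each router's dstnat chain in turn; return where it finally lands."""
    for rules in hops:
        pkt = apply_dstnat(rules, pkt)
    return pkt.dst, pkt.dport

# R2: public:8080 -> CPE01:80 (for the server), public:8222 -> CPE01:8291 (Winbox on CPE01)
CGNAT_RULES = [
    DstNatRule(PUBLIC_IP, CPE_WAN, dst_port=8080, to_port=80),
    DstNatRule(PUBLIC_IP, CPE_WAN, dst_port=8222, to_port=8291),
]
# CPE01: whatever reaches its WAN address on port 80 goes on to the server
CPE_RULES = [DstNatRule(CPE_WAN, SERVER, dst_port=80)]

def from_internet(port):
    # An outside host connects to the public address: R2's chain, then CPE01's.
    return traverse(Packet("198.51.100.5", PUBLIC_IP, port), CGNAT_RULES, CPE_RULES)

def cpe_from_cgnat_side(port):
    """A host inside the CGNAT domain talking straight to CPE01's WAN address (CPE01's chain only)."""
    return traverse(Packet("100.64.0.1", CPE_WAN, port), CPE_RULES)
```

Run `from_internet(8080)` and `from_internet(8222)` to see one public address carrying traffic to both the server and the CPE management port; `cpe_from_cgnat_side(80)` shows that the CPE's own web port is hidden by its dst-nat rule.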

> It means there was some error in one of the dst-nat rules, or in some filter rules.

I'm using different ports; that is not an issue.
The issue is that from the CGNAT I can't ping the server IP address (192.168.1.x), which is logical.
That is why I can make it work.
This is a basic example:


add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.z to-ports=80 comment=server
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8222 in-interface-list=WAN protocol=tcp to-addresses=10.0.1.x to-ports=8291 comment=CPE01

It seems like I found a solution.

  • CGNAT -
    add action=dst-nat chain=dstnat dst-address=public-ip dst-port=89 protocol=tcp to-addresses=CPE-ip to-ports=80

  • CPE -
    add action=dst-nat chain=dstnat dst-address=CPE-ip src-address=public-ip to-addresses=server-ip

NAT is amazing!