CGN NAT ( NAT444 ) help

RouterOS General
1

CGN NAT ( NAT444 ) help

I am asking for some help.
I need to configure NAT444.

I have found several examples to configure NAT444 using a “addNatRules” function.
Example: in the Mikrotik Wiki → https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444
There is a section in the Mikrotik Wiki that has some documentation about using the function “$addNatRules”.
I am having problems running the function ( either I am making mistakes and don’t know how to run configure and execute this function -or- the function is broken/not-functioning ).

So here are my questions:
Question #1 ; Is the Mikrotik Wiki documentation on the function “$addNatRules” correct and does it work ?
Question #2 ; Where can I find clean clear-cut easy-to-follow documentation to create this function and how do I execute this function ?


Here is what I have tried that is failing:
I add a script with the name of “addNatRules”. The body of the script is as follows:
:global sqrt do={
:for i from=0 to=$1 do={
:if (i * i > $1) do={ :return ($i - 1) }
}
}

:global addNatRules do={
/ip firewall nat add chain=srcnat action=jump jump-target=xxx
src-address=“$($srcStart)-$($srcStart + $count - 1)”

:local x [$sqrt $count]
:local y $x
:if ($x * $x = $count) do={ :set y ($x + 1) }
:for i from=0 to=$x do={
/ip firewall nat add chain=xxx action=jump jump-target=“xxx-$($i)”
src-address=“$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))”
}

:for i from=0 to=($count - 1) do={
:local prange “$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)”
/ip firewall nat add chain=“xxx-$($i / $x)” action=src-nat protocol=tcp src-address=($srcStart + $i)
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain=“xxx-$($i / $x)” action=src-nat protocol=udp src-address=($srcStart + $i)
to-address=$toAddr to-ports=$prange
}
}


Then at the CLI prompt I paste in something like this ( and the script does not do anything ).
I have tried this with and without the “$” in the script - I am lost.
Function-addNatRules.png

High CPU Load on MikroTik CCR2216 with PPPoE and NAT
2

Related to my question addNatRule

What is a good working amount of ports to use ?
I have seen several documents about addNatRules that show 100 ports and some at 10,000 ports.
So , I ask, what is a decent number of ports that will probably work ( 250 ports per CGN IP address ? ) ??

3

The script die not work for me, as well.
I ended up using the idea and manually built a binary-tree of cascaded jumps to reduce CPU-Load. (Excel helped here for string manipulation).

At the end of each jump-cascade there will be the netmap/NAT to squeeze down the number of required ports.

For residential customers 1012 Ports (64 customers per IP) are sufficient.
For Hotspot/Wireless users you might squeeze it down to 63 ports per user (1024 Users per IP).

Limiting the ports per user does not mean there will be a hard limit of connections=ports. Mikrotik does port-overloading. This means it can re-use the same port for another destination.

Loading a bloated website full of ads and other stuff on a 63 port NAT resulted in approx. 300 successfully simultaneously open sessions.
Be aware that only 63 concurrent DNS requests are possible, still.
You might also want to aggressively time down your UDP timers in connection tracking, when using such a low amount of ports per user.

4

sup5 ,

thank you for your input

Yesterday , I said F-it with the script function and started typing the mt CGN-nat configuration into a txt file.
Then I had a thought:\

  • If I have 12 /21 CGN networks ( 100.64.x.x /21 ) and I am natting each /21 network to 8 or 16 Live-IP addresses , that is a whole lot of nat rules to go through. If the nat rule is at the bottom of a huge thousand+ line list, it might run slowwww.
  • Sooooo , I am now also thinking about the jump statement and I am going to try to make a configuration that has the least amount of lines to be processed by using jumps.
    ** If within x.y.x.0/25 jump to x.y.z.0-25
    ** if within x.y.x.127/25 jump to x.y.x.127-25
    The idea will be that processing each GCN-nat will use the the fewest lines of processing.

I am almost thinking about writing this in a Linux Shell program …

Note - right now I am just doing a simple NAT44 on my /21 networks ( nat each /21 into a /30 — but I am not doing any port ranges at this time ) , it works fast at multi-Gig nat throughput ( CHR ), I just hope I don’t kill it with a full NAT444 configuration.

North Idaho Tom Jones

5

You won’t because the NAT rules are only used when handling the initial packet of each connection. Once chains srcnat and dstnat give their verdicts (instructions) regarding the initial packet, these instructions get stored into the context data of that connection maintained by the conn(ection)track(ing) module, and all subsequent packets of the same connection are handled the same or reverse way depending on their direction. And the CPU load of this handling of mid-connection packets is always the same no matter how complex it was to find the instruction for the initial packet.

6

Frig, me thinks your knowledge is somehow not being utilized to its maximum potential.
Perhaps you should start your own Routing Company or RoS equivilant, SoS :wink:

Not being flippant (well only a little) but is there anything you do not know?
I am constantly amazed by the amount of detail you put into every post and the command of the english language (are you sure you are not Oxford trained?) :slight_smile:
No really I have a little Sindy obelisk in my study and every once in a while I genuflect in its direction.
Just sayin, glad you are here!! glad to know you!!

7

1’st , thanks for your input and thoughts.

I have two types of customer networks.

  • 1’st type is Live IP WANs with optional routed Live IPs ( for my static IP business accounts ).
  • 2’nd type is my standard CGN customers where:
    Close to 2-thousand DHCP ( Mikrotik wireless customer CPE DHCP-Client Wan routers with NATed 192.168.56.x/24 Lans -or- Fiber-to-the-home routers )
    19 different residential customer networks where each network is a unique CGN 100.64.x.y/21 ( 8 C CGN networks ) ((( I use a /21 so that we can grow and never need to renumber a network ))).
    Currently 1 CHR CGN Nat router (( I am considering breaking this up into 4 different CHR CGN Nat routers to spread the Nat CPU load ))

My 1’st question:
With CGN NAT444 , how many ports should I use per CGN customer ( total of 38,912 CGN IPs ) ? What works for 99-percent of the residential customers ?
1,000 ports ( 8 IPs needed per CGN /21 ) ?
500 ports ? ( 4 IPs needed per CGN /21 ) ?
250 ports ? ( 2 IPs needed per CGN /21 ) ?
100 ports ? ( 1 IP needed per CGN /21 ) ? ( I am considering trying 100 ports per CGN IP – is this a mistake ? )

My 2’nd question:
Where do thing start to break as I use fewer ports per CGN IP on the average residential customer ?

My 3’rd question:
When I change from NAT44 ( Normal NAT) to NAT444 ( with port ranges ) , how much of an additional CPU load does NAT444 place on a CHR verses NAT44 ?

Again , thank you and everybody else for your ideas and thoughts

North Idaho Tom Jones

8

Excuse my ignorance TOM, but do you mean that customers are limited to access only X number of ports (inbound and outbound)? Put in another way they can only run servers on a choice of 8000 ports or is this simply an allocation schema for WANIP and port association to the WANIP. I have no clue in general and even less about CGNAT.

9

anav.
Forgive me , I a still new to the idea and concept of NAT444 and port usage. I may be wrong in my answer - but I will give it a shot.

I believe that that NAT-overload will be used in this configuration.

Here is one example of a NAT-overload:
Let’s say you have a single port ( port 80 forwarded to a web server ), more than one remote client at a time ( hundreds/thousands ) of Internet remote located computers can pull up web pages ( http uses port 80 ) all at the same time.

I believe that NAT-overload can also work the other direction. So , let’s say I use 100 ports per CGN IP. I can have a potential of 100 connections to any single remote IP address. And it is possible to also have another 100 connections at the same time to a different remote IP address at the same time.
Thus , with NAT-overload and 100 ports per CGN IP, it is possible to have 100 ports connected to 10 different remote location ( a total of 1,000 ports )
and it is possible to have 100 connections with 100 ports each ( a total of 10,000 connections/ports )

10

@anav, you have to read that manual @TomjNorthIdaho refers to - the idea is to be able to link a particular connection to a particular client just by the public socket adress (IP:port) used, e.g. when searching for a source of a DDoS attack. You get a report from the attack victim and have to identify the actual source of the attack among your clients, but since the attack is not ongoing, there is no point in listing current connections to the victim. Another scenario could be a CSIS (FBI in Tom’s case) request for the same - here’s a connection from your public IP to this destination, identify the actual source.

So to facilitate this, you “translate” or “encode” the WAN address of the client (which is the “CGNAT” one) into the port number at the public address. And we talk only about outbound connections of the clients here, because for port forwarding, you obviously do know to which CGNAT address you forward which port on the public address.

If you allow only N ports to be chosen from for a given client, it means that that client can establish at most N connections to the same remote socket address, such as your hypothetical https server in the data center, not that they can establish only N connections in total. For most stock software like web browsers, and for most SOHO users, this will never cause a problem (except maybe dns as @sup5 suggests).

But there are cases when multiple actual users are connected via the same CGNAT address, so all of these actual users use a common pool of N ports. Now imagine a call center where tens of agents’ workstations connect to the same web server in the cloud. One would say a pool of N ports should be enough for N such workstations, but that’s not the case. If a client uses a port to establish a TCP session to a client and then terminates the session, it will not reuse that port for another connection for one to four minutes depending on the operating system settings. This is a precaution against delayed packets belonging to the old session getting handled as part of the new session, and this guard time of many tens of seconds comes from the times when TCP has been designed and network speeds were far lower. And here comes the issue with software - programmers are typically not network specialists, so the unexperienced ones often use a dedicated TCP session for each transaction rather than only closing a session a few minutes after the last transaction has been finished, and reusing it for any new transaction popping up before the timeout passes. So if the workstations in that hypothetical call center run some in-house application rather than a stock web browser, such an approach combined with the restricted pool of available ports will cost you the rest of your hair until you find the cause.

11

I will have to read this a few times over as the glazed eye phenomenal rapidly ensued.
Suffice to say I think I understood that TN wants to ensure with this technology that a single user can make at least 1000 connections outbound simultaneously on one port (like 443 or 80) as that is a practical number that most likely will not be breached by a single household. Understood if the problem is exacerbated by that CGN address being shared by 10 households then you quickly get into a problem if all attempting to use port 80 ??

12

Not just port 80 - all of them have to access port 80 at the same remote IP address to get into trouble (hit the limit of N ports in a common pool).

13

Hi, I found an old configuration. It compresses a private /18 into a public /24.
Thus compressing 6 bits means 64 customers have to share a single public ip address.

Using the binary tree there will always only be six jumps to reach the approriate netmap command.


/ip firewall nat
add action=jump   chain=srcnat     jump-target=000001-CGN src-address=100.64.0.0/18 comment=/18
add action=jump   chain=000001-CGN jump-target=000010-CGN src-address=100.64.0.0/19 comment=/19
add action=jump   chain=000001-CGN jump-target=000011-CGN src-address=100.64.32.0/19
add action=jump   chain=000010-CGN jump-target=000100-CGN src-address=100.64.0.0/20 comment=/20
add action=jump   chain=000010-CGN jump-target=000101-CGN src-address=100.64.16.0/20
add action=jump   chain=000011-CGN jump-target=000110-CGN src-address=100.64.32.0/20
add action=jump   chain=000011-CGN jump-target=000111-CGN src-address=100.64.48.0/20
add action=jump   chain=000100-CGN jump-target=001000-CGN src-address=100.64.0.0/21 comment=/21
add action=jump   chain=000100-CGN jump-target=001001-CGN src-address=100.64.8.0/21
add action=jump   chain=000101-CGN jump-target=001010-CGN src-address=100.64.16.0/21
add action=jump   chain=000101-CGN jump-target=001011-CGN src-address=100.64.24.0/21
add action=jump   chain=000110-CGN jump-target=001100-CGN src-address=100.64.32.0/21
add action=jump   chain=000110-CGN jump-target=001101-CGN src-address=100.64.40.0/21
add action=jump   chain=000111-CGN jump-target=001110-CGN src-address=100.64.48.0/21
add action=jump   chain=000111-CGN jump-target=001111-CGN src-address=100.64.56.0/21
add action=jump   chain=001000-CGN jump-target=010000-CGN src-address=100.64.0.0/22 comment=/22
add action=jump   chain=001000-CGN jump-target=010001-CGN src-address=100.64.4.0/22
add action=jump   chain=001001-CGN jump-target=010010-CGN src-address=100.64.8.0/22
add action=jump   chain=001001-CGN jump-target=010011-CGN src-address=100.64.12.0/22
add action=jump   chain=001010-CGN jump-target=010100-CGN src-address=100.64.16.0/22
add action=jump   chain=001010-CGN jump-target=010101-CGN src-address=100.64.20.0/22
add action=jump   chain=001011-CGN jump-target=010110-CGN src-address=100.64.24.0/22
add action=jump   chain=001011-CGN jump-target=010111-CGN src-address=100.64.28.0/22
add action=jump   chain=001100-CGN jump-target=011000-CGN src-address=100.64.32.0/22
add action=jump   chain=001100-CGN jump-target=011001-CGN src-address=100.64.36.0/22
add action=jump   chain=001101-CGN jump-target=011010-CGN src-address=100.64.40.0/22
add action=jump   chain=001101-CGN jump-target=011011-CGN src-address=100.64.44.0/22
add action=jump   chain=001110-CGN jump-target=011100-CGN src-address=100.64.48.0/22
add action=jump   chain=001110-CGN jump-target=011101-CGN src-address=100.64.52.0/22
add action=jump   chain=001111-CGN jump-target=011110-CGN src-address=100.64.56.0/22
add action=jump   chain=001111-CGN jump-target=011111-CGN src-address=100.64.60.0/22
add action=jump   chain=010000-CGN jump-target=100000-CGN src-address=100.64.0.0/23 comment=/23 
add action=jump   chain=010000-CGN jump-target=100001-CGN src-address=100.64.2.0/23
add action=jump   chain=010001-CGN jump-target=100010-CGN src-address=100.64.4.0/23
add action=jump   chain=010001-CGN jump-target=100011-CGN src-address=100.64.6.0/23
add action=jump   chain=010010-CGN jump-target=100100-CGN src-address=100.64.8.0/23
add action=jump   chain=010010-CGN jump-target=100101-CGN src-address=100.64.10.0/23
add action=jump   chain=010011-CGN jump-target=100110-CGN src-address=100.64.12.0/23
add action=jump   chain=010011-CGN jump-target=100111-CGN src-address=100.64.14.0/23
add action=jump   chain=010100-CGN jump-target=101000-CGN src-address=100.64.16.0/23
add action=jump   chain=010100-CGN jump-target=101001-CGN src-address=100.64.18.0/23
add action=jump   chain=010101-CGN jump-target=101010-CGN src-address=100.64.20.0/23
add action=jump   chain=010101-CGN jump-target=101011-CGN src-address=100.64.22.0/23
add action=jump   chain=010110-CGN jump-target=101100-CGN src-address=100.64.24.0/23
add action=jump   chain=010110-CGN jump-target=101101-CGN src-address=100.64.26.0/23
add action=jump   chain=010111-CGN jump-target=101110-CGN src-address=100.64.28.0/23
add action=jump   chain=010111-CGN jump-target=101111-CGN src-address=100.64.30.0/23
add action=jump   chain=011000-CGN jump-target=110000-CGN src-address=100.64.32.0/23
add action=jump   chain=011000-CGN jump-target=110001-CGN src-address=100.64.34.0/23
add action=jump   chain=011001-CGN jump-target=110010-CGN src-address=100.64.36.0/23
add action=jump   chain=011001-CGN jump-target=110011-CGN src-address=100.64.38.0/23
add action=jump   chain=011010-CGN jump-target=110100-CGN src-address=100.64.40.0/23
add action=jump   chain=011010-CGN jump-target=110101-CGN src-address=100.64.42.0/23
add action=jump   chain=011011-CGN jump-target=110110-CGN src-address=100.64.44.0/23
add action=jump   chain=011011-CGN jump-target=110111-CGN src-address=100.64.46.0/23
add action=jump   chain=011100-CGN jump-target=111000-CGN src-address=100.64.48.0/23
add action=jump   chain=011100-CGN jump-target=111001-CGN src-address=100.64.50.0/23
add action=jump   chain=011101-CGN jump-target=111010-CGN src-address=100.64.52.0/23
add action=jump   chain=011101-CGN jump-target=111011-CGN src-address=100.64.54.0/23
add action=jump   chain=011110-CGN jump-target=111100-CGN src-address=100.64.56.0/23
add action=jump   chain=011110-CGN jump-target=111101-CGN src-address=100.64.58.0/23
add action=jump   chain=011111-CGN jump-target=111110-CGN src-address=100.64.60.0/23
add action=jump   chain=011111-CGN jump-target=111111-CGN src-address=100.64.62.0/23
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.0.0/24 to-addresses=3.2.1.0/24 to-ports=1024-2031 comment=/24 
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.1.0/24 to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.2.0/24 to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.3.0/24 to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.4.0/24 to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.5.0/24 to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.6.0/24 to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.7.0/24 to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.8.0/24 to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.9.0/24 to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42352
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=100000-CGN protocol=udp src-address=100.64.0.0/24  to-addresses=3.2.1.0/24 to-ports=1024-2031
add action=netmap chain=100000-CGN protocol=udp src-address=100.64.1.0/24  to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.2.0/24  to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.3.0/24  to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.4.0/24  to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.5.0/24  to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.6.0/24  to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.7.0/24  to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.8.0/24  to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.9.0/24  to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42352
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=100000-CGN protocol=icmp src-address=100.64.0.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100000-CGN protocol=icmp src-address=100.64.1.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100001-CGN protocol=icmp src-address=100.64.2.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100001-CGN protocol=icmp src-address=100.64.3.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100010-CGN protocol=icmp src-address=100.64.4.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100010-CGN protocol=icmp src-address=100.64.5.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100011-CGN protocol=icmp src-address=100.64.6.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100011-CGN protocol=icmp src-address=100.64.7.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100100-CGN protocol=icmp src-address=100.64.8.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100100-CGN protocol=icmp src-address=100.64.9.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100101-CGN protocol=icmp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100101-CGN protocol=icmp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100110-CGN protocol=icmp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100110-CGN protocol=icmp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100111-CGN protocol=icmp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100111-CGN protocol=icmp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101000-CGN protocol=icmp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101000-CGN protocol=icmp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101001-CGN protocol=icmp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101001-CGN protocol=icmp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101010-CGN protocol=icmp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101010-CGN protocol=icmp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101011-CGN protocol=icmp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101011-CGN protocol=icmp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101100-CGN protocol=icmp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101100-CGN protocol=icmp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101101-CGN protocol=icmp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101101-CGN protocol=icmp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101110-CGN protocol=icmp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101110-CGN protocol=icmp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101111-CGN protocol=icmp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101111-CGN protocol=icmp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110000-CGN protocol=icmp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110000-CGN protocol=icmp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110001-CGN protocol=icmp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110001-CGN protocol=icmp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110010-CGN protocol=icmp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110010-CGN protocol=icmp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110011-CGN protocol=icmp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110011-CGN protocol=icmp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110100-CGN protocol=icmp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110100-CGN protocol=icmp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110101-CGN protocol=icmp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110101-CGN protocol=icmp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110110-CGN protocol=icmp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110110-CGN protocol=icmp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110111-CGN protocol=icmp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110111-CGN protocol=icmp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111000-CGN protocol=icmp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111000-CGN protocol=icmp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111001-CGN protocol=icmp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111001-CGN protocol=icmp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111010-CGN protocol=icmp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111010-CGN protocol=icmp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111011-CGN protocol=icmp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111011-CGN protocol=icmp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111100-CGN protocol=icmp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111100-CGN protocol=icmp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111101-CGN protocol=icmp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111101-CGN protocol=icmp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111110-CGN protocol=icmp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111110-CGN protocol=icmp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111111-CGN protocol=icmp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111111-CGN protocol=icmp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24

This CGNAT solution only takes care of tcp, udp and icmp.
If you wish to use other protocols, you might need to experiment. Or ad a final catch all rule. (but that might break legal stuff):

add action=netmap chain=srcnat src-address=100.64.0.0/18 to-addresses=3.2.1.0/24

Further optimization might be done using harsh timings with the connection tracking, especially if you’re going to hand out less than 250 ports per customer:

/ip firewall connection tracking
set generic-timeout=1m tcp-established-timeout=1h tcp-max-retrans-timeout=1m tcp-unacked-timeout=1m udp-stream-timeout=10s udp-timeout=3m

To automatically clear hung UDP-DNS-Connections you might find a regulary scheduled script helpful:

/system scheduler
add interval=2s name=Clear-DNS on-event="/ip firewall connection remove [find protocol=udp dst-address~\":53\" timeout<2m57s]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jun/29/2018 start-time=07:46:54

A final suggestion. Do NOT terminale the private space on the router, which has to do the CGNAT translation.
Create two interfaces with transfer networks.
The first facing the internet, and the second facing your Access conentrator.
On the Access concentration you’ll then have to route all CGNAT-customers via policy based routing to the CGNAT-router.

14

If anybody wants to take a look at this , I created a Linus shell program ( a draft early beta version ) of the addNatRules

This runs on a Linux system - not on a Mikrotik

At this time - I do not have any action=jump lines in my code ( so if it works , it might be slow )

If beta version appears to want to work, then I will re-work it to use action=jump lines in my code.
And add the ability to use larger GGN network ( example /21 ) and NAT to multiple live IP addresses ( some big stuff ).
And possibly the ability to save and modify configurations and auto telnet/ssh to a Mikrotik to auto update the configuration

That said - here is the shell program - please give it a look-see
North Idaho Tom Jones


Linux shell program

  • create a file named ( addNatRules-Beta-Version024.sh ) on your Linux ( Ubuntu ) machine

  • insert the the following code into this file ( addNatRules-Beta-Version024.sh )

------------------- Cut below this line -------------------
#!/bin/sh
clear

echo "This is a Beta program --> addNatRules-Beta-Version024.sh created on January 11 2022 "
echo
echo "This program is by North Idaho Tom Jones "
echo
echo "This program is a script to build a CGN Nat configuration which can then be inserted into a Mikrotik NAT router"
echo
echo "This program is a Beta program. This is not a finished, completed or fully working program at this time."
echo
echo "Use this program and the output text at your own risk."
echo
echo
echo
echo -n "Push the ENTER button to continue :"
read dummy

i=0
StartPort=2000
EndPort=2099
clear
echo "What is the first number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 100 ( then push the ENTER button "
echo -n " Input your first number : "
read n1
echo " OK - the first number is going to be $n1"
echo
echo
echo "Note: so far we have $n1"
echo

echo
echo "What is the second number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 64 ( then push the ENTER button "
echo -n " Input your second number : "
read n2
echo " OK - the second is going to be $n2"
echo
echo
echo "Note: so far we have $n1.$n2."
echo

echo
echo "What is the third number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 0 ( then push the ENTER button "
echo -n " Input your third number : "
read n3
echo " OK - the third is going to be $n3"
echo
echo
echo "Note: so far we have $n1.$n2.$n3"
echo

echo
echo "What is the fourth number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 0 ( then push the ENTER button "
echo -n " Input your fourth number : "
read n4
echo " OK - the fourth second is going to be $n4"
echo
echo
echo "Note: so far we have $n1.$n2.$n3.$n4"
echo

echo "Push the ENTER button to continue"
read dummy
clear
echo "Note: so far we have $n1.$n2.$n3.$n4"
echo "Note: I will use $n1.$n2.$n3.$n4 as your starting CGN-NAT IP address"

echo "Push the ENTER button to continue"
read dummy
clear

echo i-n "What is the outside Live-IP address you will be CGN Natting to : "
read OutSideLiveIP
echo
echo "This program will use outside Live-IP address of $OutSideLiveIP"

echo "Push the ENTER button to continue"
read dummy
clear

echo " What is your Starting Port Number "
echo " Note: there are 65,536 ports ( 0 through 65,535 )"
echo " I would like to suggest a starting port number of 1000 or 2000 or 3000 "
echo
echo -n "Enter your Starting Port Number "
read StartPort
echo
echo "I will use a starting port number of : $StartPort "
echo
echo "Push the ENTER button to continue"
read dummy

clear
echo "How many ports do you want to use ?"
echo "Note: answers can be 100 or 1000 ( or some other valid number "
echo
echo -n "How many ports do you want to use for each Internal NATted to a live IP address : "
read PortsPerTranslation
echo
echo "OK - I will use $PortsPerTranslation per translation"
echo
echo
echo "Push the ENTER button to continue"
read dummy
clear

while [ $i -ne 256 ]
do
EndPort=$(($StartPort+$PortsPerTranslation-1))
echo "#"
echo "#$i Inside NAT IP address $n1.$n2.$n3.$i will translate to outside IP address $OutSideLiveIP using ports $StartPort-$EndPort"
echo "add action=src-nat chain=srcnat protocol=tcp src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
echo "add action=src-nat chain=srcnat protocol=udp src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
echo "add action=src-nat chain=srcnat src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
i=$(($i+1))
StartPort=$(($StartPort+$PortsPerTranslation))
done

------------------- Cut above this line -------------------

  • Make this program executable ( example: chmod 777 addNatRules-Beta-Version024.sh )

  • Run the shell program ( example: ./addNatRules-Beta-Version024.sh )

Output: This is a Beta program --> addNatRules-Beta-Version024.sh created on January 11 2022
Push the ENTER button

Output: What is the first number in your starting CGN-Nat block
Enter: 100 then push the ENTER button

Output: What is the second number in your starting CGN-Nat block
Enter: 64 then push the ENTER button

Output: What is the third number in your starting CGN-Nat block
Enter: 0 then push the ENTER button

Output: What is the fourth number in your starting CGN-Nat block
Enter: 0 then push the ENTER button

Output: Note: so far we have 100.64.0.0
Enter: Push the ENTER button

Output: Note: so far we have 100.64.0.0
Enter: Push the ENTER button

Output: What is the outside Live-IP address you will be CGN Natting to :

  • Here - you type in the full outside IP address you are going to NAT to that the outside world sees
  • In my example , I will use: 23.162.144.120 (( this is the outside IP address of my btest server )).
    Enter: Push the ENTER button

Output: This program will use outside Live-IP address of 23.162.144.120
Enter: Push the ENTER button

Output: What is your Starting Port Number
Enter: 1000 then push the ENTER button

Output: I will use a starting port number of : 1000
Enter: Push the ENTER button

Output: How many ports do you want to use for each Internal NATted to a live IP address :
Enter: 250 then push the ENTER button

Output: OK - I will use 250 per translation
Enter: Push the ENTER button

************* the program is now running and printing out the Mikrotik NAT444 configuration we want ******

This is the shell program output below:

#0 Inside NAT IP address 100.64.0.0 will translate to outside IP address 23.162.144.120 using ports 1000-1249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249
add action=src-nat chain=srcnat src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249

#1 Inside NAT IP address 100.64.0.1 will translate to outside IP address 23.162.144.120 using ports 1250-1499
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499
add action=src-nat chain=srcnat src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499

#2 Inside NAT IP address 100.64.0.2 will translate to outside IP address 23.162.144.120 using ports 1500-1749
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749
add action=src-nat chain=srcnat src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749

#3 Inside NAT IP address 100.64.0.3 will translate to outside IP address 23.162.144.120 using ports 1750-1999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999
add action=src-nat chain=srcnat src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999

#4 Inside NAT IP address 100.64.0.4 will translate to outside IP address 23.162.144.120 using ports 2000-2249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249
add action=src-nat chain=srcnat src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249

--- through ----

#251 Inside NAT IP address 100.64.0.251 will translate to outside IP address 23.162.144.120 using ports 63750-63999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999
add action=src-nat chain=srcnat src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999

#252 Inside NAT IP address 100.64.0.252 will translate to outside IP address 23.162.144.120 using ports 64000-64249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249
add action=src-nat chain=srcnat src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249

#253 Inside NAT IP address 100.64.0.253 will translate to outside IP address 23.162.144.120 using ports 64250-64499
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499
add action=src-nat chain=srcnat src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499

#254 Inside NAT IP address 100.64.0.254 will translate to outside IP address 23.162.144.120 using ports 64500-64749
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749
add action=src-nat chain=srcnat src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749

#255 Inside NAT IP address 100.64.0.255 will translate to outside IP address 23.162.144.120 using ports 64750-64999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999
add action=src-nat chain=srcnat src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999

15

you really have to have a look at the netmap. single translations will kill your router’s cpu.

Netmap for CGNAT is some sort of Brainfuck, sure. But it’s worth the effort.

16

I am re-looking at doing this with Netmap.
I sure wish I could find a working script

North Idaho Tom Jones

17

I did some reading on Netmap.
From what I read , it looks like Netmap is better suited for a 1:1 translation.

I am trying to do something like this:
add action=src-nat chain=PlGpon8-15 protocol=tcp src-address=100.64.103.255 to-addresses=x.y.z.223 to-ports=64750-64999
add action=src-nat chain=PlGpon8-15 protocol=udp src-address=100.64.103.255 to-addresses=x.y.z.223 to-ports=64750-64999

where my src-address is each and every IP address in a 100.64.0.0/21 block
where I am NATting each /24 in the /21 block to a live IP address
where each IP in my /21 100.64 block has a port range of 250 ports in a live IP address

Thus , when I get a copyright notice ( where some customer downloaded a movie ) , I get a notice that shows the IP address and the port that was used.

O and by the way - I did configuration working ( whewwww )

North Idaho Tom Jones

18

Well - I think I finally got my NAT444 working

I was able to get the Mikrotik terminal-function addNatRules working.
** I did not know what a terminal-function was or how to use one - but I kinda know now … ***

Here is what I have done that is now working:

  • At this time , I have two /21 CGN (100.64.x.y) networks working now with NAT444
  • Each NAT configuration of a CGN /21 is uses 8 live-ip-addresses
  • Each CGN translation to live IP address is configured to use 250 ports

Each CGN /21 NAT444 to a /29 live IP address has 4,300+ lines of code I has to put into the Mikrotik nat section.

I currently have two CGN /21 networks ( so I have a total of over 8,600 lines of code in the Mikrotik nat section.

What is really interesting is my original CGN /21 nat to a /30 live-ip-address was originally using only 1 line of in the Mikrotik nat section.
So , it was remove 1 line ( NAT44 ) and add 4,300 lines in the nat section - per /21 network I converted to NAT444

What really surprised me is I was expecting my Mikrotik NAT router to die or start running really slow when I put in 8-thousand lines in the nat configuration. But - to my surprise , my testers on the now NAT444 networks informed me that their Internet appeared much faster when making connections out on the Internet. :smiley:

So now I have another 10+ /21 CGN networks to convert from NAT44 to NAT444 ( which will require another 43-thousand lines of code in the nat section ( I hope it still works ? ).

Now I am ready to get another batch of those annoying emails with a subject line of : Notice of Claimed Infringement - Case ID that contains the IP address and port , and quickly and easily find which customer(s) this notice applies to :sunglasses:

North Idaho Tom Jones

EDIT-more info:
To add additional NAT444 to my 2’nd use of the terminal-function , I had to change the “xxx” in the addNatRules to something unique such as “PlGpon”.
This way , I don’t break the original “jump-target=xxx” from the 1’st time a ran the addNatRules
** I guess it would be nice to be able to call the terminal-function “addNatRules” and include a jump name to use that is not-already-used & unique to any other jump names already in use.

O - and by the way - my original backup config only used 41.2 KiB of disk space. I am now using 1.136 Meg in disk space when I make a Mikrotik backup.
The good thing is , I am using a Mikrotik CHR with 16-Gig of disk ( 44.2 MiB used of 15.9 GiB with 99% free ).

19

It actually makes little difference whether you use action=netmap or action=src-nat because you have to set the new address and the new range of ports in the same rule, and the combination of the new public address and the new range of ports is unique for each CGNAT address, that’s the whole point of this exercise. So one rule in chain srcnat per each individual CGNAT address cannot be avoided unless you would pass the traffic through the router twice, doing the port translation during the first pass and the address translation during the second one. But that would indeed double the load of the router, so not a good idea.

So what you can only do is to speed up processing of the initial packet of each connection by making it pass as few rules as possible, which leads to a binary tree implementation, i.e. one jump rule per each bit of the address at each level. For splitting the linear rules for 256 CGNAT addresses into 16 groups of 16 linear rules, it would look as follows:

chain=srcnat src-address=x.x.x.128/25 action=jump jump-target=128.25
chain=srcnat src-address=x.x.x.64/26 action=jump jump-target=64-26
chain=srcnat src-address=x.x.x.32/27 action=jump jump-target=32-27
chain=srcnat src-address=x.x.x.16/28 action=jump jump-target=16-28
chain=srcnat src-address=x.x.x.0 action=src-nat to-addresses=y.y.y.y to-ports=F0-L0
:
chain=srcnat src-address=x.x.x.15 action=src-nat to-addresses=y.y.y.y to-ports=F15-L15

chain=128-25 src-address=x.x.x.192/26 action=jump jump-target=192-26
chain=128-25 src-address=x.x.x.160/27 action=jump jump-target=160-27
chain=128-25 src-address=x.x.x.144/28 action=jump jump-target=144-28
chain=srcnat src-address=x.x.x.128 action=src-nat to-addresses=y.y.y.y to-ports=F128-L128
:
chain=srcnat src-address=x.x.x.143 action=src-nat to-addresses=y.y.y.y to-ports=F143-L143

chain=64-26 src-address=x.x.x.96/27 action=jump jump-target=96-27
chain=64-26 src-address=x.x.x.80/28 action=jump jump-target=80-28
chain=64-26 src-address=x.x.x.64 action=src-nat to-addresses=y.y.y.y to-ports=F64-L64
:
chain=64-26 src-address=x.x.x.79 action=src-nat to-addresses=y.y.y.y to-ports=F79-L79

chain=96-27 src-address=x.x.x.112/28 action=jump jump-target=112-28
chain=96-27 src-address=x.x.x.96 action=src-nat to-addresses=y.y.y.y to-ports=F96-L96
:
chain=96-27 src-address=x.x.x.111 action=src-nat to-addresses=y.y.y.y to-ports=F111-L111

chain=112-28 src-address=x.x.x.112 action=src-nat to-addresses=y.y.y.y to-ports=F112-L112
:
chain=112-28 src-address=x.x.x.127 action=src-nat to-addresses=y.y.y.y to-ports=F127-L127

etc. (still 10 or 11 chains to add).

So for 256 action=src-nat rules in total, instead of passing through 128 of them on average, each initial packet of a connection would pass through just 8 action=src-nat ones on average and just 4 action=jump ones.

20

I don’t know if it’s the appropriate place to ask, but what happens if a customer consumes too much TCP or UDP ports ?

  1. Is this something that is logged ?
  2. From end user perspective, does it trigger some 5XX HTTP error code ?
  3. What are the network usages that consumes the most TCP/UDP ports ? VOD ? Web browsing ?