Full NAT for 1000 users

Hello guys !

If I want to make a full NAT for 1000 users (we have plenty of global IPs), then how should I do this the smart way (like the NAT on a 2003 server)?

I perfectly understand the netmap feature, but adding 1000 /32 addresses doesn’t seem to be smart…

And no, we do not want to expose our quite complex infrastructure to the public net, so making the lan global is not an option.

Regards
KimC

I have a little question: in NAT and PAT the users share the public IP. My question is about performance, because 1000 users go out with a single public IP.

Is there really no problem with this? Is there no need to, for example, use two public IPs and segment the users, 500 users on one and 500 users on the other?

You may use the “same” action as described at http://www.mikrotik.com/docs/ros/2.9/ip/nat

/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 action=same to-addresses=xxx.xxx.xxx.100-xxx.xxx.xxx.254

devrim

We are actually NATting to these users today - but not with Mikrotik (using Windows server). We want to simplify the setup… And performance is not a problem at all.

But in order to do this with Mikrotik, you need to add 1000 global addresses to the public interface. This is error-prone and not elegant at all.

Any suggestions ???

See devrim’s post above… you can do it without adding each ip.

On 2.9.23 I have made many attempts to make NAT with action=same work without adding the many external addresses. Here are my results:

address, internal interface: 192.168.10.1/24
address, external interface: 10.76.20.10/24

src-nat:
chain=srcnat out-interface=Uplink src-address=192.168.10.0/24 action=same to-addresses=10.76.20.10-10.76.20.20 to-ports=0-65535 same-not-by-dst=yes

THIS DOES NOT WORK

  • however, if you add the 9 extra addresses (10.76.20.11 to 10.76.20.20) either as /24 or as /32 (I’m not sure what’s correct), the setup works immediately.

This may not be a real problem, as adding many addresses can be done with a simple script, BUT when trying, disaster strikes: adding 1000 /32 or /24 addresses to an interface results in a lockup of all interfaces. The only way in is the serial interface.

So, please help me correct this setup - or let us agree that we found another bug that MT will fix in due time.

Thanks in advance !
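An added illustration of the two things discussed in devrim’s post and in KimC’s test report above; it is not code from the thread or from MikroTik. The script models the property that action=same provides (a given internal host always lands on the same member of the public pool, regardless of destination), and generates the per-address /ip address add lines that KimC found necessary. The pool 203.0.113.100-203.0.113.254, the interface name Uplink and the SHA-256-modulo selection are all assumptions: RouterOS does not document its selection function, so the hash only reproduces the stickiness, not RouterOS’s internal algorithm. One fact worth keeping in mind when reading the test report: the upstream router resolves each public address with ARP, and a router only answers for addresses it actually holds on that interface (or with proxy-ARP enabled), which is consistent with the setup starting to work once the extra addresses were added.

```python
import hashlib
import ipaddress
from collections import Counter
from itertools import islice

# Constructed values, shaped like the thread's xxx.xxx.xxx.100-xxx.xxx.xxx.254
# pool; 203.0.113.0/24 is a documentation range, not a real deployment.
PUBLIC_POOL_START = ipaddress.IPv4Address("203.0.113.100")
PUBLIC_POOL_END = ipaddress.IPv4Address("203.0.113.254")
INTERNAL_NET = ipaddress.IPv4Network("192.168.0.0/16")
UPLINK_INTERFACE = "Uplink"  # assumed name, borrowed from KimC's rule


def pool_addresses(start, end):
    """Expand an inclusive first-last range (the to-addresses syntax) into a list."""
    if int(end) < int(start):
        raise ValueError("pool end precedes pool start")
    return [ipaddress.IPv4Address(i) for i in range(int(start), int(end) + 1)]


def same_action_mapping(src, pool):
    """Model of action=same: the same source always gets the same pool member.

    The hash is an assumption chosen only to make the choice deterministic and
    destination-independent (same-not-by-dst=yes); RouterOS's own selection is
    not published.
    """
    digest = hashlib.sha256(src.packed).digest()
    return pool[int.from_bytes(digest[:4], "big") % len(pool)]


def distribution(hosts, pool):
    """How many internal hosts end up on each public address."""
    return Counter(same_action_mapping(h, pool) for h in hosts)


def address_commands(pool, interface):
    """One /ip address add line per pool member, as a /32 on the uplink, so the
    router owns (and answers ARP for) every address the NAT rule may hand out."""
    return [f"/ip address add address={a}/32 interface={interface}" for a in pool]


def nat_command(internal_net, start, end, interface):
    """The srcnat rule from the thread, with the constructed pool filled in."""
    return (f"/ip firewall nat add chain=srcnat out-interface={interface} "
            f"src-address={internal_net} action=same to-addresses={start}-{end}")


if __name__ == "__main__":
    pool = pool_addresses(PUBLIC_POOL_START, PUBLIC_POOL_END)
    users = list(islice(INTERNAL_NET.hosts(), 1000))  # constructed: first 1000 hosts
    spread = distribution(users, pool)
    print(f"{len(users)} hosts over {len(pool)} public addresses, "
          f"{len(spread)} addresses in use, busiest carries {max(spread.values())}")
    host = users[0]
    print(f"{host} -> {same_action_mapping(host, pool)} (stable across calls: "
          f"{same_action_mapping(host, pool) == same_action_mapping(host, pool)})")
    print(nat_command(INTERNAL_NET, PUBLIC_POOL_START, PUBLIC_POOL_END, UPLINK_INTERFACE))
    for line in address_commands(pool, UPLINK_INTERFACE)[:3]:
        print(line)
    print("...")
```

The generated lines are meant to be pasted into the router console in batches rather than all at once, given the lockup KimC reports when 1000 addresses are added in one go.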

KimC, don’t use to-addresses with the same action.

Please, Devrim

I don’t understand what you are saying. I just followed your previous post:

/ip firewall nat add chain=srcnat src-address=192.168.0.0/16 action=same to-addresses=xxx.xxx.xxx.100-xxx.xxx.xxx.254