how to minimize CGNAT LOGGING

I deployed CGNAT at a small ISP network (1000 PPPoE users) that uses Mikrotik RouterOS as the PPPoE server for LAN user authentication and a Linux-based SYSLOG-NG server [with SSD disk] to store the CGNAT log. I have modified the syslog-ng code to log only entries which have the word NAT in the message; this has reduced unwanted entries.

But the problem is that the DB size is getting very large and any query to search for an IP/port takes a long time. Typical log lines that are stored on the remote syslog server:

Jan/03/2020 10:48:43 firewall,info forward: in: out:ether1-wan, src-mac d0:bf:9c:f7:88:76, proto TCP (ACK), 172.16.0.199:54326->179.60.194.35:443, NAT (172.16.0.199:54326->101.11.11.252:41636)->179.60.194.35:443, len 40
Jan/03/2020 10:48:43 firewall,info forward: in: out:ether1-wan, src-mac d0:bf:9c:f7:88:76, proto TCP (ACK), 172.16.0.199:54326->179.60.194.35:443, NAT (172.16.0.199:54326->101.11.11.252:41636)->179.60.194.35:443, len 52

The Mikrotik firewall LOG rule (for PPPoE users) is:

/ip firewall filter
add action=log chain=forward connection-nat-state="" connection-state=new out-interface=ether1-wan protocol=tcp src-address=172.16.0.0/16

How can I minimize the query/log size? Can someone please share what a typical log size is? I'd appreciate any tips.

Can anyone please share some experience/advice on this topic?

Hi,
Don’t think you can do anything on the Mikrotik side. The logging fields etc. are what they are and you cannot mangle them as far as I know.
I’m not sure if some script running on the Mikrotik side could be an “alternative” source and pre-process some logging. This will for sure take resources on the Mikrotik box.

You are logging so much for regulatory/law compliance, I guess?
What are you using as a DB? How many MBytes/day are you generating purely for NAT logging?

Try a product like SPLUNK that is designed/engineered for that? With the free version you can process 500MBytes/day.
I use Splunk (free) also for all my Mikrotik events.

I am storing NAT syslog entries to file. ~2k devices generate around 20GB of data. Every night these files are compressed. For short-time log checking I am using Graylog.

Simply use fixed-NAT / algorithmic-NAT / deterministic-NAT.

This code compresses a /18 of addresses into one /24 prefix by statically assigning 1008 ports to each internal user.
Limitations: only UDP and TCP are being NATed in a fixed way. ICMP is being NATed in the loose way.
GRE and other protocols aren’t NATed at all in this example. This might be added by someone else.

/ip firewall nat

add action=jump chain=srcnat jump-target=000001-CGN src-address=100.64.0.0/18 comment=/18

add action=jump chain=000001-CGN jump-target=000010-CGN src-address=100.64.0.0/19 comment=/19
add action=jump chain=000001-CGN jump-target=000011-CGN src-address=100.64.32.0/19

add action=jump chain=000010-CGN jump-target=000100-CGN src-address=100.64.0.0/20 comment=/20
add action=jump chain=000010-CGN jump-target=000101-CGN src-address=100.64.16.0/20
add action=jump chain=000011-CGN jump-target=000110-CGN src-address=100.64.32.0/20
add action=jump chain=000011-CGN jump-target=000111-CGN src-address=100.64.48.0/20

add action=jump chain=000100-CGN jump-target=001000-CGN src-address=100.64.0.0/21 comment=/21
add action=jump chain=000100-CGN jump-target=001001-CGN src-address=100.64.8.0/21
add action=jump chain=000101-CGN jump-target=001010-CGN src-address=100.64.16.0/21
add action=jump chain=000101-CGN jump-target=001011-CGN src-address=100.64.24.0/21
add action=jump chain=000110-CGN jump-target=001100-CGN src-address=100.64.32.0/21
add action=jump chain=000110-CGN jump-target=001101-CGN src-address=100.64.40.0/21
add action=jump chain=000111-CGN jump-target=001110-CGN src-address=100.64.48.0/21
add action=jump chain=000111-CGN jump-target=001111-CGN src-address=100.64.56.0/21

add action=jump chain=001000-CGN jump-target=010000-CGN src-address=100.64.0.0/22 comment=/22
add action=jump chain=001000-CGN jump-target=010001-CGN src-address=100.64.4.0/22
add action=jump chain=001001-CGN jump-target=010010-CGN src-address=100.64.8.0/22
add action=jump chain=001001-CGN jump-target=010011-CGN src-address=100.64.12.0/22
add action=jump chain=001010-CGN jump-target=010100-CGN src-address=100.64.16.0/22
add action=jump chain=001010-CGN jump-target=010101-CGN src-address=100.64.20.0/22
add action=jump chain=001011-CGN jump-target=010110-CGN src-address=100.64.24.0/22
add action=jump chain=001011-CGN jump-target=010111-CGN src-address=100.64.28.0/22
add action=jump chain=001100-CGN jump-target=011000-CGN src-address=100.64.32.0/22
add action=jump chain=001100-CGN jump-target=011001-CGN src-address=100.64.36.0/22
add action=jump chain=001101-CGN jump-target=011010-CGN src-address=100.64.40.0/22
add action=jump chain=001101-CGN jump-target=011011-CGN src-address=100.64.44.0/22
add action=jump chain=001110-CGN jump-target=011100-CGN src-address=100.64.48.0/22
add action=jump chain=001110-CGN jump-target=011101-CGN src-address=100.64.52.0/22
add action=jump chain=001111-CGN jump-target=011110-CGN src-address=100.64.56.0/22
add action=jump chain=001111-CGN jump-target=011111-CGN src-address=100.64.60.0/22

add action=jump chain=010000-CGN jump-target=100000-CGN src-address=100.64.0.0/23 comment=/23
add action=jump chain=010000-CGN jump-target=100001-CGN src-address=100.64.2.0/23
add action=jump chain=010001-CGN jump-target=100010-CGN src-address=100.64.4.0/23
add action=jump chain=010001-CGN jump-target=100011-CGN src-address=100.64.6.0/23
add action=jump chain=010010-CGN jump-target=100100-CGN src-address=100.64.8.0/23
add action=jump chain=010010-CGN jump-target=100101-CGN src-address=100.64.10.0/23
add action=jump chain=010011-CGN jump-target=100110-CGN src-address=100.64.12.0/23
add action=jump chain=010011-CGN jump-target=100111-CGN src-address=100.64.14.0/23
add action=jump chain=010100-CGN jump-target=101000-CGN src-address=100.64.16.0/23
add action=jump chain=010100-CGN jump-target=101001-CGN src-address=100.64.18.0/23
add action=jump chain=010101-CGN jump-target=101010-CGN src-address=100.64.20.0/23
add action=jump chain=010101-CGN jump-target=101011-CGN src-address=100.64.22.0/23
add action=jump chain=010110-CGN jump-target=101100-CGN src-address=100.64.24.0/23
add action=jump chain=010110-CGN jump-target=101101-CGN src-address=100.64.26.0/23
add action=jump chain=010111-CGN jump-target=101110-CGN src-address=100.64.28.0/23
add action=jump chain=010111-CGN jump-target=101111-CGN src-address=100.64.30.0/23
add action=jump chain=011000-CGN jump-target=110000-CGN src-address=100.64.32.0/23
add action=jump chain=011000-CGN jump-target=110001-CGN src-address=100.64.34.0/23
add action=jump chain=011001-CGN jump-target=110010-CGN src-address=100.64.36.0/23
add action=jump chain=011001-CGN jump-target=110011-CGN src-address=100.64.38.0/23
add action=jump chain=011010-CGN jump-target=110100-CGN src-address=100.64.40.0/23
add action=jump chain=011010-CGN jump-target=110101-CGN src-address=100.64.42.0/23
add action=jump chain=011011-CGN jump-target=110110-CGN src-address=100.64.44.0/23
add action=jump chain=011011-CGN jump-target=110111-CGN src-address=100.64.46.0/23
add action=jump chain=011100-CGN jump-target=111000-CGN src-address=100.64.48.0/23
add action=jump chain=011100-CGN jump-target=111001-CGN src-address=100.64.50.0/23
add action=jump chain=011101-CGN jump-target=111010-CGN src-address=100.64.52.0/23
add action=jump chain=011101-CGN jump-target=111011-CGN src-address=100.64.54.0/23
add action=jump chain=011110-CGN jump-target=111100-CGN src-address=100.64.56.0/23
add action=jump chain=011110-CGN jump-target=111101-CGN src-address=100.64.58.0/23
add action=jump chain=011111-CGN jump-target=111110-CGN src-address=100.64.60.0/23
add action=jump chain=011111-CGN jump-target=111111-CGN src-address=100.64.62.0/23

add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.0.0/24 to-addresses=3.2.1.0/24 to-ports=1024-2031 comment=/24TCP
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.1.0/24 to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.2.0/24 to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.3.0/24 to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.4.0/24 to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.5.0/24 to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.6.0/24 to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.7.0/24 to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.8.0/24 to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.9.0/24 to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42351
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=100000-CGN protocol=udp src-address=100.64.0.0/24 to-addresses=3.2.1.0/24 to-ports=1024-2031 comment=/24UDP
add action=netmap chain=100000-CGN protocol=udp src-address=100.64.1.0/24 to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.2.0/24 to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.3.0/24 to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.4.0/24 to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.5.0/24 to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.6.0/24 to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.7.0/24 to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.8.0/24 to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.9.0/24 to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42351
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=srcnat protocol=icmp src-address=100.64.0.0/18 to-addresses=3.2.1.0/24 comment=/18ICMP

The only thing your NATing Router needs to have besides the code above is two transfer networks (in and out) as well as a Default route for the internet-facing side (out).
The customer traffic needs to be pushed into the internal side interface.
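
Added example, not part of the original posts: with the fixed mapping above, the subscriber behind a public TCP/UDP address and port can be computed instead of searched for in per-connection logs, and the rule list can be checked against the same formula. The function names are hypothetical; the prefixes, first port and block size are taken from the rules in the post, and the sample rules are constructed.

```python
import ipaddress
import re

# Parameters read off the netmap rules in the post above.
INTERNAL_NET = ipaddress.ip_network("100.64.0.0/18")
PUBLIC_NET = ipaddress.ip_network("3.2.1.0/24")
FIRST_PORT = 1024
PORTS_PER_USER = 1008  # 64 blocks * 1008 ports fill 1024..65535 exactly


def forward_mapping(internal_ip):
    """Return (public_ip, first_port, last_port) for a subscriber address."""
    ip = ipaddress.ip_address(internal_ip)
    if ip not in INTERNAL_NET:
        raise ValueError(f"{internal_ip} is outside {INTERNAL_NET}")
    offset = int(ip) - int(INTERNAL_NET.network_address)
    block, host = divmod(offset, 256)  # block = index of the /24, host = last octet
    first = FIRST_PORT + block * PORTS_PER_USER
    # netmap keeps the host part, so 100.64.x.y always leaves as 3.2.1.y
    return str(PUBLIC_NET.network_address + host), first, first + PORTS_PER_USER - 1


def reverse_lookup(public_ip, public_port):
    """Return the subscriber behind a public TCP/UDP ip:port, or None if the
    port lies outside the mapped pool (ICMP is not covered by this scheme)."""
    ip = ipaddress.ip_address(public_ip)
    if ip not in PUBLIC_NET:
        raise ValueError(f"{public_ip} is outside {PUBLIC_NET}")
    if not FIRST_PORT <= public_port <= 65535:
        return None
    block = (public_port - FIRST_PORT) // PORTS_PER_USER
    host = int(ip) - int(PUBLIC_NET.network_address)
    return str(INTERNAL_NET.network_address + block * 256 + host)


RULE_RE = re.compile(r"src-address=(\S+)\s+to-addresses=\S+\s+to-ports=(\d+)-(\d+)")


def check_rules(rules_text):
    """List netmap rules whose to-ports differ from the computed range."""
    problems = []
    for line in rules_text.splitlines():
        m = RULE_RE.search(line)
        if not m:
            continue
        net = ipaddress.ip_network(m.group(1))
        got = (int(m.group(2)), int(m.group(3)))
        want = forward_mapping(str(net.network_address))[1:]
        if got != want:
            problems.append(
                f"{net}: to-ports={got[0]}-{got[1]}, expected {want[0]}-{want[1]}")
    return problems


# Constructed sample: the second rule's range is one port too long, so its
# last port is also the first port of the next subscriber block.
SAMPLE_RULES = """\
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.1.0/24 to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42352
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
"""

if __name__ == "__main__":
    print(forward_mapping("100.64.40.7"))
    print(reverse_lookup("3.2.1.7", 42352))
    for problem in check_rules(SAMPLE_RULES):
        print("MISMATCH", problem)
```

A port shared by two blocks makes attribution ambiguous for that port, which is why the range check is worth running whenever the rule list is regenerated.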