It seems odd that an ISP would give you both a CGNat IP and a public IP directly at your router. (Seems to defeat the purpose of CGNat).
Do you know if they are simply telling you what public IP is mapped to your CGNat IP, or if they’re actually routing it to you?
If they’re routing it, then your outbound NAT rule shouldn’t use masquerade as the action, but srcnat with to-address=your.public.ip.address
Any dstnat you’d do should be done just using dst-address=your.public.ip.address dst-port=x action=dst-nat to-address=internal.host.private.ip to-port=y
If they’re just letting you know what public IP is being mapped to your CGNat IP, then you do the same as above, but use the CGNat IP as if it were your public IP.
I use a ton of Carrier-Grade-Nat in lots of my networks.
Going by what you posted, It will not work.
Your WAN ip address is: 62.28.108.xxx/32
Your WAN subnet mask is: 100.64.139.xxx/30
Your gateway is: 100.64.139.xxx
This information is wrong or this is not all of the information.
If your WAN is a 62.28.108.002 /yy number, (Often a /30 but could be a /24 or something else) …
I will use for explanation purposes a wan of 62.28.108.002 /30
then your wan network IP address is: 62.28.108.0
then your wan broadcast IP address is: 62.28.108.3
then your default gateway out through your wan would be 62.28.108.1
Then you could setup a natted network to use CGN ip addresses on your LAN (providing you are natting your lan to your wan).
Now if your WAN (from your upstream ISP) is using a CGN ip address network to you, then your wan ip address would also be a CGN number. And your LAN IP address could not be in the same network boundary ( ip block - aka- ip ranges) as your CGN wan IP address.
If your WAN IP address is a CGN, and you have a live IP internet address, then your ISP could be giving you the live IP address via a few different methods over your CGN WAN. #1 Your ISP could be doing a NAT translation of your CGN wan ip address to a live ip address
-or- #2 Your ISP could be routing a single live ip address to your wan CGN device. Then you route or port forward the single live IP address to what ever you want to do with it. If your ISP is using this common second method, then you do this: #2a - Nat your LAN to your WAN ip address #2b - Do not nat the live ip address.
In the #2 method, you would have a total of two IP address from your network to your ISP, your CGN wan (which your lan is natted to) -and- the second live ip address which is non-natted.
starting with a default configuration, perform these extra configurations: (use the terminal window to enter the commands)
/interface vlan add name=wan vlan-id=20 interface=ether1
/ip address add address=100.64.139.40/30 interface=wan
/ip route add dst=0.0.0.0/0 gateway=100.64.139.39
/ip firewall nat
add chain=srcnat out-interface=wan action=src-nat to-address=62.28.108.38
And finally, make sure that in the firewall filter rules, the input chain in particular, make sure the rules reference in-interface=wan (litterally wan if you named the vlan interface ‘wan’ as above) and not ether1-gateway or whatever the physical interface’s name is in your configuration.
I’m not entirely sure the underlying behavior that the Draytek router is performing - and there could be something I’ve missed, but this is what I guess is going on. Otherwise, you could set up your Mikrotik as a pass-through bridge and put it between the Draytek and the ISP connection, and use the Mikrotik to sniff some traffic to see what’s actually going on on the wire itself, which would help understand anything needed for the Mikrotik.
You need to find out exactly what the other router is doing that your Mikrotik is not doing, and then we can help figure out how to make the Mikrotik do the same.
The ultimate thing to know is: what happens on the wire?
Is any kind of tunnel being established?
Does the working router send/receive packets using the public IP address directly or does it tunnel or what?
Does the CGNat IP appear on tagged/untagged ethernet frames? What about the public IP?
On your WAN Ethernet port… Create a VLAN with VLANID 20
On the VLAN interface, assign 100.64.139.40/30
Add default route to 100.64.139.39
Confirm that you can ping 100.64.139.39 (or at least see the MAC address under /ip arp), if not, there’s no point in going further…
If you can then;
Create loopback bridge interface, and assign 62.28.108.38/32
Add your NAT rule, as ZeroByte posted (just ensure you use the correct out-interface)
They have the config backwards. Your CGN range is 100.64.139.40/30, on a tagged vlan Your PUBLIC ip, is 62.28.108.38/32. From the ISP side, they just have a static route to send your Public IP over CGN to your private IP.
There shouldn’t be anything complicated about this.. It’s actually an interesting way to do it… No need for the actual NAT part in CGN.
I was assuming that the carrier has that /32 routed at the GCNat WAN address, in which case the packet would be processed as a “forwarding” candidate - which would match the connection state tracking, so any previously-established outbound connections in the table should cause the replies to get mapped through, no problem.
I based this assumption on the fact that in the given configuration for the ISP’s own router that the address never appears to be applied as an interface IP address but is specified as a NAT address, hence the lack of dummy interfaces. Heck, it doesn’t even need to be on a loop interface - it could just be applied as a /32 to the vlan20 subinterface and do the same thing.
You’re just missing a loopback.