I have been looking exhaustively for information regarding having Open NAT on “multiple clients”. I’ve seen UPnP, 1:1 (which I am doing for one client) with netmap.
But what I am looking for is to open all ports so my devices could have Open NAT while playing online. So far, I know that it’s possible, but only for one device. If I activate UPnP, the NAT type becomes 2 but Moderate while playing.
My setup is like the following:
ISP —> RB —> Linksys Switch ----> LAN
Some lan devices are connected directly to the RB due to a DumbAP.
Any ideas will be appreciated. I have been going through this for almost two years and haven’t found a concrete solution.
NAT hides multiple addresses behind one and it works for outgoing connections. But if there’s an incoming connection to the external address, the router must decide where to send it. With NAT 1:1, everything to the external address is sent to one internal address. Ports stay the same, only the destination address changes, it’s easy. UPnP is for selected ports. So internal device A tells the router that it needs ports a, b, c forwarded to it, device B tells the router that it needs x, y, z. And it also works, because if an incoming connection is to port a, it goes to device A, if for port x, it goes to device B, also easy.
You want some magic where an incoming connection to port x would go to device A and another incoming connection to the same port x would go to device B. That’s generally impossible, it could only work with other conditions, e.g. if you could tell that connections to port x that should go to device A will be from address X, while connections to port x that should go to device B will be from elsewhere. That would be possible. But you don’t know from where it will come.
There’s only one long-term solution and it’s IPv6. It allows every device to have its own public address, there’s no NAT, so all NAT troubles go away.
Thanks for the reply.
I see. The problem is that my ISP does not provide IPv6 yet.
Putting aside the destination stuff you’ve mentioned, when I dstnat all ports in tcp/udp for a given list of addresses, the thing does not work. It only works when I netmap one client, but I need to open more than one.
There lies the issue.
I understand what you want. But think about poor router. It has one external address, let’s say 1.2.3.4. If a new connection comes to e.g. 1.2.3.4:5678, how can it know if it should send it to internal 192.168.88.10, 192.168.88.20, or some other one? It can’t. It’s like wanting to hit two completely different targets with one bullet.
Yes, probably I haven’t made myself clear. The context is online gaming. PSN/XBOX sets the NAT Type based on the network. If I connect the PS4/XBOX directly to the modem, they receive NAT Type 1 and in-game NAT Open.
If I connect those consoles through the RB, they receive NAT Type 2 and in-game NAT Moderate. Even if I open all ports with dst-nat ports 1-65535 due to masquerading.
If I assign that console’s static IP with the Netmap to send the Public IP, I am able to get the same as connecting the console directly to the modem. The downside is that only one client is possible.
My main question is: How can I do Netmapping to multiple clients (the ones who want open NAT while playing online)?
edit removed
Good question, what is going on with MT NAT that is different from a consumer router that just works for this scenario?
I am thinking the extra granularity of MT should provide a config that works!!
The thing is that I cannot open all ports to a few clients. If I assign Netmap to a client, I lose VPN of my MT and that’s not the case.
The main concern is to have all ports open to a client (let’s say a router) and that client assigns private IP to console with its DMZ to that console.
Like this:
MT -> Switch -> AP --- AP <- Router --- PS4
Do you say that when you connect two consoles to the modem directly (i.e. without Mikrotik in between the modem and the consoles) at the same time, both consoles indicate the same NAT type “open” and you can use both simultaneously (with two players playing the same online game each on one of those two consoles)?
Good question Sindy, are you trying to establish if one gaming console is being used or two being used at the same time?
Q1: Does one gaming console work with normal consumer router to modem (or isp supplied combo router/modem)?
Q2: Do two gaming consoles work at the same time with normal consumer router to modem (or isp supplied combo router/modem)?
Q3: Does one gaming console work with MT router?
Q4: Do two gaming consoles work at the same time with the MT router?
Q5: In any scenario where both consoles are connected at the same time, are players at each console able to play the same game concurrently (online)?
So you want Mikrotik to forward packets coming to its public address to the private one of the console on the LAN, but choose the right one depending on which console is connected at the time?
Because the DMZ approach (1:1 NAT) should be enough to make the console think that the NAT is the “open” type, and the private address can be updated using a script whenever one of the consoles gets an address from Tik’s DHCP server. And the VPN access can be preserved using exceptions from the 1:1 dst-nat rule for the ports used for the VPN, unless the console uses the very same ports for its own purposes.
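An added example (not from the thread or from MikroTik’s documentation) of the approach described above: a netmap DMZ for one console, the router’s own VPN ports kept out of it by an accept rule that runs first, and a DHCP lease script that moves the DMZ to whichever listed console most recently got a lease. ether1 as the WAN interface, the DHCP server name, the L2TP/IPsec ports and the console MAC addresses are assumptions.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN
# interface, the LAN DHCP server is named "dhcp1", the router's own VPN
# is L2TP/IPsec (udp/500, 4500, 1701), and the two console MACs below are
# placeholders. Ports excluded here are, as the post notes, unavailable
# to the console.
/ip firewall nat
# 1. Router-side VPN ports are excluded from the DMZ: "accept" in the
#    dstnat chain stops NAT processing, so the netmap rule below never
#    sees these packets and the VPN keeps terminating on the MikroTik.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=500,4500,1701 \
    action=accept comment="vpn-keep-on-router"
# 2. Everything else arriving on the WAN interface is 1:1 mapped to the
#    console currently holding the DMZ. to-addresses is rewritten by the
#    lease script, so the initial value is only a starting point.
add chain=dstnat in-interface=ether1 action=netmap \
    to-addresses=192.168.88.10 comment="console-dmz"

# 3. Whenever a listed console binds a lease, point the DMZ at it.
#    $leaseBound, $leaseActMAC and $leaseActIP are set by RouterOS when it
#    runs lease-script; existing connections of the previous console are
#    not affected, only new inbound packets follow the new target.
/ip dhcp-server set [find name="dhcp1"] lease-script={
    :local consoles {"AA:BB:CC:DD:EE:01";"AA:BB:CC:DD:EE:02"}
    :if ($leaseBound = 1) do={
        :foreach mac in=$consoles do={
            :if ($leaseActMAC = $mac) do={
                /ip firewall nat set [find comment="console-dmz"] \
                    to-addresses=$leaseActIP
                :log info ("console-dmz now points to " . $leaseActIP)
            }
        }
    }
}
```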
A1: The gaming console should connect to the internet just fine with a router even if assigned a private IP. Opened ports (directly to the modem) work best.
A2: Should work in a private IP environment. Not sure for public IP assignments. May depend on ISP.
A3: It works, but if given an IP from the MT, it might say NAT moderate. Even if I dstnat all TCP/UDP ports to that console’s IP. (Might be MT’s mistake).
A4: They do but the issue is not if they work but to have Open NAT behind another router.
That is why I asked about two PS4s used simultaneously. You said you need just one PS4 but at the same time you say you need two clients in DMZ.
In a NAT environment, 1:1 NAT is the best approximation of a DMZ you can get. When a device on a private IP checks how the NAT behaves in particular, it checks with the server whether the server has received the initial request for a connection from the same port from which the client has sent it; this is what Mikrotik normally does unless another client device sends a request to the same remote socket from the same port, as in such case, all the fields used to identify a connection (address:port of the server and address:port of the Mikrotik’s WAN) would be identical for both connections so it would not be possible to decide to which of the two connections a packet received at WAN belongs.
For incoming communication requests, where the device on the private side of the NAT acts as a server, the situation is even more hopeless - the address of the remote client cannot be used to choose the required one out of the two addresses on the private side, so you simply cannot have more than a single device in DMZ behind a NAT unless each of them would listen on a different set of ports.
Introducing a second router in the mix is I suspect going to be problematic regardless of which user console is going to be used…
Have you tried connecting the consoles directly to the MT router??
That router is remotely connected through a wireless CPE so, it is necessary to have a router because that CPE is bridged and the end user needs to connect multiple devices.
Connecting directly to the MT and UPnP works but that’s not the scenario.
If you mean an address list of the sources in the internet, then yes. You can forward packets for wan.add.re.ss:port to private.add.ress.1:port if they come from a source on address-list “list1”, and to private.add.ress.2:port if they come from a source on address-list “list2”, and to private.add.ress.3:port if they come from a source which is not on any address list.
Or you can forward the packets to a private address chosen depending on the destination port.
But you cannot decide which of the three internal addresses to choose if you do not know in advance on which port it listens (or if all of them listen on the same port) or from where the request will come.
It is not a matter of configuration, it is a matter of common sense. If you do not have any information in the packet itself which would tell you where to send it, there is nothing you could use to choose a forwarding (dst-nat) rule.
But I am still wondering about your overall topology. Do the PS4 games send packets between players directly, i.e. not via a gaming server? Because the only scenario I can imagine where you need a real DMZ is that you have two PS4s behind the same public IP, and a third one behind another public IP, and they all participate in the same game, so the third one needs to send direct packets to both the first and second one. Only in this case there is a conflict, because when the first PS4 seizes a particular port on the public IP of the WAN interface for a connection with the third one, the second PS4 cannot seize the same port for a connection with the third one because the packets coming from the third PS4 to that port would be forwarded to the first console.
So maybe we were not clear enough in the example with two PS4, where you want to have one connected directly to Mikrotik’s LAN and the other one connected to the LAN of the Linksys but it also gets to internet via the same Mikrotik like the first one, and we’ve simplified it to just 2 PS4 on Mikrotik’s LAN, approximating the tunnel via Linksys by just a cable?
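The address-list forwarding described in this post, as an added RouterOS example (not from the thread): the same public UDP port goes to three different private hosts, chosen by the source of the packet, which is the only field the router has to go on. ether1 as the WAN interface, the port and all addresses are placeholders.

```routeros
# Added example, not from the thread. Assumptions: ether1 is the WAN
# interface; the port, the remote peers and the private hosts below are
# placeholders (documentation ranges), not real game or console values.
/ip firewall address-list
add list=list1 address=203.0.113.0/24 comment="peers that belong to console 1"
add list=list2 address=198.51.100.7   comment="peers that belong to console 2"

/ip firewall nat
# Same public port, three destinations. Rules are evaluated top-down and
# the first match wins, so the list-specific rules must precede the
# catch-all. Without the src-address-list match the three rules would be
# identical and only the first would ever be hit.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=40000 \
    src-address-list=list1 action=dst-nat to-addresses=192.168.88.10 \
    comment="port 40000 from list1 -> console 1"
add chain=dstnat in-interface=ether1 protocol=udp dst-port=40000 \
    src-address-list=list2 action=dst-nat to-addresses=192.168.88.20 \
    comment="port 40000 from list2 -> console 2"
# A source on neither list falls through to the third host.
add chain=dstnat in-interface=ether1 protocol=udp dst-port=40000 \
    action=dst-nat to-addresses=192.168.88.30 \
    comment="port 40000 from anywhere else -> host 3"
```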
Thanks Sindy for giving your opinion in this topic. Probably, we have gone so deep into this and I would like to clarify the main point here.
PS4 needs open ports to play fine. That’s basically it. When the PS4 is connected to a router (MT>Router>PS4) it is receiving a double NAT. Then, if I activate UPnP in the router, nothing happens. There is no record of port requests at the MT level from the router on behalf of the PS4. I don’t know if I am making myself understood or doing this correctly. I know it’s child’s play, but not for me at this point. I have been reading for months and no solution.
Then, if I dstnat all 1-65535 ports to that router, it’s not working for some reason. Much less if I have two consoles (XBOX and PS4) in my network.
How can we have all ports open for a given client? That’s the issue.
Then NAT 1:1 from MT to Router and UPnP on Router should work fine (edit: although maybe not, I’m not sure if the client gets the public address from the UPnP server; it wouldn’t be public in this case, if it does). But if it would be anything like:
MT>Router1>PS4#1
MT>Router2>PS4#2
MT>PS4#3
i.e. not all consoles behind same router, it’s probably impossible. You’d either need to configure consoles to each use different port range and configure such port forwarding on routers (I have no idea if it’s possible; probably not, because average user would not be able to configure it anyway). Or there would have to be some UPnP proxy on Router that would receive requests from clients, open ports as usual, and additionally send own UPnP port opening request to upstream router. I don’t know if anything supports this (RouterOS surely doesn’t).