netmap with address list behavior

I have a need to create a netmap using an address list, but I need help understanding the side-effects of doing so. This is what I would like to do:

add action=netmap chain=srcnat src-address-list=active to-addresses=199.176.0.0/22

There would be roughly 1000 addresses in the address list. I do not understand what happens to the mapping and the existing connections if an address is removed from the address-list. Do all the existing mappings get remapped to conform with the new order of the access list? Do connections get dropped when this happens?

In the past we had a /16 private subnet and used rules like this to create 1-to-1 mappings:
add action=netmap chain=srcnat src-address=10.100.2.0/24 to-addresses=199.176.2.0/24
add action=netmap chain=srcnat src-address=10.100.3.0/24 to-addresses=199.176.3.0/24
add action=netmap chain=srcnat src-address=10.100.4.0/24 to-addresses=199.176.4.0/24
add action=netmap chain=srcnat src-address=10.100.5.0/24 to-addresses=199.176.5.0/24

Now that the networks are broken into partially filled subnets, we have a src-nat rule for every address.
To clean this up and make it more dynamic, we wish to go back to netmap with an address list.
Ideally we are looking for a NAT pool similar to a Cisco firewall.

Thanks!

The rules in the NAT table only handle the first packet of each connection, and no information from the rule is copied to the context of the tracked connection. So if an address disappears from an address-list on which a dst-nat, src-nat or netmap rule matched, the connection which has become NATed by this rule won’t be affected by that.

Do you know what would happen if the address-list is larger than the to-addresses subnet?

The size of the address list has nothing to do with the size of the to-addresses subnet directly. The whole difference between plain src-nat (or dst-nat) and netmap is how many bits of the original source (or destination) address are translated, and how many remain unchanged; this is determined by the /masklength parameter of the to-addresses in case of action=netmap, and it is always all 32 bits of the address in case of action=src-nat or action=dst-nat (also, obviously, the to-addresses value must be a subnet in case of action=netmap). The address list only determines whether a given packet will match the rule or not.

So let’s imagine the following configuration:

/ip firewall address-list {
  add list=my-test address=192.168.3.7
  add list=my-test address=192.168.4.0/28
  add list=my-test address=192.168.5.0/27
}
/ip firewall nat {
  add chain=dstnat dst-address-list=my-test action=netmap to-addresses=192.168.200.0/24
}

With this setup in place, a connection from any address, on any protocol and from and to any source and destination port, to IP address 192.168.3.7, 192.168.4.7, or 192.168.5.7 will all be translated into connections to 192.168.200.7. But whilst connections to 192.168.4.8 or 192.168.5.8 will get dst-nated to 192.168.200.8, a connection to 192.168.3.8 will remain unchanged because 192.168.3.8 doesn’t match any item on the address list.
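
The bit-level rule described in the answer above, modelled in Python as an added example (not RouterOS code and not written by anyone in this thread): the address list only decides whether a packet matches, and the mask length of to-addresses decides which bits are replaced. The helper names netmap, translate and collisions are hypothetical, and 10.100.6.15 is a constructed address used to show two list members landing on one translated address under the /22 rule from the first post.

```python
import ipaddress
from collections import defaultdict

def netmap(addr, to_addresses):
    """Keep the host bits of addr; take the network bits from to_addresses."""
    net = ipaddress.ip_network(to_addresses)
    host_bits = int(ipaddress.ip_address(addr)) & int(net.hostmask)
    return str(ipaddress.ip_address(int(net.network_address) | host_bits))

def translate(addr, address_list, to_addresses):
    """Apply netmap only if addr matches an address-list entry."""
    ip = ipaddress.ip_address(addr)
    if any(ip in ipaddress.ip_network(entry) for entry in address_list):
        return netmap(addr, to_addresses)
    return addr  # no match: the rule does not fire, address unchanged

def collisions(address_list, to_addresses):
    """Return translated addresses that more than one list member maps to."""
    groups = defaultdict(list)
    for entry in address_list:
        for ip in ipaddress.ip_network(entry):
            groups[netmap(str(ip), to_addresses)].append(str(ip))
    return {dst: srcs for dst, srcs in groups.items() if len(srcs) > 1}

# Address list and to-addresses taken from the configuration in the answer.
MY_TEST = ["192.168.3.7", "192.168.4.0/28", "192.168.5.0/27"]
TO = "192.168.200.0/24"

if __name__ == "__main__":
    for a in ("192.168.3.7", "192.168.4.7", "192.168.5.8", "192.168.3.8"):
        print(f"{a:>14} -> {translate(a, MY_TEST, TO)}")
    shared = collisions(MY_TEST, TO)
    print(len(shared), "translated addresses are shared, e.g.",
          shared["192.168.200.7"])
    # Constructed case for the /22 rule in the first post: both addresses
    # keep the same low 10 bits, so they translate to the same address.
    for a in ("10.100.2.15", "10.100.6.15"):
        print(f"{a:>14} -> {netmap(a, '199.176.0.0/22')}")
```

Running collisions over an exported address list before deploying such a rule shows which members would share a translated address, which matters when logs or upstream filters identify hosts by their translated address.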