SNAT with discontiguous to-addresses network

chojrak11 · January 2, 2010, 10:19pm

Hello,

I need to configure NAT similar to this:

# iptables -t nat -A POSTROUTING -s 192.168.1.0/24 -o eth1 \
        -j SNAT --to 1.2.3.2-1.2.3.99 --to 1.2.3.121-1.2.3.254

(to use all addresses from /24 network excluding .1 and .100-.120)
This example in modified form is taken from the bottom of: http://www.netfilter.org/documentation/HOWTO/NAT-HOWTO-6.html#ss6.3
I need to preserve basic round-robin mode of assigning public addresses which this rule provides, across all available addresses, excluding addresses used by other equipment (servers etc).

I tried this:

/ip firewall nat add chain=srcnat src-address=192.168.1.0/24 action=src-nat to-addresses="1.2.3.2-1.2.3.99,1.2.3.121-1.2.3.254"

but it gave me

invalid value for argument max

Is there any way to do that in RouterOS?

Thanks.

fewi · January 2, 2010, 10:57pm

As far as I know you cannot as the to-addresses parameter only supports min-[max] values and can only be used once.

Maybe as a workaround you can split your internal network and NAT the first 128 hosts to .2 - .99 and the second 128 hosts to the rest?

/ip firewall nat 
add chain=srcnat src-address=192.168.1.0/25 action=src-nat to-addresses=1.2.3.2-1.2.3.99
add chain=srcnat src-address=192.168.1.128/25 action=src-nat to-addresses=1.2.3.121-1.2.3.254

changeip · January 2, 2010, 11:40pm

use 2 rules and apply nth or random fields.

chojrak11 · January 3, 2010, 12:28am

Thank you both for the hints. I think it’ll do the trick.