SRC NAT or Masquerade with Multi IP

Hello, I used to have one public IP address. I then requested an additional 5 usable, so now my WAN subnet is a /29.
So for example, the public IPs 1.1.1.1 to 1.1.1.4

chain=srcnat action=src-nat to-addresses=1.1.1.1-1.1.1.4 out-interface=ether1

At the moment I am using src-nat, will this keep changing which public IP a user may receive every time they browse the internet?

Is there a better way of doing this? Shall I just leave it as it was before and masquerade with this:
chain=srcnat action=masquerade out-interface=ether1 (Will this make each internal IP sticky to the Public IP?)

Out of these two methods which is best and is there another way to do this?

Thanks

What is it you are trying to accomplish?

I want to masquerade/nat the internal LAN subnet to the 5 public WAN addresses I have on my WAN interface. I would like it to randomly select one of the 5 public addresses (they are in one public subnet) per internal address. So like a “many-to-5” NAT translation.

I believe you can just put a range of IPs into the “To Address” field of the SRC-NAT action and it will do what you are referring to.

If you had wanted to do a 1:1 mapping you would use the netmap feature.

When I use the range option with src-nat then I have customers complaining about their IPTV systems not loading, I’m not sure if this is because it uses a different public IP address for each session the user attempts. When I set this to masquerade it works fine. So now the question is, does the masquerade option always use the first address assigned to the interface? I have 1.1.1.1 through 1.1.1.5

So with Masquerade I fear that only 1.1.1.1 is being used, and with src-nat range 1.1.1.1-1.1.1.5 it uses more than one public IP per user, which some sites don’t like.

So does the Masquerade option just use the first address? Is there another way to do this, like with netmap 256:5?

Any help much appreciated.

FYI I am just reading the wiki for this information.

To keep people on the same IP for all connections, use the same option. From previous discussions on the forum, masquerade uses the first IP.

Thanks, has anyone had success with a netmap like 256:5?

Is this doable?

One other option is to create 5 NAT rules. One for each portion of your IP space each mapping to a specific IP.

If you want one rule you’ll need to use the SAME action. Netmap is only for 1:1 mappings.

That sounds like the best way, thanks for the idea.

Actually, would this cause problems with my PCC rules? I have two WAN interfaces, both with 5 usable public IPs.

If I NAT sections of my subnet then PCC would be redundant right?

Not if your PCC rule tells the traffic to go out the interface we are not discussing.
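The "5 NAT rules, one for each portion of your IP space" suggestion from the thread, sketched as an added example that is not part of any post above. It splits a LAN into contiguous ranges, emits one src-nat rule per range, and can look up which public address a given client leaves from, which is what you need when matching an abuse report or log entry back to an internal host. The LAN 192.168.88.0/24 is an assumed value; the public addresses and ether1 are the ones used in the thread.

```python
import ipaddress

def split_lan(lan_cidr, public_ips):
    """Divide the usable hosts of lan_cidr into one contiguous range per public IP."""
    hosts = list(ipaddress.ip_network(lan_cidr).hosts())
    count = len(public_ips)
    if count == 0 or len(hosts) < count:
        raise ValueError("need at least one LAN host per public IP")
    base, extra = divmod(len(hosts), count)
    portions, start = [], 0
    for i, pub in enumerate(public_ips):
        size = base + (1 if i < extra else 0)  # spread the remainder over the first ranges
        first, last = hosts[start], hosts[start + size - 1]
        portions.append((first, last, ipaddress.ip_address(pub)))
        start += size
    return portions

def nat_rules(portions, out_interface):
    """One src-nat rule per range; each client always maps to the same public IP."""
    return [
        f"/ip firewall nat add chain=srcnat action=src-nat "
        f"src-address={first}-{last} out-interface={out_interface} to-addresses={pub}"
        for first, last, pub in portions
    ]

def public_ip_for(portions, client):
    """Return the public IP a client is translated to, or None if no rule matches."""
    addr = ipaddress.ip_address(client)
    for first, last, pub in portions:
        if first <= addr <= last:
            return str(pub)
    return None

# Constructed sample values: the LAN subnet is an assumption, not from the thread.
LAN = "192.168.88.0/24"
PUBLIC = ["1.1.1.1", "1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5"]

if __name__ == "__main__":
    plan = split_lan(LAN, PUBLIC)
    for rule in nat_rules(plan, "ether1"):
        print(rule)
    print("192.168.88.60 ->", public_ip_for(plan, "192.168.88.60"))
```

Because the mapping is fixed by source range rather than chosen per connection, a session-sensitive service sees one public address per client, and the rule list doubles as the record of who was behind which address.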