Src NAT with -same rules on 6.x

Begetan · April 9, 2014, 8:50am

Hello,

I am using Mikrotik for NATing about 1,5 k users. Previously I’ve use ROS5.18 version with RB1100AH and all was fine for up to 1K users. Now I am using x86 with ROS6.11 and some users has complains for problems with some services.

For example there is a problem with SIP.net, WebMoney security. Ordinary web sites show different src ip in request for short period. Is there any problem with -same rule in ROS 6.x or it may be issue in my setup?

Here is a configuration:

/ip firewall nat
add action=same chain=srcnat out-interface=ether1-bb src-address=172.16.0.0/19 to-addresses=\
    37.38.39.32/28

I’ve changed Nat pool from /29 to /28 without any changes.
Connection tracking shows currently 64K entries and 540k max entries.

Should I split our network for several /24 pools and make translation each into single IP?
A bit stupid configuration I think.

stenlyto · April 9, 2014, 11:29am

It must be working well
before u clear it out u may do the stupid idea ONLY for the complaining users… but its a temporary decision!!!
Go behind the router with a laptop and open a website like google: “what’s my IP”
open the website see the IP and refresh it for a couple of time fast, and with intervals of 1-2 minutes … see what going
if it doesn’t change the rule is working good, so start looking somewhere else

ners · April 9, 2014, 1:39pm

Try same-not-by-dst=yes, it might help and I consider it to be best practice for batting.

Begetan · April 11, 2014, 7:44am

Thank you very much ners!
This option solved the problem.