Hi all,
I use NAT through my WAN interface with Masquerade, at the moment I have a block of 5 IP's, and obviously with Masquerade the first IP is always used. If I set the NAT to SRC-NAT and specify the range of 5 IP's then users randomly get one of the 5 IP's, the problem is that the user IP keeps changing and things like VPN's, banking websites and other systems that want to see all requests coming from one IP.
Is there a way to make the NAT'd IP sticky? I have too many users to create per user NAT'ing and don't want to create countless rules such as specifying part of my subnet range to take a particular IP, the reason I don't want to do this is because soon I will be using 256 IP's and the user count will be around 1000.
Any help much appreciated.
Re: NAT Sticky with src-nat
With 5 addresses, you can use PCC, split traffic by source address and let each 1/5 use one address.
But 256 addresses seems a little too much for this...
But 256 addresses seems a little too much for this...
Re: NAT Sticky with src-nat
Try using the action "same" and put in the range of IP addresses instead of src-nat.
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties
Should fix the issue you are seeing.
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties
Should fix the issue you are seeing.
Re: NAT Sticky with src-nat
Thank you guys,
FeklarI didn't even know the "same" option existed even though I looked through that list so many times, thanks for pointing it out!
FeklarI didn't even know the "same" option existed even though I looked through that list so many times, thanks for pointing it out!
Re: NAT Sticky with src-nat
Hi all,
Resurrecting my old post here, I'm finally in the change over from pfsense to Mikrotik and trying to get the same internal src IP to always use the same public IP, I've created a src NAT rule with "SAME" under action and specified my IP range, but this seems to make each connection from the client device the SAME, any new connections to different sites or services seem to take on a new random public IP from the specified pool. In my case I can't use this, I need a way to make every connection coming from said client src IP to always use the same public IP.
I have 3 internal subnets(1000 devices), and 128 public IP's.
What is going to be the best way to achieve this? Is there anyway I can get this done using src-nat/same or do I need to us PCC? If PCC what/how is the best way?
Much appreciated.
FYI - I've tried these mangle rules, with SRC NAT SAME (IP RANGE) but still the IP changes every few minutes on the client side.
/ip firewall mangle
add chain=input in-interface=P2 action=mark-connection \
new-connection-mark=P2_conn
add chain=output connection-mark=P2_conn action=mark-routing \
new-routing-mark=to_P2
add chain=prerouting dst-address=1.1.1.1/24 action=accept in-interface=Lan
add chain=prerouting dst-address-type=!local in-interface=Lan \
per-connection-classifier=both-addresses-and-ports:1/0 action=mark-connection \
new-connection-mark=P2_conn passthrough=yes
add chain=prerouting connection-mark=P2_conn in-interface=Lan \
action=mark-routing new-routing-mark=to_P2
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_P2 \
check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.1.1.2 distance=1 check-gateway=ping
Resurrecting my old post here, I'm finally in the change over from pfsense to Mikrotik and trying to get the same internal src IP to always use the same public IP, I've created a src NAT rule with "SAME" under action and specified my IP range, but this seems to make each connection from the client device the SAME, any new connections to different sites or services seem to take on a new random public IP from the specified pool. In my case I can't use this, I need a way to make every connection coming from said client src IP to always use the same public IP.
I have 3 internal subnets(1000 devices), and 128 public IP's.
What is going to be the best way to achieve this? Is there anyway I can get this done using src-nat/same or do I need to us PCC? If PCC what/how is the best way?
Much appreciated.
FYI - I've tried these mangle rules, with SRC NAT SAME (IP RANGE) but still the IP changes every few minutes on the client side.
/ip firewall mangle
add chain=input in-interface=P2 action=mark-connection \
new-connection-mark=P2_conn
add chain=output connection-mark=P2_conn action=mark-routing \
new-routing-mark=to_P2
add chain=prerouting dst-address=1.1.1.1/24 action=accept in-interface=Lan
add chain=prerouting dst-address-type=!local in-interface=Lan \
per-connection-classifier=both-addresses-and-ports:1/0 action=mark-connection \
new-connection-mark=P2_conn passthrough=yes
add chain=prerouting connection-mark=P2_conn in-interface=Lan \
action=mark-routing new-routing-mark=to_P2
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_P2 \
check-gateway=ping
add dst-address=0.0.0.0/0 gateway=1.1.1.2 distance=1 check-gateway=ping
Re: NAT Sticky with src-nat
Have you tried to check the box "not by dst." when creating this kind of rule?Hi all,
FYI - I've tried these mangle rules, with SRC NAT SAME (IP RANGE) but still the IP changes every few minutes on the client side.