frontier
just joined
Topic Author
Posts: 3
Joined: Mon Oct 19, 2020 8:13 pm

NETMAP vs SRCNAT

Mon Oct 19, 2020 8:34 pm

Dear Friends,

I have two public IP pools, one a /30 and the other a /28 routed over that /30. I assigned the /30 IP to the WAN interface, and the /28 IPs are simply added to the IP Address list. Now in Firewall NAT, I created a rule where I src-nat the /24 private IP pool to one single public IP already added to the WAN interface. I am facing a little problem: packets are dropping, the Internet occasionally stops responding for a second or two and then works again for some time. Someone suggested that I use NETMAP instead of SRCNAT, but I don't understand the basic difference between them, except that SRCNAT is used for specific ports and NETMAP can be used for all ports.
Can you guys suggest a more precise way, as I am having problems creating multiple pools? I have about 400 users now, all of them on PPPoE; to achieve the goal I created multiple PPPoE servers on multiple PPPoE interfaces which are connected to different remote networks. Due to a lack of public IPs I have to assign a /24 private pool with one static public IP. I still face a problem: if some user tries to connect to a VPN, then that public IP gets routed to that VPN server and all the clients on that IP get routed to that VPN destination.

Kindly help with NETMAP. Sometimes my traffic gets congested, so our ISP asks me to check the NAT entries, but as we have a CCR1036 I didn't find any issue, because I always found 70k entries maximum. I think it's because of the SRCNAT rule.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NETMAP vs SRCNAT

Mon Oct 19, 2020 11:53 pm

action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible).
example:
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
results in the same treatment as
/ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32/28

action=netmap, if used in chain=srcnat, replaces the prefix of the source address of the connection with the one specified in to-addresses, the rest of the bits remain unchanged.
example:
/ip firewall nat add chain=srcnat action=netmap out-interface=ether1 to-addresses=192.168.143.32/28
if the original source address of the connection is 10.35.27.12 or 10.35.27.28 or 10.35.27.44, the new one will be 192.168.143.44 in all three cases.

The resulting tracked connections will look the same, however, no matter whether their NAT treatment has been activated by src-nat or netmap.

So if the issue is caused by many of your clients accessing the same port on the same remote server using TCP, using a range instead of a single address for NAT may help, but for that, it is enough to specify a range for src-nat. netmap is one of the ways to make sure that the same client on the private side will always be NATed to the same public IP; another possibility is to use individual src-nat rules, one per public IP, with per-connection-classifier computing the hash from the source address alone.

If the issue is caused by something else, the above will not help (unless the provider's gear cannot handle two connections from the same address and port on your side even if they connect to different remote address and port, which sounds quite unlikely).
 
fcserg
just joined
Posts: 7
Joined: Wed Jul 08, 2020 8:50 am

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 4:39 pm

> action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible).
> example:
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
> results in the same treatment as
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32/28
>
> action=netmap, if used in chain=srcnat, replaces the prefix of the source address of the connection with the one specified in to-addresses, the rest of the bits remain unchanged.
> example:
> /ip firewall nat add chain=srcnat action=netmap out-interface=ether1 to-addresses=192.168.143.32/28
> if the original source address of the connection is 10.35.27.12 or 10.35.27.28 or 10.35.27.44, the new one will be 192.168.143.44 in all three cases.
>
> The resulting tracked connections will look the same, however, no matter whether their NAT treatment has been activated by src-nat or netmap.
>
> So if the issue is caused by many of your clients accessing the same port on the same remote server using TCP, using a range instead of a single address for NAT may help, but for that, it is enough to specify a range for src-nat. netmap is one of the ways to make sure that the same client on the private side will always be NATed to the same public IP; another possibility is to use individual src-nat rules, one per public IP, with per-connection-classifier computing the hash from the source address alone.
>
> If the issue is caused by something else, the above will not help (unless the provider's gear cannot handle two connections from the same address and port on your side even if they connect to different remote address and port, which sounds quite unlikely).
hey Sindy!
Why will the new one be 192.168.143.44 in all three cases?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 5:20 pm

Because the netmask part of the to-addresses value is 28, i.e. 255.255.255.240. So the value of the bits of the original address whose positions match the zero bits in the mask, i.e. the least significant four bits, is 12 in all three cases, and the bits whose positions match the one bits in the mask are taken from those in the prefix part of to-addresses. So the last byte is a sum of 00100000 and 00001100, i.e. 32 and 12, in all three cases.
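The address arithmetic from the two posts above (netmap keeps the host bits of the original source and replaces the network bits with the to-addresses prefix; src-nat draws from a pool it selects from at its own discretion; per-connection-classifier on the source address alone keeps one client on one public IP), as an added Python example that is not part of the thread and not RouterOS code. The private /24 and the public /28 are the ones named in the thread; the hash used to stand in for RouterOS's per-connection-classifier is an assumption, since RouterOS does not publish its hash function, and only its stickiness property is what matters here.

```python
"""Emulation of what RouterOS action=netmap and action=src-nat do to a
source address. Added example, not a RouterOS component.

Assumptions: private side 10.35.27.0/24 and public pool 192.168.143.32/28
(both from the thread); the PCC-style hash is SHA-256 of the packed
address, which is NOT RouterOS's real hash, only a stand-in with the same
"same source address -> same classification" property."""
import hashlib
import ipaddress
from collections import defaultdict


def netmap(src: str, to_addresses: str) -> str:
    """action=netmap in chain=srcnat: bits where the netmask of to-addresses
    is 0 (the host part) are copied from the original source address, bits
    where it is 1 are taken from the prefix given in to-addresses."""
    net = ipaddress.ip_network(to_addresses, strict=False)
    src_int = int(ipaddress.ip_address(src))
    new_int = int(net.network_address) | (src_int & int(net.hostmask))
    return str(ipaddress.ip_address(new_int))


def netmap_groups(private_net: str, to_addresses: str) -> dict:
    """Which private hosts share one public address under netmap. Mapping a
    /24 onto a /28 throws away 4 bits, so 16 private hosts land on each of
    the 16 public addresses (10.35.27.12, .28 and .44 all become .44)."""
    groups = defaultdict(list)
    for host in ipaddress.ip_network(private_net):
        groups[netmap(str(host), to_addresses)].append(str(host))
    return dict(groups)


def srcnat_pool(to_addresses: str) -> list:
    """The pool action=src-nat picks from. A range a-b and a prefix that
    cover the same addresses give the same pool; which member a particular
    connection gets is chosen by the NAT module, not by the rule."""
    if "-" in to_addresses:
        lo, hi = (ipaddress.ip_address(x) for x in to_addresses.split("-"))
        return [str(ipaddress.ip_address(i)) for i in range(int(lo), int(hi) + 1)]
    return [str(a) for a in ipaddress.ip_network(to_addresses, strict=False)]


def pcc_src_address(src: str, denominator: int, remainder: int) -> bool:
    """Stand-in for per-connection-classifier=src-address:denominator/remainder.
    Hashing the source address alone means all connections of one client
    match the same rule. (SHA-256 here is an assumption, see module docstring.)"""
    digest = hashlib.sha256(ipaddress.ip_address(src).packed).digest()
    return int.from_bytes(digest[:4], "big") % denominator == remainder


def pcc_public_ip(src: str, pool: list) -> str:
    """One src-nat rule per public address, rule i matching remainder i;
    returns the to-addresses value of the rule that fires for this client."""
    for i, public in enumerate(pool):
        if pcc_src_address(src, len(pool), i):
            return public
    raise RuntimeError("exactly one remainder must match")  # unreachable


if __name__ == "__main__":
    for s in ("10.35.27.12", "10.35.27.28", "10.35.27.44", "10.35.27.10"):
        print(f"netmap {s} -> {netmap(s, '192.168.143.32/28')}")
    groups = netmap_groups("10.35.27.0/24", "192.168.143.32/28")
    print(len(groups), "public addresses, each shared by",
          len(groups["192.168.143.44"]), "private hosts")
    pool = srcnat_pool("192.168.143.32-192.168.143.47")
    print("range pool == prefix pool:", pool == srcnat_pool("192.168.143.32/28"))
    print("PCC keeps 10.35.27.12 on", pcc_public_ip("10.35.27.12", pool))
```

The netmap_groups output is the practical caveat for the thread's setup: with netmap, 16 private hosts share each public address deterministically, so one client's behaviour (the VPN case in the first post) still affects the 15 others on the same public IP, just in a predictable way.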
 
fcserg
just joined
Posts: 7
Joined: Wed Jul 08, 2020 8:50 am

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 6:54 pm

> Because the netmask part of the to-addresses value is 28, i.e. 255.255.255.240. So the value of the bits of the original address whose positions match the zero bits in the mask, i.e. the least significant four bits, is 12 in all three cases, and the bits whose positions match the one bits in the mask are taken from those in the prefix part of to-addresses. So the last byte is a sum of 00100000 and 00001100, i.e. 32 and 12, in all three cases.
e.g., if we have 10.35.27.10 as a source address, netmap will replace it with 192.168.143.40?
 
fcserg
just joined
Posts: 7
Joined: Wed Jul 08, 2020 8:50 am

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 6:57 pm

> action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible).
> example:
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
> results in the same treatment as
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32/28
In this case, which IP from the /28 will be used?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 6:58 pm

> e.g., if we have 10.35.27.10 as a source address, netmap will replace it with 192.168.143.40?
No, with 192.168.143.42 (32 + 10).
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 7:01 pm

> action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible).
> example:
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
> results in the same treatment as
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32/28
> In this case, which IP from the /28 will be used?
Can't be predicted. Here the NAT module of the firewall chooses the new address from the configured range or prefix at its own discretion, which you cannot reliably anticipate.
 
fcserg
just joined
Posts: 7
Joined: Wed Jul 08, 2020 8:50 am

Re: NETMAP vs SRCNAT

Thu Apr 22, 2021 8:23 pm

> action=src-nat replaces the source address of the connection being handled with an address from the to-addresses range or subnet (both variants are possible).
> example:
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32-192.168.143.47
> results in the same treatment as
> /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 to-addresses=192.168.143.32/28
> In this case, which IP from the /28 will be used?
> Can't be predicted. Here the NAT module of the firewall chooses the new address from the configured range or prefix at its own discretion, which you cannot reliably anticipate.
got it, thanks!
