DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

How do we properly perform CGNAT on a MikroTik Router for customers?

Sat May 29, 2021 4:25 pm

More details here: viewtopic.php?f=2&t=175633#p860111

So in the MikroTik wiki, they used action=src nat as an example, whereas, on various MUM presentations, they used action=netmap.

Note: We are NOT doing or interested in deterministic NAT.

So basically this what we want:
  • NAT multiple subnet slices out of the 100.64.0.0/8 to public/25
  • And accordingly, allow incoming traffic destined towards public/25 + destined for only ports 1024-65535 to be dst-natted to the various subnet slices out of the 100.64.0.0/8 to allow customers to take advantage of port randomisation and get port forwarding to work correctly for P2P traffic etc.
  • What are the chances 100.64.0.0/8 customers would all use port 1024 for instance for their BitTorrent clients, right? Zero.
This is an imperfect solution compared to IPv6, but we would like to give customers at least a better if not perfect P2P networking experience while IPv6 is being rolled out.

So this is what we've tried along with IPSec passthrough attribute:
#src-address-list=local, local is address list containing multiple CGNAT subnets like 100.64.0.0/24, 100.64.0.256/24 etc#

/ip firewall nat
add action=netmap chain=srcnat comment="Netmap for outbound TCP" ipsec-policy=out,none protocol=tcp src-address-list=local to-addresses=public/25 to-ports=1-65535

add action=netmap chain=srcnat comment="Netmap for outbound UDP" ipsec-policy=out,none protocol=udp src-address-list=local to-addresses=public/25 to-ports=1-65535

add action=netmap chain=srcnat comment="Netmap for outbound non TCP/UDP" ipsec-policy=out,none src-address-list=local to-addresses=public/25

#Example: we only want to allow port forwarding for 100.64.8.0/21 instead of everything inside src-address-list=local#
add action=dst-nat chain=dstnat comment="For inbound port forwarding TCP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=tcp to-addresses=100.64.8.0/21 to-ports=1024-65535

add action=dst-nat chain=dstnat comment="For inbound port forwarding UDP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=udp to-addresses=100.64.8.0/21 to-ports=1024-65535
So the above rules, sort of works... On the customer end, we were able to seed torrent traffic without any issues but the ports are still "closed" for the public /25 mapped to the customer at the time of testing, which we checked with the Port Checker: https://portchecker.co/

Is there a proper way of doing CGNAT to allow this to work correctly? I feel something is wrong with the rules themselves.

A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.
Last edited by DarkNate on Tue Jun 01, 2021 3:57 pm, edited 2 times in total.
 
mducharme
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 12:00 am

A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.
Please see this MUM presentation: https://mum.mikrotik.com/presentations/ ... 667160.pdf
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 11:52 am

A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.
Please see this MUM presentation: https://mum.mikrotik.com/presentations/ ... 667160.pdf
That's done using deterministic NAT. Anyway, people on the Reddit thread confirmed what I'm trying to achieve is not possible, at least on MikroTik.
 
rextended
Forum Guru
Posts: 11967
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 12:12 pm

one thing:
100.64.0.0/8 does "not exist"
the right one is
100.64.0.0/10
from
100.64.0.0 to 100.127.255.255


public/25 ???
what is this?
one single address like 2.3.4.5/25
or one pool of public addresses like 2.3.4.0/25 -> from 2.3.4.0 to 2.3.4.127 ???


destined for only ports 1024-65535 to be dst-natted
You open port-to-client by hand?
UPnP works only on the client side
The ports used for auto NAT go from 32768 to 65534; ports from 0 to 32767, and 65535, are not used automatically for auto NAT
You have only 32767 ports per public IP usable for auto NAT; assuming one client uses about 500 ports, you can have about 64 users per public IP before the NAT is full...
if you have 128 IPs (0 and 127 are IPs), with 64 users per IP, the hypothetical max number of users without reaching end-of-ports is 8192.
Using P2P can increase the ports per user from 500 to 5000 and the max number of users per IP can go from 64 to 6 ...


we would like to give customers at least a better if not perfect P2P networking experience
Buy one IPv4 address for each customer, or more, to use as a dynamic pool of public IP addresses.
The addresses are NOT out of stock, they are simply for sale and are expensive.
Last edited by rextended on Sun May 30, 2021 1:00 pm, edited 1 time in total.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 12:52 pm

@rextended

public/25 = out of a larger /24 pool, yes.

Looks like there's no easy clean-cut solution for this. We'd have to do it by hand or scripting.

We are considering this
#local contains the CGNAT subnets#
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!local ipsec-policy=out,none out-interface-list=WAN src-address-list=local to-addresses=public/25

#Example only for 100.64.0.0/24#
add action=dst-nat chain=dstnat  dst-address-list=public/25 dst-port=1024-65535 in-interface-list=WAN to-addresses=100.64.0.0/24 

 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 1:29 pm

I still don't get why you need any dst-nat rules at all. To my understanding, the only thing the two peers in any p2p network need is that all the NATs between each peer and the internet do not change the source port (unless it cannot be kept because some other client is connecting from the same source port to the same destination address and port). When this is true for both, they both connect to some rendezvous point and exchange information about the ports they use at their side and the public IP from which they access internet (detected with help of the rendezvous point). Once each peer has received this information, both start sending from their local port to the remote address and port of the other peer, thus creating a pinhole (tracked connection in linux/RouterOS vernacular) by means of src-nat. Since UDP is stateless, by sending a packet from c.c.c.c:C to s.s.s.s:S, the pinhole opens also for packets sent from s.s.s.s:S to public.ip.assigned.to.client:C, and once such a packet arrives, it gets "un-src-nated" and delivered to c.c.c.c:C. So the packets sent by the first peer to start are not reaching the second one until the second one sends its first packet; from then on, both firewalls let the packets through.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 1:42 pm

I still don't get why you need any dst-nat rules at all. To my understanding, the only thing the two peers in any p2p network need is that all the NATs between each peer and the internet do not change the source port (unless it cannot be kept because some other client is connecting from the same source port to the same destination address and port). When this is true for both, they both connect to some rendezvous point and exchange information about the ports they use at their side and the public IP from which they access internet (detected with help of the rendezvous point). Once each peer has received this information, both start sending from their local port to the remote address and port of the other peer, thus creating a pinhole (tracked connection in linux/RouterOS vernacular) by means of src-nat. Since UDP is stateless, by sending a packet from c.c.c.c:C to s.s.s.s:S, the pinhole opens also for packets sent from s.s.s.s:S to public.ip.assigned.to.client:C, and once such a packet arrives, it gets "un-src-nated" and delivered to c.c.c.c:C. So the packets sent by the first peer to start are not reaching the second one until the second one sends its first packet; from then on, both firewalls let the packets through.
Okay so only one src NAT rule is good enough I believe?
 
kashifzai86
Frequent Visitor
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 2:51 pm

Please check this link as well
Very helpful link


https://aacable.wordpress.com/2020/01/0 ... tik-cgnat/
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 4:02 pm

Please check this link as well
Very helpful link


https://aacable.wordpress.com/2020/01/0 ... tik-cgnat/
How is that helpful?

That's deterministic NAT which I mentioned in OP is not something I'm looking for and another member already shared the same thing: viewtopic.php?f=2&t=175633#p859820
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 4:47 pm

Okay so only one src NAT rule is good enough I believe?
For connections between a peer inside your 10.64.0.0/10 and a peer out there in the internet - yes. For connections between two of your peers, it will be more interesting.

In order for it to work, you also need to src-nat the connections your clients initiate towards the addresses in your public /25 range, but that's not enough. If two clients initiate such a connection, RouterOS creates an independent tracked connection for each of them, and it cannot match them together and merge them. So you need the following arrangement (roughly, adapt it to your actual configuration):

/interface bridge add name=br-lo protocol-mode=none
/ip address add address=127.0.0.11/32 interface=br-lo
/ip address add address=127.0.0.12/32 interface=br-lo
/interface ipip add name=hairpin-1 local-address=127.0.0.11 remote-address=127.0.0.12
/interface ipip add name=hairpin-2 local-address=127.0.0.12 remote-address=127.0.0.11
/ip route rule add interface=hairpin-1 dst-address=your.public.sub.net/25 action=drop
/ip route rule add interface=hairpin-2 dst-address=your.public.sub.net/25 action=drop
/ip route add dst-address=your.public.sub.net/25 gateway=hairpin-1,hairpin-2


The addresses from the /25 subnet you use for src-nat must not be assigned to any interface of the router itself, otherwise it won't work because packets for any address on the router itself are not routed, unless they get dst-nated at arrival.

The route must have both ends of the IPIP tunnel as gateways because if you set rp-filter to strict (which you may want to do as you are an ISP so dropping forged packets saves you some problems). The action=drop routing rules are there to prevent the packets from looping through the hairpin tunnel until the second tracked connection gets created.
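To make the two mechanisms sindy describes concrete (the rendezvous exchange in the earlier post, where the first packet is dropped and the second one opens the path, and the hairpin case in this post, where two clients behind the same CGNAT have to reach each other through a public address), here is an added Python model written for this page. It is not RouterOS code and not part of any forum post. It models a stateful src-nat as a table of tracked connections keyed by the full source/destination pair, with two assumptions taken from the posts: the NAT preserves the client's source port when it is free, and an inbound packet is delivered only when a matching tracked connection already exists. `hole_punch` traces the three packets between peers behind two different CGNATs; `hairpin_punch` repeats the exchange for two clients behind one CGNAT, with and without src-nat applied to the packet that leaves and re-enters through the hairpin. The client addresses, ports and the rendezvous endpoint are constructed sample values.

```python
"""Toy model of a connection-tracking src-nat (CGNAT), used to trace UDP
hole punching between two CGNATs and the hairpin case where both peers sit
behind the same CGNAT. Model only; not RouterOS code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    src: tuple  # (ip, port)
    dst: tuple  # (ip, port)


class SrcNat:
    """Stateful src-nat keyed by the full (src, dst) pair, like a tracked
    connection. The client's source port is preserved when it is free
    (assumption: the port-preserving behaviour the explanation relies on)."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.fwd = {}  # (inside_src, remote) -> public port
        self.rev = {}  # (remote, public port) -> inside_src

    def outbound(self, pkt):
        """Inside -> outside: create or reuse the tracked connection."""
        key = (pkt.src, pkt.dst)
        if key not in self.fwd:
            port = pkt.src[1]
            # Another inside host already uses this port toward this remote:
            # take the next free one (a real NAT picks from its pool).
            while self.rev.get((pkt.dst, port), pkt.src) != pkt.src:
                port = port + 1 if port < 65534 else 32768
            self.fwd[key] = port
            self.rev[(pkt.dst, port)] = pkt.src
        return Pkt((self.public_ip, self.fwd[key]), pkt.dst)

    def inbound(self, pkt):
        """Outside -> inside: deliver only when a tracked connection matches.
        Anything else is dropped, which is what an external port checker
        reports as 'closed'."""
        if pkt.dst[0] != self.public_ip:
            return None
        inside = self.rev.get((pkt.src, pkt.dst[1]))
        return None if inside is None else Pkt(pkt.src, inside)


RENDEZVOUS = ("192.0.2.1", 3478)  # constructed sample rendezvous server


def hole_punch(nat_a, peer_a, nat_b, peer_b):
    """Two peers behind different CGNATs. Each first talks to the rendezvous
    server (creating its mapping and learning its public endpoint), then
    three packets are traced. Returns whether each one was delivered."""
    pub_a = nat_a.outbound(Pkt(peer_a, RENDEZVOUS)).src
    pub_b = nat_b.outbound(Pkt(peer_b, RENDEZVOUS)).src
    first = nat_b.inbound(nat_a.outbound(Pkt(peer_a, pub_b)))   # A -> B
    second = nat_a.inbound(nat_b.outbound(Pkt(peer_b, pub_a)))  # B -> A
    third = nat_b.inbound(nat_a.outbound(Pkt(peer_a, pub_b)))   # A -> B again
    return [p is not None for p in (first, second, third)]


def hairpin(nat, pkt, srcnat_on_hairpin):
    """Inside -> inside via a public address of the same CGNAT: the packet
    leaves and comes straight back in. When the hairpin path is treated as
    WAN it is src-natted first; otherwise it re-enters untranslated."""
    if srcnat_on_hairpin:
        pkt = nat.outbound(pkt)
    return nat.inbound(pkt)


def hairpin_punch(nat, peer_a, peer_b, srcnat_on_hairpin=True):
    """Same three-packet exchange, both peers behind one CGNAT."""
    pub_a = nat.outbound(Pkt(peer_a, RENDEZVOUS)).src
    pub_b = nat.outbound(Pkt(peer_b, RENDEZVOUS)).src
    first = hairpin(nat, Pkt(peer_a, pub_b), srcnat_on_hairpin)
    second = hairpin(nat, Pkt(peer_b, pub_a), srcnat_on_hairpin)
    third = hairpin(nat, Pkt(peer_a, pub_b), srcnat_on_hairpin)
    return [p is not None for p in (first, second, third)]


if __name__ == "__main__":
    a, b = ("100.64.1.5", 4000), ("100.64.2.7", 5000)  # constructed clients
    print("two CGNATs:", hole_punch(SrcNat("203.0.113.10"), a, SrcNat("198.51.100.20"), b))
    print("hairpin, src-nat on:", hairpin_punch(SrcNat("203.0.113.10"), a, b))
    print("hairpin, src-nat off:", hairpin_punch(SrcNat("203.0.113.10"), a, b, False))
```

Running it gives `[False, True, True]` for both the two-CGNAT case and the hairpin case with src-nat, and `[False, False, False]` for the hairpin without src-nat: the untranslated packet never matches the other client's tracked connection, which is why the hairpin interfaces need the same src-nat treatment as real WAN traffic.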
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 9:25 pm

Okay so only one src NAT rule is good enough I believe?
For connections between a peer inside your 10.64.0.0/10 and a peer out there in the internet - yes. For connections between two of your peers, it will be more interesting.

In order for it to work, you also need to src-nat the connections your clients initiate towards the addresses in your public /25 range, but that's not enough. If two clients initiate such a connection, RouterOS creates an independent tracked connection for each of them, and it cannot match them together and merge them. So you need the following arrangement (roughly, adapt it to your actual configuration):

/interface bridge add name=br-lo protocol-mode=none
/ip address add address=127.0.0.11/32 interface=br-lo
/ip address add address=127.0.0.12/32 interface=br-lo
/interface ipip add name=hairpin-1 local-address=127.0.0.11 remote-address=127.0.0.12
/interface ipip add name=hairpin-2 local-address=127.0.0.12 remote-address=127.0.0.11
/ip route rule add interface=hairpin-1 dst-address=your.public.sub.net/25 action=drop
/ip route rule add interface=hairpin-2 dst-address=your.public.sub.net/25 action=drop
/ip route add dst-address=your.public.sub.net/25 gateway=hairpin-1,hairpin-2


The addresses from the /25 subnet you use for src-nat must not be assigned to any interface of the router itself, otherwise it won't work because packets for any address on the router itself are not routed, unless they get dst-nated at arrival.

The route must have both ends of the IPIP tunnel as gateways because if you set rp-filter to strict (which you may want to do as you are an ISP so dropping forged packets saves you some problems). The action=drop routing rules are there to prevent the packets from looping through the hairpin tunnel until the second tracked connection gets created.
So would the following be correct?
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!local ipsec-policy=out,none out-interface-list=WAN src-address-list=local to-addresses=publicpool/25

/interface bridge add name=br-lo protocol-mode=none
/ip address add address=127.0.0.11/32 interface=br-lo
/ip address add address=127.0.0.12/32 interface=br-lo
/interface ipip add name=hairpin-1 local-address=127.0.0.11 remote-address=127.0.0.12
/interface ipip add name=hairpin-2 local-address=127.0.0.12 remote-address=127.0.0.11
/ip route rule add interface=hairpin-1 dst-address=publicpool/25 action=drop
/ip route rule add interface=hairpin-2 dst-address=publicpool/25 action=drop
/ip route add dst-address=publicpool/25 gateway=hairpin-1,hairpin-2
Also at the moment we are not sure but we assigned the publicpool/25 inside IP>Address to the outgoing WAN interface. Should we remove that?
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Sun May 30, 2021 11:05 pm

So would the following be correct?
...
To make the action=src-nat rule act also on the hairpinned traffic, which is necessary for the whole idea to work, you must make both hairpin-1 and hairpin-2 members of interface list WAN (which they indeed are from the point of view of the network topology).

Also at the moment we are not sure but we assigned the publicpool/25 inside IP>Address to the outgoing WAN interface. Should we remove that?
The question is whether you can remove that just like that, as it depends on how that /25 is configured between you and your upstream provider:
  • if the gateway IP the ISP gave you is from another subnet than this /25 one, the ISP routes that /25 to you via your own IP in that other subnet and there is no need to have the addresses from the /25 up on your router itself
  • if the gateway IP they gave you is from that /25, your router must respond to ARP requests for all addresses from that /25 you want to use; to do that without setting them up on the router itself, you must create ARP records of type publish on the WAN interface (don't specify any MAC address, it will save 00:00:00:00:00:00 and the one of the WAN interface will actually be sent) and add individual routes to these /32 addresses that shadow the route to the whole /25 that is added dynamically as you add your own address in the /25.

    Assuming your own IP in the /25 is .2 and the gateway provided by the ISP is .1, you'll need something like
    /ip arp
    add address=the.public.subnet.3 interface=your-wan-interface-name publish=yes
    ...
    add address=the.public.subnet.126 interface=your-wan-interface-name publish=yes
    /ip route
    add dst-address=the.public.subnet.3 gateway=hairpin-1,hairpin-2
    ...
    add dst-address=the.public.subnet.126 gateway=hairpin-1,hairpin-2
(hence you don't need the route dst-address=the.public.sub.net/25 gateway=hairpin-1,hairpin-2)
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 3:57 pm

So would the following be correct?
...
To make the action=src-nat rule act also on the hairpinned traffic, which is necessary for the whole idea to work, you must make both hairpin-1 and hairpin-2 members of interface list WAN (which they indeed are from the point of view of the network topology).

Also at the moment we are not sure but we assigned the publicpool/25 inside IP>Address to the outgoing WAN interface. Should we remove that?
The question is whether you can remove that just like that, as it depends on how that /25 is configured between you and your upstream provider:
  • if the gateway IP the ISP gave you is from another subnet than this /25 one, the ISP routes that /25 to you via your own IP in that other subnet and there is no need to have the addresses from the /25 up on your router itself
  • if the gateway IP they gave you is from that /25, your router must respond to ARP requests for all addresses from that /25 you want to use; to do that without setting them up on the router itself, you must create ARP records of type publish on the WAN interface (don't specify any MAC address, it will save 00:00:00:00:00:00 and the one of the WAN interface will actually be sent) and add individual routes to these /32 addresses that shadow the route to the whole /25 that is added dynamically as you add your own address in the /25.

    Assuming your own IP in the /25 is .2 and the gateway provided by the ISP is .1, you'll need something like
    /ip arp
    add address=the.public.subnet.3 interface=your-wan-interface-name publish=yes
    ...
    add address=the.public.subnet.126 interface=your-wan-interface-name publish=yes
    /ip route
    add dst-address=the.public.subnet.3 gateway=hairpin-1,hairpin-2
    ...
    add dst-address=the.public.subnet.126 gateway=hairpin-1,hairpin-2
(hence you don't need the route dst-address=the.public.sub.net/25 gateway=hairpin-1,hairpin-2)
So we used the single src NAT, and it worked fine, but for some reason, we can't run a speedtest.net test on our test server hosted on the same network with a different IP address of course on the edge router. The Access router is connected to this edge router, where we use Hotspot+PPPoE for some users. We have public/25 in IP>Address>Interface=LAN (switch which is used for distribution) for src NAT for both of these users.

Then we have another public/25 which is paid static IP again for both PPPoE users and Hotspot. The moment we disabled it from IP>Address, the Hotspot users with paid static IPs couldn't use the internet anymore, but the PPPoE users could just fine.

Any ideas?

Rough diagram: https://i.ibb.co/89k3PKL/image.png
Speed test server is connected to edge router ether3
Last edited by DarkNate on Mon May 31, 2021 5:44 pm, edited 2 times in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 4:55 pm

Nice to learn at this stage that there are actually two routers, so the whole exercise with the hairpin IPIP tunnel could probably be omitted as the access router could as well send the packets to your own edge router which would happily send them back. I've proposed the IPIP tunnel in order that it didn't depend on what the upstream ISP would do with these packets. But OK, the hairpin IPIP tunnel saves some bandwidth on the cable, curious what traffic statistics you will see on it :)

Please update the drawing with the position of the speedtest server and the linking of the two /25 subnets to the interfaces of the routers, and put it as an attachment here rather than linking to an external site. There's the Attachments tab still below the [Save draft] [Preview] [Submit] buttons.
Last edited by sindy on Mon May 31, 2021 5:46 pm, edited 1 time in total.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 5:29 pm

@sindy

[image attachment: network diagram]
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 6:16 pm

As I've understood, the hotspot functionality is running at the edge router, but the src-nat rules are already at the access routers, is that correct?

At which router have you "disabled it (the other public /25 I assume) from IP>Address", at the edge one or at the access one?

Are the configurations of the two "access routers" identical (except particular subnets) or do they differ?

The speedtest server is a problem for every type of user (PPPoE with public IP, hotspot with public IP, CGNAT one) or only for some?

I'm afraid that with this level of complexity, I'll need configuration exports from all three machines, obfuscated in a way that the relationship between subnets and routes is not lost, and with an indication of the configuration row whose change disables internet access for the hotspot users.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 6:55 pm

So I've asked the ISP (I'm helping them out on goodwill) to export hide-sensitive for all three devices. Will share it once they've shared it with me.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Mon May 31, 2021 8:51 pm

@Sindy

Newly updated diagram and the configs.

[image attachment: updated network diagram]
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Wed Jun 02, 2021 6:27 pm

@Sindy I've edited the post above with updated config files with better meaningful obfuscation.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Thu Jun 03, 2021 8:57 am

Hi,
  1. How does the core router know to send traffic for 6.0.0.0/25 and 6.0.0.128/25 to the access routers? BGP is disabled at access router 1 and not configured at all at access router 2, and there are no static routes to 6.0.0.x/y at the core router.
  2. as the hotspot handling is done at the access routers, not at the core as I've understood initially, I'm of little use here, because I never had a reason to understand the hotspot magic and thus I don't know what firewall rules the hotspot functionality dynamically creates. So you'll have to use /tool sniffer at both the access router and at the core router to find out what happens when the hotspot client is trying to access a public IP outside your network and what happens when it is trying to access the internal speedtest server.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Thu Jun 03, 2021 2:45 pm

Hi,
  1. How does the core router know to send traffic for 6.0.0.0/25 and 6.0.0.128/25 to the access routers? BGP is disabled at access router 1 and not configured at all at access router 2, and there are no static routes to 6.0.0.x/y at the core router.
  2. as the hotspot handling is done at the access routers, not at the core as I've understood initially, I'm of little use here, because I never had a reason to understand the hotspot magic and thus I don't know what firewall rules the hotspot functionality dynamically creates. So you'll have to use /tool sniffer at both the access router and at the core router to find out what happens when the hotspot client is trying to access a public IP outside your network and what happens when it is trying to access the internal speedtest server.
1. 6.0.0.0/25 and 6.0.0.128/25 are not meant to be reachable from the access routers, whatsoever. These IPs are used only for point-to-point communication between the ISP itself and their raw bandwidth provider. They are not meant to be reachable to the public or for access routers.
2. We found it was the DDoS rule blocking the speedtest server, weirdly. We simply excluded the public /24s the ASN has from src-address-list in the DDoS rule.
3. Another issue we found is if a customer behind PPPoE pings an IP address of another PPPoE user which is public, it does not get routed internally and exits through the public provider and then gets routed back in.

So for 3. what I suggested to them is a simple rule in the routing table where dst-address=public/25 and another for their public/26 on each of the access routers with gateway=sfpplus2-8G-6-Switch aka the LAN interface/customer facing interface. They have not tested it yet, but in theory, I believe now if customers are trying to talk to each other with the public IPs directly, they should be routed internally on each of the access routers. Though the larger problem exists, for now, to get them to talk to each other for different blocks located on each access router without creating issues.

Perhaps you're okay with a remote session with them? If so I could arrange for it, perhaps.
 
DarkNate
Forum Veteran
Topic Author
Posts: 997
Joined: Fri Jun 26, 2020 4:37 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Fri Jun 04, 2021 1:25 pm

So previously they were using netmap instead of src nat.

After changing to src nat, the IPs mapped to the customers are randomly changing per new TCP/UDP connection and hence causing issues for them.
For example: What's my IP shows 1.1.1.1, next refresh it's 1.1.2.1. With netmap previously, this did not occur.

Any ideas why?
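The thread does not answer this question. The following Python model is an added example written for this page, not RouterOS code and not any poster's configuration; it shows one mechanism consistent with what the post describes. It assumes that action=netmap behaves like the Linux netfilter NETMAP target (a static 1:1 mapping that keeps the host bits of the client address that fit into the public range) and that action=src-nat with a range of to-addresses picks the public address per connection from a hash over the source and destination address, as the Linux kernel NAT does unless its persistent option is set. Whether RouterOS uses exactly that selection is an assumption, and the XOR used below stands in for the kernel's real hash; only the dependence on the destination matters for the point. All addresses are constructed documentation-range samples.

```python
"""Model of two RouterOS srcnat actions discussed in this thread:
action=netmap (static 1:1 address mapping) and action=src-nat with a
to-addresses range (per-connection address choice). Not RouterOS code."""
import ipaddress


def netmap_address(src_ip, public_net):
    """Linux NETMAP rule: keep the host bits that fit into the public range,
    replace the rest. Assumption: RouterOS action=netmap behaves the same.
    A /21 mapped into a /25 therefore folds eight inside hosts onto each
    public address (100.64.8.5 and 100.64.9.5 both become .5)."""
    net = ipaddress.ip_network(public_net)
    lo, hi = int(net[0]), int(net[-1])
    host_mask = lo ^ hi  # bits that vary inside the public range
    mapped = (int(ipaddress.ip_address(src_ip)) & host_mask) | (lo & ~host_mask)
    return str(ipaddress.ip_address(mapped))


def srcnat_address(src_ip, dst_ip, public_net):
    """src-nat with a range: one address of the range is chosen per
    connection by hashing source and destination address (Linux default
    without the persistent flag), so a client reaching two different
    destinations may leave through two different public addresses.
    The XOR here is a stand-in for the kernel's jhash."""
    net = ipaddress.ip_network(public_net)
    src, dst = int(ipaddress.ip_address(src_ip)), int(ipaddress.ip_address(dst_ip))
    return str(net[(src ^ dst) % net.num_addresses])


def addresses_seen(client_ip, destinations, public_net, action):
    """Public addresses one client shows to a set of 'what's my IP' sites."""
    if action == "netmap":
        return sorted({netmap_address(client_ip, public_net) for _ in destinations})
    return sorted({srcnat_address(client_ip, d, public_net) for d in destinations})


if __name__ == "__main__":
    client = "100.64.8.5"  # constructed CGNAT client
    sites = ["198.51.100.20", "192.0.2.1", "192.0.2.9"]  # constructed destinations
    for action in ("netmap", "src-nat"):
        print(action, addresses_seen(client, sites, "203.0.113.0/25", action))
```

With netmap the client shows a single public address to every site; with the range-based src-nat it shows a different one per destination, while the same source/destination pair always yields the same address. The folding of a larger inside block onto a smaller public block under netmap is also visible in the model and means those inside hosts share one address's port space.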
 
czunigag03
just joined
Posts: 2
Joined: Tue Sep 12, 2017 1:19 am

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Tue Oct 19, 2021 8:53 pm

Hi guys, I want to use a Carrier Grade NAT for one class C to one /29 on MikroTik, any idea?

LAN: 192.168.1.0/24
WAN: 186.X.X.248/29

I'm testing with this, but it has some problems with streaming platforms like Netflix and Microsoft Stream.

/ip firewall nat
add action=src-nat chain=srcnat src-address=192.168.1.0/24 to-addresses=186.x.x.248/29

/ip address
add address=192.168.1.1/24 comment="LAN DHCP" interface="bridge dhcp" network=192.168.1.0
add address=186.x.x.248 comment=publica interface="Public IPs" network=186.x.x.248
add address=186.x.x.249 comment=publica interface="Public IPs" network=186.x.x.249
add address=186.x.x.250 comment=publica interface="Public IPs" network=186.x.x.250
add address=186.x.x.251 comment=publica interface="Public IPs" network=186.x.x.251
add address=186.x.x.252 comment=publica interface="Public IPs" network=186.x.x.252
add address=186.x.x.253 comment=publica interface="Public IPs" network=186.x.x.253
add address=186.x.x.254 comment=publica interface="Public IPs" network=186.x.x.254
add address=186.x.x.255 comment=publica interface="Public IPs" network=186.x.x.255

I use this other way in IP address but works similar

/ip address
add address=192.168.1.1/24 comment="LAN DHCP" interface="bridge dhcp" network=192.168.1.0
add address=186.x.x.248/29 comment=publica interface="Public IPs" network=186.x.x.248/29
 
olivier2831
Member Candidate
Posts: 296
Joined: Fri Sep 08, 2017 6:53 pm

Re: How do we properly perform CGNAT on a MikroTik Router for customers?

Tue Nov 09, 2021 6:11 pm

I'm testing with this, but it has some problems with streaming platforms like Netflix and Microsoft Stream.
Can you describe those problems ?
