fischerdouglas
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 3:09 pm

Actually, unfortunately, RouterOS only supports Deterministic/Predefined/Fixed CGNAT.
The two methods to deploy it are with source port or Netmap.
Both work well, primarily considering the Cost x Benefit relation.

But even within the pre-defined method, there is a feature that I think is possible, but I don't know how to do it.

I'm talking about the reuse of source ports to different destinations in CGNAT.
The whole idea of Fixed-NAT is to assign a range of SOURCE ports of a Public IP to a specific Internal IP address.

On the current methods of CGNAT in RouterOS (at least those I know), every new connection uses a different src-port, regardless of destination.

Example:
Internal IP:SrcPort | Dst IP:DstPort | Public IP:SrcPort
100.64.10.10:51123  | S.R.V.A:443    | 45.45.45.1:1025
100.64.10.10:44885  | S.R.V.A:443    | 45.45.45.1:1026
100.64.10.10:38759  | S.R.V.B:443    | 45.45.45.1:1027
100.64.10.10:28695  | S.R.V.C:443    | 45.45.45.1:1028

But, considering that the stateful connection table takes both source and destination into account, it is possible to define that, for different destination IP addresses, the public source port used is the same:
Internal IP:SrcPort | Dst IP:DstPort | Public IP:SrcPort
100.64.10.10:51123  | S.R.V.A:443    | 45.45.45.1:1025
100.64.10.10:44885  | S.R.V.A:443    | 45.45.45.1:1026
100.64.10.10:38759  | S.R.V.B:443    | 45.45.45.1:1025
100.64.10.10:28695  | S.R.V.C:443    | 45.45.45.1:1025

EDIT:
100.64.10.10 -> IPv4 Wan of Customer CPE
S.R.V.A -> Server A accessed by Customer (this one has 2 simultaneous connections from same Customer)
S.R.V.B -> Server B accessed by Customer
S.R.V.C -> Server C accessed by Customer
45.45.45.1 -> One IPv4 of the Public IP Pool used to CGNAT the internal 100.64/10 users.
1024-2047 -> Port Range of 45.45.45.1 pre-allocated to Internal IP Address 100.64.10.10

Other vendors call it "Sticky NAT".
It allows a much better use of Public IPs.

The question is:
-> How to tell RouterOS to do that?
"Hey Mr. RouterOS, if the Source IP is {ThatOne}, use this {port-range} of {PublicIP}...
BUUUUUUT, if the destination IP is different than the already active connections, try to use the already used source ports."
Last edited by fischerdouglas on Tue Aug 31, 2021 7:44 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 3:45 pm

Let me apologize straight away that I'm unable to answer your "how to do exactly this" question, but in what regard should re-using the same "public SrcPort" for different connections from the same Internal IP "allow a much better use of public IP" - or, in particular, what exactly does "better" mean here?

The connection tracking works with both the local and remote addresses and ports of the connection, so if the DstIP:DstPort tuple differs for two connections, the same "public SrcPort" can be used for both even if they come from different Internal IPs; on the other hand, if the DstIP:DstPort tuple is the same for two connections, two distinct "public SrcPort" values must be used even if those two connections come from the same Internal IP. So the use of Sticky NAT doesn't conserve the "public SrcPorts" in any way, it's always one "public SrcPort" per single local PublicIP per single DstIP:DstPort tuple.
 
fischerdouglas
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 5:19 pm

in particular, what exactly does "better" mean here?
Well... That old story about IPv4 exhaustion.
ISPs with an ASN, IPv6, and no IPv4 of their own.
Surviving with a /28 or /29 routed by their upstream.

When you have to make 1-1.5K end users fit into a /28, creativity is king.
A lot of effort on IPv6 deployment, and an incredibly careful use of IPv4 (each IP is precious).

I must say that I'm not an enthusiastic fan of using RouterOS in some scenarios. It already took several hours of sleep from me.
But the performance of a CCR 1036 to do Predefined NAT, considering its Cost X Benefit relation, is particularly good.

Normally, with a good deployment of IPv6 and a very well-done NAT exemption for internal servers (like CDNs and DNS), 1024 ports per user (63 users per Public IP) is "OK".
But for some customers, 1024 sequentially used ports are not enough...

Some vendors offer solutions like LSN (BPA) and SrcPort Reuse.
- LSN (BPA), I know, is a faraway thing for RouterOS.
- But I guess that Src-Port reuse (to different destinations) is much more likely to be done.

With SrcPort Reuse, considering that probably less than 30% of the destination IPs of the connections will be repeated,
it will allow a single Public IP to fit more than 63 end users without creating panic because of the lack of public ports.

So, that's the explanation to "better".
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 7:12 pm


Example:
Internal IP:SrcPort | Dst IP:DstPort | Public IP:SrcPort
100.64.10.10:51123  | S.R.V.A:443    | 45.45.45.1:1025
100.64.10.10:44885  | S.R.V.A:443    | 45.45.45.1:1026
100.64.10.10:38759  | S.R.V.B:443    | 45.45.45.1:1027
100.64.10.10:28695  | S.R.V.C:443    | 45.45.45.1:1028

But, considering that the stateful connection table takes both source and destination into account, it is possible to define that, for different destination IP addresses, the public source port used is the same:
Internal IP:SrcPort | Dst IP:DstPort | Public IP:SrcPort
100.64.10.10:51123  | S.R.V.A:443    | 45.45.45.1:1025
100.64.10.10:44885  | S.R.V.A:443    | 45.45.45.1:1026
100.64.10.10:38759  | S.R.V.B:443    | 45.45.45.1:1025
100.64.10.10:28695  | S.R.V.C:443    | 45.45.45.1:1025

I see the same source IP and destination IP in both your examples, but you mention something about different destinations; maybe your example has a typo.

I think there is a very common misunderstanding about this topic: many people think a range of 1024 src-port numbers is not enough for a typical household subscriber.

using your example:
100.64.10.10:51123 |S.R.V.A:443 |45.45.45.1:1025
100.64.10.10:44885 |S.R.V.A:443 |45.45.45.1:1026
100.64.10.10:38759 |S.R.V.B:443 |45.45.45.1:1027
100.64.10.10:28695 |S.R.V.C:443 |45.45.45.1:1028

100.64.10.10:51123 |S.R.V.A:443 |45.45.45.2:1025
100.64.10.10:44885 |S.R.V.A:443 |45.45.45.2:1026
100.64.10.10:38759 |S.R.V.B:443 |45.45.45.2:1027
100.64.10.10:28695 |S.R.V.C:443 |45.45.45.2:1028


A subscriber can perfectly well use the same src-port for different destinations. Most used services use a lot of different destination IPs on their servers, so you only get a problem if a subscriber establishes more than 1024 connections to the same destination IP, a very unlikely situation unless the subscriber has too many hosts connecting to that specific destination IP.

That is the reason why a deterministic CG-NAT implementation for household subscribers can perform correctly with port ranges assigned to subscribers as small as a 256 src-port range. I have seen some operators using even less; that way you can be close to a thousand subscribers per public IP without issue.

For corporate subscribers it can be better to assign a greater range, but that kind of subscriber is a fraction of the total subscriber base.
 
fischerdouglas
Frequent Visitor
Topic Author
Posts: 55
Joined: Thu Mar 07, 2019 6:38 pm
Location: Brazil

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 7:43 pm

I see the same source IP and destination IP in both your examples, but you mention something about different destinations; maybe your example has a typo.

using your example:
100.64.10.10:51123 |S.R.V.A:443 |45.45.45.1:1025
100.64.10.10:44885 |S.R.V.A:443 |45.45.45.1:1026
100.64.10.10:38759 |S.R.V.B:443 |45.45.45.1:1027
100.64.10.10:28695 |S.R.V.C:443 |45.45.45.1:1028
100.64.10.10 -> IPv4 Wan of Customer CPE
S.R.V.A -> Server A accessed by Customer (this one has 2 simultaneous connections from same Customer)
S.R.V.B -> Server B accessed by Customer
S.R.V.C -> Server C accessed by Customer
45.45.45.1 -> One IPv4 of the Public IP Pool used to CGNAT the internal 100.64/10 users.
1024-2047 -> Port Range of 45.45.45.1 pre-allocated to Internal IP Address 100.64.10.10
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CGNAT SRC-Port Reuse to Different Destinations - Sticky NAT

Tue Aug 31, 2021 11:05 pm

My imagination is probably not sufficient to understand how the preference of a particular port on the WAN IP for connections initiated by a particular internal IP can help serve more private IPs per the same public one.

Let's say I have assigned 10 ports on the public IP to be used for outgoing src-nated connections. If my LAN clients establish 10 sessions towards the same destination socket address (e.g. se.rv.er.A:port1), no more connections can be established to the same destination socket no matter from which internal IP they are initiated, but all the 10 ports can still be used for connections towards any other destination socket than se.rv.er.A:port1.

So allocating 10 ports in total provides a maximum of 10 connections towards each individual destination socket.

If all those 10 connections to the same destination socket are initiated by the same internal IP, each connection must get its own port on the public IP, so it will use all 10. If each of the 10 connections from the same internal IP is initiated towards a different destination socket, each of them occupies a single local port out of the total 10 that can be used for connections to that particular destination socket, so for further connections to each of these destination sockets, 9 ports remain available, no matter which particular one of the 10 ports gets seized by the internal IP - the same one for all these connections or a randomly chosen one for each.

What am I missing?
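The allocation logic the thread argues over (a fresh public port for every connection, versus reusing a port across different destination sockets while the connection table stays keyed on the full tuple) can be checked with a small simulation. The block below is an added example, not code from the posts or from RouterOS: it models one subscriber's pre-allocated port block under both policies and counts how many connections obtain a public port. The subscriber, server and public addresses are the placeholders used in the posts; the flows, the 198.51.100.x destinations and the 10-port block sizes are constructed sample data.

```python
"""Simulate deterministic CGNAT source-port allocation for one subscriber,
with and without per-destination reuse of public ports.

Added example, not code from the thread or from RouterOS. The subscriber,
server and public addresses are the placeholders used in the posts; the
flows are constructed sample data."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    """One outbound connection from a subscriber behind the CGNAT."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortBlock:
    """The public port range pre-allocated to ONE internal IP.

    policy="fresh": each new connection takes a public port that no other live
        connection of this subscriber uses, whatever its destination (the
        behaviour the first post describes).
    policy="reuse": a public port may carry several connections as long as the
        (public_port, dst_ip, dst_port) tuple stays unique, which is all a
        stateful connection table needs to map replies back ("Sticky NAT").
    """

    def __init__(self, public_ip: str, first_port: int, last_port: int, policy: str):
        if policy not in ("fresh", "reuse"):
            raise ValueError(f"unknown policy {policy!r}")
        self.public_ip = public_ip
        self.ports = list(range(first_port, last_port + 1))
        self.policy = policy
        # conntrack-style table: (public_port, dst_ip, dst_port) -> (src_ip, src_port)
        self.table: dict[tuple[int, str, int], tuple[str, int]] = {}
        self.in_use: set[int] = set()  # public ports carrying at least one flow

    def translate(self, flow: Flow) -> Optional[int]:
        """Choose a public source port for flow, or None if the block is exhausted."""
        free = [p for p in self.ports if p not in self.in_use]
        if self.policy == "fresh":
            candidates = free
        else:
            # Sticky preference: try ports already in use first, then free ones.
            candidates = sorted(self.in_use) + free
        for port in candidates:
            key = (port, flow.dst_ip, flow.dst_port)
            if key not in self.table:  # reply tuple must stay unambiguous
                self.table[key] = (flow.src_ip, flow.src_port)
                self.in_use.add(port)
                return port
        return None

    def admitted(self, flows) -> int:
        """Translate flows in order; return how many obtained a public port."""
        return sum(1 for f in flows if self.translate(f) is not None)


def op_example(policy: str) -> list:
    """The four connections from the first post, range 1024-2047 as in its EDIT."""
    block = PortBlock("45.45.45.1", 1024, 2047, policy)
    flows = [
        Flow("100.64.10.10", 51123, "S.R.V.A", 443),
        Flow("100.64.10.10", 44885, "S.R.V.A", 443),
        Flow("100.64.10.10", 38759, "S.R.V.B", 443),
        Flow("100.64.10.10", 28695, "S.R.V.C", 443),
    ]
    return [block.translate(f) for f in flows]


def same_destination(policy: str, n_ports: int, n_flows: int) -> int:
    """All flows go to one destination socket: reuse cannot help here."""
    block = PortBlock("45.45.45.1", 1024, 1024 + n_ports - 1, policy)
    flows = [Flow("100.64.10.10", 40000 + i, "S.R.V.A", 443) for i in range(n_flows)]
    return block.admitted(flows)


def distinct_destinations(policy: str, n_ports: int, n_flows: int) -> int:
    """Every flow goes to a different destination address (constructed 198.51.100.x)."""
    block = PortBlock("45.45.45.1", 1024, 1024 + n_ports - 1, policy)
    flows = [Flow("100.64.10.10", 40000 + i, f"198.51.100.{i}", 443) for i in range(n_flows)]
    return block.admitted(flows)


if __name__ == "__main__":
    for policy in ("fresh", "reuse"):
        print(policy, "OP example ->", op_example(policy))
        print(policy, "10 ports, 15 flows to one socket ->", same_destination(policy, 10, 15))
        print(policy, "10 ports, 25 flows to 25 sockets ->", distinct_destinations(policy, 10, 25))
```

Running it reproduces both positions in the thread: with every connection aimed at the same destination socket, a 10-port block admits exactly 10 connections under either policy, which is the per-destination limit sindy describes; with 25 connections to 25 different destinations, the "fresh" allocator stops at 10 while the "reuse" allocator admits all 25 on a single public port, which is the gain the first post is after. The simulation only shows what each policy implies given the tuple-based connection table; which policy a given RouterOS release actually applies is not something this model can settle.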
