kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

NetMap Configuration Issue, Need to verify it

Mon Nov 07, 2022 10:20 am

Dear All Mikrotik Community
This is Kashif Khan

Actually, I was using CGNAT rules at almost a ratio of 1:5 (i.e. 1 public IP : 5 private IPs).
I have a pool of a /24 network of public IPs and almost 1250 private IPs allocated for users. My clients have been complaining for the last 3 to 4 months that the internet stops working for 5 to 6 sec and then starts working again. I can't see anything on the MikroTik WAN and LAN interfaces; all data is continuously passing IN and OUT. I googled a lot and also asked here in the community to fix it, and found that there are 2 possible causes for that (i.e. clients complaining for the last 3 to 4 months that the internet stops working for 5 to 6 sec).

1st reason: a DNS issue. DNS stops working; maybe Google 8.8.8.8 and 8.8.4.4 have some connection limits per IP, or something else.
2nd reason: a CGNAT src-NAT issue (as I was understanding it).

So, I tried changing to Google as the primary DNS server and my ISP's server as the secondary.
Also, after studying, I tried changing CGNAT to NETMAP, and this time I used a ratio of 1:8 with my local/private IP pool of /22 (2046 IPs) netmapped to a public IP pool of /24 (254 IPs):
8 TCP rules, 8 UDP rules and 1 masquerade rule, with each rule containing 8063 ports (instead of using 3810 rules in CGNAT).
(here is my config list + attached picture)

add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=1024-9087
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=9088-17151
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=17152-25215
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=25216-33279
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=33280-41343
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=41344-49407
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=49408-57471
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=57472-65535
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=1024-9087
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=9088-17151
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=17152-25215
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=25216-33279
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=33280-41343
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=41344-49407
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=49408-57471
add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=57472-65535
add action=masquerade chain=srcnat comment=" WAN Masquarade Rule" \
out-interface-list=WAN src-address-list=Src-Add-List

THE PROBLEM:
I need you experts' suggestions to check this: only 2 rules are passing data and the other rules are not even used?? My clients are not complaining to me, but is that OK?? Will I need to use more PORTS for these 2 rules and block/disable the other rules?? Or are 8063 ports enough??
Reference in the attached picture.

I designed the NetMap setup using this link as a reference:
https://mum.mikrotik.com/presentations/ ... 667160.pdf
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NetMap Configuration Issue, Need to verify it

Mon Nov 07, 2022 10:57 am

When you had a 1:5 ratio and (supposedly) an unlimited port range, your clients complained; now, you have a 1:1024 ratio and a limited port range (so many fewer client-side ports available for connections to the same server) and the clients do not complain. This suggests that the reason for the short-term outages wasn't the limitations of the previous NAT setup. So the DNS traffic seems to be a more likely cause of those issues. While it may be a capacity problem of Google DNS itself, it may also be a problem of handling the DNS traffic by your router (you haven't stated whether your clients are using 8.8.8.8 directly or whether your MikroTik acts as a DNS cache for them).

As for the netmap rules - the configuration syntax doesn't distinguish between parameters that are used to match the packets and parameters that specify the output values of the rules. In your netmap rules, you actually match on the same conditions (except protocol) in all rules:
out-interface-list=WAN protocol=tcp(udp) src-address=100.64.0.0/21
It means that all packets match the first rule for each protocol. To distribute the load among the public addresses, you would have to use longer prefixes as src-address, or some other criteria or distribution strategy (not recommended, as too many services consisting of multiple servers check whether all TCP sessions belonging to the same application-level session come from the same public IP address and block the request if they don't).

Also, there is not only TCP and UDP - your rules do not deal with ICMP, nor with other L4 protocols.

The only reason to restrict the to-ports range is when local legislation requires that you could identify a particular client for any given connection to the internet - in this case, it makes sense to assign a single public IP and a unique port range to each individual client, as this allows you to identify that client solely based on the public IP address and port used so you don't need to log all connections and search through the logs. If legislation doesn't request this, it is an unnecessary complication of both your firewall rules and your customer's life (some services depend on the source port being unchanged by NAT).
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: NetMap Configuration Issue, Need to verify it

Mon Nov 07, 2022 5:27 pm

Thanks Sindy

But I'm not able to get any of your points in an easy way. Moreover, the ratio is not 1:1024; right now it is 1:8.

And the users are a little happier than with my earlier settings. I request you to guide me to a good way to set up the NetMap configuration, if I'm doing something wrong.

Well, the DNS issue somehow looks solved, but I'm checking for a week. Let's see if these settings are good for me.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: NetMap Configuration Issue, Need to verify it

Mon Nov 07, 2022 10:32 pm

I'm not able to get any of your point in Easy Way.
Sorry to hear that. I'll try one more time, and if it doesn't help, maybe someone else will be able to put it in a more comprehensible way.

Moreover, the ratio is not 1:1024; right now it is 1:8.
Yes, correct, I've missed that the to-addresses has a /24 mask.

I request you to guide me for a good way to setup NetMap configuration, if I'm doing something wrong.
No idea where your English comes from, but to request anything on a forum like this is a bit inappropriate.

To the topic - to tell you what the "good" way is, we need to know what is the intended behaviour.

The reason why only the first action=netmap rule out of each eight acts is that it "shadows" all the subsequent ones. In other words, all packets that would match one of the following seven rules if they reached them already match the first one. And the handling of a packet in a chain stops at the first rule that matches (except where you can specify passthrough=yes, which is not the case in the srcnat and dstnat chains).

So please describe in plain words the idea that has led you to specify 8 netmap rules per protocol that only differ in the to-ports value.
 
smyers119
Member Candidate
Posts: 232
Joined: Sat Feb 27, 2021 8:16 pm
Location: USA

Re: NetMap Configuration Issue, Need to verify it

Mon Nov 07, 2022 10:53 pm

I've been ignoring this post because this is a good example of the XY problem. Instead of coming here with a problem needing to be solved, you came with a solution for an unknown problem that you can't make work.

And as always with these types of posts you'll never get anywhere until you take a step back and describe the problem you are trying to solve.
 
ponline
Frequent Visitor
Posts: 68
Joined: Tue Sep 28, 2004 9:19 pm

Re: NetMap Configuration Issue, Need to verify it

Wed Nov 09, 2022 3:05 pm

So, let's read his post carefully and try to answer with help in mind.
Answering in a patronizing tone, warning about language (which obviously was not his intention), is clearly more effort spent on giving an authoritatively positioned 'Answer' rather than HELP.
If you read a post and don't understand the OP's problem, just let it be; you don't have to answer. Someone might.

Kashif Khan,
As I understand it (you can correct me if I'm wrong):

You want to netmap a /21 network to a /24 network. That can be done with one rule for tcp, one for udp, and the third for non-port protocols.
The next rules are not being triggered because the source address is the same and the first rule takes all the packets. In this case you could give your first rule wider port numbers (or the complete port range), and you can delete the other rules.
- Now, some guru could explain whether it is OK to netmap /21 to /24, whether that proportionally maps in a 1:8 ratio, and whether it would be OK to do that.
I personally don't know about that, I have my doubts, but you test it and if it works, maybe that would be OK.

- What I do in your place (and I really have that scenario on my network): instead of a /21 subnet, I have 8x /24 subnets,
and netmap every /24 subnet to the same /24 public subnet but with different port numbers.
example:

add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.1.0/24 \
to-addresses=X.Y.254.0/24 to-ports=1024-9087
add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.2.0/24 \
to-addresses=X.Y.254.0/24 to-ports=9088-17151
.........
etc

So you end up with 8 tcp rules + 8 udp rules, and 1 masquerade rule for all non-port traffic.

Just my two cents, I hope I helped a bit.
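A small Python model of the first-match behaviour sindy describes and the per-/24 split ponline suggests. This is an added illustration, not RouterOS code and not anything from the thread; it simplifies rule matching to protocol plus src-address, uses the port ranges from the thread, and keeps X.Y.254.0/24 as a placeholder.

```python
import ipaddress
from collections import Counter

# Added illustration, not RouterOS code: a minimal model of how a srcnat chain
# picks a rule. Rules are tried in order and the first one whose match
# criteria fit the packet wins; srcnat has no passthrough, so rules that
# repeat an earlier rule's match criteria never receive any packets.

PORTS_PER_RULE = 8064          # 1024-9087, 9088-17151, ... as in the thread
PUBLIC = "X.Y.254.0/24"        # placeholder public pool, as written in the thread


def port_range(i):
    """to-ports value of the i-th rule (0-based): (1024, 9087), (9088, 17151), ..."""
    start = 1024 + i * PORTS_PER_RULE
    return (start, start + PORTS_PER_RULE - 1)


def make_rule(proto, src, i):
    return {"protocol": proto, "src_address": ipaddress.ip_network(src),
            "to_addresses": PUBLIC, "to_ports": port_range(i)}


def shadowed_rules(proto="tcp"):
    """The original post: 8 rules that all match src-address=100.64.0.0/21."""
    return [make_rule(proto, "100.64.0.0/21", i) for i in range(8)]


def split_rules(proto="tcp"):
    """The per-/24 variant: 100.64.0.0/21 spans 100.64.0.0-100.64.7.255,
    so each rule matches one of its eight /24 blocks."""
    return [make_rule(proto, f"100.64.{i}.0/24", i) for i in range(8)]


def first_match(rules, proto, src_ip):
    """Index of the first rule matching this packet, or None if no rule hits."""
    ip = ipaddress.ip_address(src_ip)
    for idx, rule in enumerate(rules):
        if rule["protocol"] == proto and ip in rule["src_address"]:
            return idx
    return None


def rule_hits(rules, packets):
    """Counter of rule index -> number of packets that landed on that rule."""
    return Counter(first_match(rules, proto, ip) for proto, ip in packets)


# Constructed sample traffic: one TCP flow from a host in each /24 of the /21.
SAMPLE = [("tcp", f"100.64.{i}.10") for i in range(8)]

if __name__ == "__main__":
    print("shadowed:", dict(rule_hits(shadowed_rules(), SAMPLE)))  # {0: 8}
    print("split:   ", dict(rule_hits(split_rules(), SAMPLE)))     # {0: 1, 1: 1, ..., 7: 1}
```

With identical match criteria every packet lands on rule 0, which is exactly the "only the first rule has counters" picture from the original post; once each rule matches its own /24, the eight rules share the traffic and each /24 gets its own port range.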
 
kashifzai86
Frequent Visitor
Topic Author
Posts: 58
Joined: Mon Nov 09, 2015 8:58 am
Location: Karachi

Re: NetMap Configuration Issue, Need to verify it  [SOLVED]

Sun Nov 13, 2022 2:59 pm

Thanks

Anyway, ISSUE SOLVED. I deleted a few rules and use only the 3 rules below:-

add action=netmap chain=srcnat comment="TCP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=tcp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=1024-9087

add action=netmap chain=srcnat comment="UDP- NetMap- CGNAT Rule" \
out-interface-list=WAN protocol=udp src-address=100.64.0.0/21 \
to-addresses=X.Y.254.0/24 to-ports=1024-9087

add action=masquerade chain=srcnat comment=" WAN Masquarade Rule" \
out-interface-list=WAN src-address-list=Src-Add-List
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: NetMap Configuration Issue, Need to verify it

Sun Nov 13, 2022 11:42 pm

I think another approach would be mapping each internal network /24 to the public /24 network on a specific port range,

creating rules for each /24,

following this guide

https://mum.mikrotik.com/presentations/ ... 667160.pdf

starting at page 61
