
 
Begetan
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Src NAT with -same rules on 6.x

Wed Apr 09, 2014 11:50 am

Hello,

I am using Mikrotik for NATing about 1,5 k users. Previously I used ROS5.18 with an RB1100AH and all was fine for up to 1K users. Now I am using x86 with ROS6.11 and some users complain about problems with some services.

For example, there is a problem with SIP.net, WebMoney security. Ordinary web sites show a different src IP in requests for a short period. Is there any problem with the -same rule in ROS 6.x, or may it be an issue in my setup?

Here is a configuration:
/ip firewall nat
add action=same chain=srcnat out-interface=ether1-bb src-address=172.16.0.0/19 to-addresses=\
    37.38.39.32/28
I've changed the NAT pool from /29 to /28 without any change.
Connection tracking shows currently 64K entries and 540k max entries.

Should I split our network into several /24 pools and translate each into a single IP?
A bit of a stupid configuration, I think.
 
stenlyto
Frequent Visitor
Posts: 79
Joined: Fri Aug 28, 2009 2:03 pm

Re: Src NAT with -same rules on 6.x

Wed Apr 09, 2014 2:29 pm

It must be working well.
Before you clear it up, you may apply the stupid idea ONLY for the complaining users... but it's a temporary decision!
Go behind the router with a laptop and open a website like Google: "what's my IP".
Open the website, see the IP, and refresh it a couple of times quickly, and then at intervals of 1-2 minutes... see what is going on.
If it doesn't change, the rule is working well, so start looking somewhere else.
 
ners
Frequent Visitor
Posts: 99
Joined: Tue Mar 12, 2013 4:30 pm

Re: Src NAT with -same rules on 6.x

Wed Apr 09, 2014 4:39 pm

Try same-not-by-dst=yes, it might help and I consider it to be best practice for NATting.
 
Begetan
Frequent Visitor
Topic Author
Posts: 97
Joined: Mon Jul 11, 2011 11:49 am

Re: Src NAT with -same rules on 6.x

Fri Apr 11, 2014 10:44 am

> Try same-not-by-dst=yes, it might help and I consider it to be best practice for NATting.

Thank you very much, ners!
This option solved the problem.
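
The effect of same-not-by-dst discussed in this thread, as an added example that is not part of the original posts: a simplified Python model in which the router picks the public address by hashing either the (client, destination) pair or the client alone. The hash-based selection, the function names and the sample destinations are assumptions for illustration; RouterOS's actual selection function is not shown in the thread.

```python
"""Simplified model of src-nat action=same address selection (added example).

Assumption: the public address is chosen by hashing the client address,
optionally together with the destination. Only the dependence on the
destination matters here, not the exact function RouterOS uses.
"""
import hashlib
import ipaddress

# to-addresses from the rule in the thread
POOL = [str(ip) for ip in ipaddress.ip_network("37.38.39.32/28")]


def pick_public_ip(client: str, dst: str, same_not_by_dst: bool) -> str:
    """Return the pool address used for a connection client -> dst."""
    # With same-not-by-dst=yes the destination is left out of the selection.
    key = client if same_not_by_dst else f"{client}>{dst}"
    digest = hashlib.sha256(key.encode()).digest()
    return POOL[int.from_bytes(digest[:4], "big") % len(POOL)]


def public_ips_seen(client, destinations, same_not_by_dst):
    """All public addresses one client appears under across destinations."""
    return {pick_public_ip(client, d, same_not_by_dst) for d in destinations}


def clients_with_unstable_ip(clients, destinations, same_not_by_dst):
    """Clients that remote services would see under more than one address."""
    return [c for c in clients
            if len(public_ips_seen(c, destinations, same_not_by_dst)) > 1]


# Constructed sample: the first 200 hosts of the src-address range and eight
# destinations from a documentation range (e.g. several servers of one service).
CLIENTS = [str(ip) for ip in list(ipaddress.ip_network("172.16.0.0/19").hosts())[:200]]
DESTINATIONS = [f"198.51.100.{n}" for n in range(1, 9)]

if __name__ == "__main__":
    for flag in (False, True):
        unstable = clients_with_unstable_ip(CLIENTS, DESTINATIONS, flag)
        print(f"same-not-by-dst={'yes' if flag else 'no'}: "
              f"{len(unstable)}/{len(CLIENTS)} clients seen under >1 public IP")
```

Services that tie a session to the client's address across several servers (SIP signalling and media, payment security checks) break in the first case and stay consistent in the second.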
