maliko
just joined
Topic Author
Posts: 1
Joined: Fri Mar 20, 2009 9:33 pm

nat overload with mikrotik

Fri Mar 20, 2009 9:47 pm

Hello,

Since I'm quite new on this forum, sorry if this question has already been answered; I haven't found it after a search.

I have a public pool of IP addresses (let's say a /27) on the ethernet interface and have set up one /24 for customers on WLAN. At the moment all customers are using NAT (PAT) through just one public IP address. Since there is no possibility of using 1-to-1 address translation, how can we offer those 30 addresses from the public IP pool (assigned by the upstream provider) so they act as 1-to-1 NAT translation, but when client number 31 wants to connect, NAT overload will start?

Thank you!
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: nat overload with mikrotik

Wed Mar 25, 2009 3:19 pm

I don't know if this is a workaround or if it's the best solution, but you can:
Assign IP address via DHCP (or radius)
DHCP Server has 1 ip pool range, let's say 192.168.0.1-192.168.0.29 (pool1)
the IP Pool has a "next-pool" set with ip addresses 10.1.1.1-10.1.1.254 (pool2)
in your /ip firewall nat configuration you can set
chain=srcnat action=src-nat to-addresses=192.168.0.30 src-address=10.1.1.0/24

Your DHCP server will try to assign the pool1 addresses to the clients as long as they are available. Once there are no IPs available, it will try the next pool: private IPs with NAT.

I assume you've got around 50 customers with an average of 35 online; this solution would be enough, I think (and most importantly, easy).
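An added example, not part of the post above or MikroTik's own documentation: the DHCP next-pool setup described in that post, written out as one RouterOS configuration. The interface names (wlan1, ether1), the router addresses and the shortened pool2 range are assumptions; 192.168.0.0/27 stands in for the public block as in the post, and the filter rules at the end are an optional addition for the hosts that are no longer behind NAT.

```routeros
# Added example. Assumptions (not from the thread):
#   ether1 = upstream interface, wlan1 = customer interface
#   192.168.0.0/27 stands in for the public /27 and is reachable on wlan1
#   the router holds 192.168.0.30 (also the overload address) and 10.1.1.254

/ip address
add address=192.168.0.30/27 interface=wlan1
add address=10.1.1.254/24 interface=wlan1

# pool2 is created first so pool1 can reference it as next-pool.
# It stops at .253 because .254 is assumed to be the router's own address.
/ip pool
add name=pool2 ranges=10.1.1.1-10.1.1.253
add name=pool1 ranges=192.168.0.1-192.168.0.29 next-pool=pool2

# One DHCP server hands out pool1 first and falls through to pool2
# once pool1 is exhausted.
/ip dhcp-server
add name=customers interface=wlan1 address-pool=pool1 disabled=no

# Each address range needs its own network entry so clients learn
# the right gateway.
/ip dhcp-server network
add address=192.168.0.0/27 gateway=192.168.0.30
add address=10.1.1.0/24 gateway=10.1.1.254

# Only the overflow clients are translated, all to the one remaining address.
# out-interface is an assumption so that traffic between the two customer
# ranges is not translated.
/ip firewall nat
add chain=srcnat action=src-nat src-address=10.1.1.0/24 out-interface=ether1 to-addresses=192.168.0.30

# Optional: clients holding pool1 addresses are directly reachable from
# upstream, so unsolicited inbound connections are dropped here.
/ip firewall filter
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1 dst-address=192.168.0.0/27 action=drop
```

Which clients end up with a routable address depends only on lease order, so a customer can move between direct and translated addressing from one lease to the next.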
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: nat overload with mikrotik

Mon Apr 26, 2010 11:15 pm

Is it possible to NAT a private subnet to multiple public IPs that are a part of the same subnet?
 
Muqatil
Trainer
Posts: 573
Joined: Mon Mar 03, 2008 1:03 pm
Location: London - UK

Re: nat overload with mikrotik

Tue Apr 27, 2010 10:53 am

This example will split all the connections from your private network across 3 different public IP addresses.
Be sure those 3 addresses can reach the internet and can be reached; assign them to the public interface.

Split all the connections in 3 branches with PCC
/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:3/2
Assign a NAT to each branch you just created
/ip firewall nat
add action=src-nat chain=srcnat comment="" connection-mark=1_conn disabled=no src-address=YOUR_PRIVATE_SUBNET to-addresses=FIRST_PUBLIC_IP
add action=src-nat chain=srcnat comment="" connection-mark=2_conn disabled=no src-address=YOUR_PRIVATE_SUBNET to-addresses=SECOND_PUBLIC_IP
add action=src-nat chain=srcnat comment="" connection-mark=3_conn disabled=no src-address=YOUR_PRIVATE_SUBNET to-addresses=THIRD_PUBLIC_IP
It should work :)
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: nat overload with mikrotik

Tue Apr 27, 2010 5:22 pm

PCC is not available, I must need a firmware update. I have 3.22. Any known issues with version 3.24 on power router 732?
 
znet
Member Candidate
Posts: 131
Joined: Mon Jul 24, 2006 8:07 pm
Location: Houston, Texas

Re: nat overload with mikrotik

Tue Apr 27, 2010 7:42 pm

I must ask the obvious question. If the customers are, in effect, going to get a Public IP, and you have them to give, why use NAT at all? Protect them through the firewall, but just give them the same gateway as you would have. I haven't thought this all the way through, but it might even be possible to route them. You might have to do some 'non-standard' setups, but if the object is to give them the Public IPs, just give them to them. If there is functionality required before they get the IP, like accounting or something else, I'm sure you can make it work.

Just thought I would suggest an out-of-the-box solution for you... Haven't proofed anything, hope it helps anyway. It could be simpler, with the benefit that everything that is NAT sensitive wouldn't be affected. GL.
 
rb384997
just joined
Posts: 16
Joined: Mon Apr 26, 2010 11:01 pm

Re: nat overload with mikrotik

Tue Apr 27, 2010 8:30 pm

Don't have enough public IPs to hand out.

Currently NATing 200-plus customers to one public IP.

Cisco uses NAT pools. I just wanted a way to divide up a small subnet of public IPs and have the private pool of addresses split up so I don't have so many private IPs NATed to one public.

Not sure what the limit is on how many private IPs can NAT to one public IP.
 
congo
Frequent Visitor
Posts: 65
Joined: Wed Jul 30, 2008 12:40 am
Location: Hungary

Re: nat overload with mikrotik

Tue Apr 27, 2010 9:16 pm

If he has more customers than public IPs, it is understandable. Because there are a limited amount of ports to use for srcnat, if there are lots of customers with many simultaneous connections, you must NAT them to more than one public IP.
 
DaLemon
just joined
Posts: 3
Joined: Mon Sep 04, 2006 10:02 pm

Re: nat overload with mikrotik

Tue Dec 14, 2010 12:18 pm

Ok, this is possibly one of the easiest things I have done. I was frustrated and was just playing around but this works 100% for me:

This is only an example: I am natting the private range 10.50.0.0/16 to the private range 192.168.1.0/25. In the real world you would use your public address space here.
/ip firewall nat add action=src-nat chain=srcnat comment="" disabled=no src-address=10.50.0.0/16 to-addresses=192.168.1.1-192.168.1.128
And that's all. No connection marks, no packet marks.

I have not done extensive testing yet, but it seems to be working for me.
