So in the MikroTik wiki, they used action=src-nat as an example, whereas, on various MUM presentations, they used action=netmap.
Note: We are NOT doing or interested in deterministic NAT.
So basically this is what we want:
- NAT multiple subnet slices out of the 100.64.0.0/8 to public/25
- And accordingly, allow incoming traffic destined towards public/25 + destined for only ports 1024-65535 to be dst-natted to the various subnet slices out of the 100.64.0.0/8 to allow customers to take advantage of port randomisation and get port forwarding to work correctly for P2P traffic etc.
- What are the chances 100.64.0.0/8 customers would all use port 1024 for instance for their BitTorrent clients, right? Zero.
So this is what we've tried along with IPSec passthrough attribute:
#src-address-list=local, local is address list containing multiple CGNAT subnets like 100.64.0.0/24, 100.64.0.256/24 etc#
/ip firewall nat
add action=netmap chain=srcnat comment="Netmap for outbound TCP" ipsec-policy=out,none protocol=tcp src-address-list=local to-addresses=public/25 to-ports=1-65535
add action=netmap chain=srcnat comment="Netmap for outbound UDP" ipsec-policy=out,none protocol=udp src-address-list=local to-addresses=public/25 to-ports=1-65535
add action=netmap chain=srcnat comment="Netmap for outbound non TCP/UDP" ipsec-policy=out,none src-address-list=local to-addresses=public/25
#Example: we only want to allow access for port forwarding for 100.64.8.0/21 instead of everything inside src-address-list=local#
add action=dst-nat chain=dstnat comment="For inbound port forwarding TCP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=tcp to-addresses=100.64.8.0/21 to-ports=1024-65535
add action=dst-nat chain=dstnat comment="For inbound port forwarding UDP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=udp to-addresses=100.64.8.0/21 to-ports=1024-65535
Is there a proper way of doing CGNAT to allow this to work correctly? I feel something is wrong with the rules themselves.
A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.
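The following is an added worked example, not part of the post above and not MikroTik's code. It models what action=netmap does to addresses when a larger private prefix is mapped into a smaller public one, using the Linux NETMAP rule (host bits that fit inside the target prefix are kept, the rest are replaced; this is assumed to match RouterOS). The public /25 is a constructed placeholder from documentation space (203.0.113.0/25). The point it shows for the rules above: with 100.64.8.0/21 mapped into a /25, sixteen private hosts share every public address, so an inbound rule keyed only on public address and port has no single host to hand the connection to; with several /24 lists into the same /25, the hosts also collide across lists. It does not model how RouterOS picks an address from a dst-nat to-addresses range.

```python
import ipaddress
from collections import defaultdict

# Constructed placeholder for the poster's "public/25" (TEST-NET-3, documentation space).
PUBLIC_25 = "203.0.113.0/25"


def netmap(src_ip, to_net):
    """1:1 address translation as Linux NETMAP does it (assumed to match RouterOS action=netmap):
    keep the host bits that fit inside the target prefix, replace the network bits with the target's."""
    to = ipaddress.ip_network(to_net, strict=False)
    host_mask = int(to.hostmask)
    src = int(ipaddress.IPv4Address(src_ip))
    return ipaddress.IPv4Address((int(to.network_address) & ~host_mask) | (src & host_mask))


def fan_in(src_net, to_net):
    """Translate every address in src_net and group the private addresses by the public
    address they land on."""
    groups = defaultdict(list)
    for addr in ipaddress.ip_network(src_net, strict=False):
        groups[str(netmap(addr, to_net))].append(str(addr))
    return dict(groups)


def hosts_per_public(src_net, to_net):
    """Worst-case number of private hosts sharing one public address after netmap."""
    return max(len(hosts) for hosts in fan_in(src_net, to_net).values())


def inbound_candidates(public_ip, src_nets, to_net):
    """All private hosts, across every source list, whose outbound netmap produces public_ip.
    An inbound rule matching only dst-address=public_ip and a port range must choose among these."""
    candidates = []
    for net in src_nets:
        candidates.extend(fan_in(net, to_net).get(public_ip, []))
    return candidates


if __name__ == "__main__":
    # Host bits 0-6 survive; bit 7 of the last octet is lost, so .5 and .133 collide.
    print(netmap("100.64.8.5", PUBLIC_25))
    print(netmap("100.64.8.133", PUBLIC_25))
    # A /21 (2048 addresses) into a /25 (128 addresses) is 16 private hosts per public address.
    print(hosts_per_public("100.64.8.0/21", PUBLIC_25))
    # Two /24 entries in the "local" list both map into the same /25 and collide with each other too.
    print(inbound_candidates("203.0.113.5", ["100.64.0.0/24", "100.64.1.0/24"], PUBLIC_25))
```

Run it as-is; the /21 case prints 16, which is the number of customers an inbound dst-port 1024-65535 rule on one public address would have to disambiguate among. A true 1:1 inverse only exists when the private prefix mapped into the /25 is itself a /25 or smaller.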