EdgarSoler
just joined
Topic Author
Posts: 8
Joined: Tue Apr 06, 2021 5:46 pm

CGNAT with SAME rule

Wed Nov 09, 2022 10:26 am

Hello, I have a doubt about my NAT rule. I have some published IPs and I want to distribute them randomly among my clients. I don't want them to have a different IP for each connection; I want each PPPoE tunnel to have one public IP, even if they are repeated.

What does same-not-by-dst mean?

My rule:
add action=same chain=srcnat comment="CGNAT" out-interface="WAN" same-not-by-dst=yes src-address-list="CGNATPRIVATE" to-addresses=1.1.1.1-1.1.1.50

Thanks!
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CGNAT with SAME rule

Wed Nov 09, 2022 10:39 am

The description in the manual doesn't clearly explain which value (yes or no) means that the destination address is taken into account (i.e. that connections from the same client to different servers may get src-nated to different public IPs), so you have to try.

I suspect that the destination address is hashed somehow, so testing with just two destination addresses is unlikely to be sufficient to see the difference.
 
EdgarSoler
just joined
Topic Author
Posts: 8
Joined: Tue Apr 06, 2021 5:46 pm

Re: CGNAT with SAME rule

Wed Nov 09, 2022 10:54 am

The description in the manual doesn't clearly explain which value (yes or no) means that the destination address is taken into account (i.e. that connections from the same client to different servers may get src-nated to different public IPs), so you have to try.

I suspect that the destination address is hashed somehow, so testing with just two destination addresses is unlikely to be sufficient to see the difference.
Apparently it works fine.
Each client is always assigned a public IP for all their connections.

I do not want a client to go out through several public IPs since it may have problems with some services.
 
chechito
Forum Guru
Posts: 2989
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: CGNAT with SAME rule

Wed Nov 09, 2022 7:11 pm

I have seen that with the not-by-dst option marked, a customer/subscriber uses the same public IP address for all outgoing connections.

What is not clear to me is how often this private/public IP relation changes, or whether it changes at all.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: CGNAT with SAME rule

Wed Nov 09, 2022 10:11 pm

I assume it is stateless in the sense that a hash of the source address and the destination address (if enabled) is converted to an index into the list of public addresses (similar to how per-connection-classifier works), but I'd have to see the source code to be sure - no documentation explains this.
 
EdgarSoler
just joined
Topic Author
Posts: 8
Joined: Tue Apr 06, 2021 5:46 pm

Re: CGNAT with SAME rule

Thu Nov 10, 2022 10:33 pm

I've been studying the method in "connection tracking"...
I need a mathematician. Let's look for the puzzle.

My currently used, working method.

Public: 1.1.1.160-1.1.1.249
All Private: 100.64.10.0/23 + 100.64.5.0/24

Random results on connection mark:

100.64.5.217 to 1.1.1.171
100.64.5.231 to 1.1.1.185
100.64.11.60 to 1.1.1.200
100.64.11.90 to 1.1.1.230
100.64.11.1 to 1.1.1.231

It's not stochastic...
Come on guys
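The five private-to-public pairs posted above are enough to test a candidate mapping against. The script below is an added example, not code from the thread or from MikroTik: it checks one assumed hypothesis (the source address taken as a 32-bit integer, reduced modulo the pool size and used as an index into the public pool) against those pairs and reports which ones fit. A mapping that is a pure function of the source address would also answer the earlier question about how often the private/public relation changes: it would not.

```python
import ipaddress

# Pairs observed in the thread (private source -> public address chosen by action=same).
OBSERVED = {
    "100.64.5.217": "1.1.1.171",
    "100.64.5.231": "1.1.1.185",
    "100.64.11.60": "1.1.1.200",
    "100.64.11.90": "1.1.1.230",
    "100.64.11.1": "1.1.1.231",
}
# Public pool from the thread: to-addresses=1.1.1.160-1.1.1.249
POOL_FIRST = "1.1.1.160"
POOL_LAST = "1.1.1.249"


def pool_size(first, last):
    """Number of addresses in an inclusive IPv4 range."""
    return int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1


def candidate_same_mapping(src, first, last):
    """Hypothesis under test (an assumption, not a documented RouterOS algorithm):
    treat the source IPv4 address as an unsigned 32-bit integer, reduce it modulo
    the pool size and use the remainder as an offset from the first pool address."""
    index = int(ipaddress.IPv4Address(src)) % pool_size(first, last)
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(first)) + index))


def check_hypothesis(observed, first, last):
    """Split the observed pairs into those the candidate predicts and those it misses,
    returning (src, observed_public, predicted_public) tuples for both lists."""
    matches, mismatches = [], []
    for src, public in observed.items():
        predicted = candidate_same_mapping(src, first, last)
        (matches if predicted == public else mismatches).append((src, public, predicted))
    return matches, mismatches


if __name__ == "__main__":
    ok, bad = check_hypothesis(OBSERVED, POOL_FIRST, POOL_LAST)
    for src, public, predicted in ok + bad:
        verdict = "ok" if public == predicted else "MISMATCH"
        print(f"{src:>14} -> observed {public:<12} predicted {predicted:<12} {verdict}")
    print(f"{len(ok)} of {len(OBSERVED)} pairs fit the modulo-{pool_size(POOL_FIRST, POOL_LAST)} hypothesis")
```

Five matches rule out chance for these samples but not other formulas that agree on them, so any further pairs from the router should be added to OBSERVED before drawing conclusions.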