Thanks for the reply.

NAT hides multiple addresses behind one and it works for outgoing connections. But if there's an incoming connection to the external address, the router must decide where to send it. With NAT 1:1, everything to the external address is sent to one internal address. Ports stay the same, only the destination address changes, it's easy. UPnP is for selected ports. So internal device A tells the router that it needs ports a, b, c forwarded to it, device B tells the router that it needs x, y, z. And it also works, because if an incoming connection is to port a, it goes to device A, if for port x, it goes to device B, also easy.
Yes, probably I haven't made myself clear. The context is online gaming. PSN/XBOX sets the NAT Type based on the network. If I connect the PS4/XBOX directly to the modem, they receive NAT Type 1 and in-game NAT Open.

I understand what you want. But think about the poor router. It has one external address, let's say 184.108.40.206. If a new connection comes to e.g. 220.127.116.11:5678, how can it know if it should send it to internal 192.168.88.10, 192.168.88.20, or some other one? It can't. It's like wanting to hit two completely different targets with one bullet.
The thing is that I cannot open all ports to a few clients. If I assign Netmap to a client, I lose the VPN of my MT and that's not the case.

edit removed
Good question, what is going on with MT NAT that is different from a consumer router that just works for this scenario?
I am thinking the extra granularity of MT should provide a config that works!!
Hi,

Do you say that when you connect two consoles to the modem directly (i.e. without Mikrotik in between the modem and the consoles) at the same time, both consoles indicate the same NAT type "open" and you can use both simultaneously (with two players playing the same online game each on one of those two consoles)?
A1: The gaming console should connect to the internet just fine with a router even if assigned a private IP. Opened ports (directly to the modem) work best.

Good question Sindy, are you trying to establish if one gaming console is being used or two being used at the same time?
Q1: Does one gaming console work with normal consumer router to modem (or isp supplied combo router/modem)?
Q2: Do two gaming consoles work at the same time with normal consumer router to modem (or isp supplied combo router/modem)?
Q3: Does one gaming console work with MT router?
Q4: Do two gaming consoles work at the same time with the MT router?
Q5: In any scenario where both consoles are connected at the same time, are players at each console able to play the same game concurrently (online)?
No need for VPN. MT > Linksys Router > PS4.

So you want Mikrotik to forward packets coming to its public address to the private one of the console on the LAN, but choose the right one depending on which console is connected at the time?
Because the DMZ approach (1:1 NAT) should be enough to make the console think that the NAT is the "open" type, and the private address can be updated using a script whenever one of the consoles gets an address from Tik's DHCP server. And the VPN access can be preserved using exceptions from the 1:1 dst-nat rule for the ports used for the VPN, unless the console uses the very same ports for its own purposes.
That is why I asked about two PS4s used simultaneously. You said you need just one PS4 but at the same time you say you need two clients in DMZ.

The problem is when I need more than one client in DMZ.
I agree.

That is why I asked about two PS4s used simultaneously. You said you need just one PS4 but at the same time you say you need two clients in DMZ.

The problem is when I need more than one client in DMZ.
In a NAT environment, 1:1 NAT is the best approximation of a DMZ you can get. When a device on a private IP checks how the NAT behaves in particular, it checks with the server whether the server has received the initial request for a connection from the same port from which the client has sent it; this is what Mikrotik normally does unless another client device sends a request to the same remote socket from the same port, as in such a case all the fields used to identify a connection (address:port of the server and address:port of the Mikrotik's WAN) would be identical for both connections, so it would not be possible to decide to which of the two connections a packet received at WAN belongs.
For incoming communication requests, where the device on the private side of the NAT acts as a server, the situation is even more hopeless - the address of the remote client cannot be used to choose the required one out of the two addresses on the private side, so you simply cannot have more than a single device in DMZ behind a NAT unless each of them would listen on a different set of ports.
That router is remotely connected through a wireless CPE so it is necessary to have a router, because that CPE is bridged and the end user needs to connect multiple devices.

Introducing a second router in the mix is, I suspect, going to be problematic regardless of which user console is going to be used...
Have you tried connecting the consoles directly to the MT router??
If you mean an address list of the sources in the internet, then yes. You can forward packets for wan.add.re.ss:port to private.add.ress.1:port if they come from a source on address-list "list1", and to private.add.ress.2:port if they come from a source on address-list "list2", and to private.add.ress.3:port if they come from a source which is not on any address list.

Can this be bypassed by having an address list to DMZ?
Thanks Sindy for giving your opinion in this topic. Probably we have gone so deep into this and I would like to clarify the main point here.

If you mean an address list of the sources in the internet, then yes. You can forward packets for wan.add.re.ss:port to private.add.ress.1:port if they come from a source on address-list "list1", and to private.add.ress.2:port if they come from a source on address-list "list2", and to private.add.ress.3:port if they come from a source which is not on any address list.

Can this be bypassed by having an address list to DMZ?
Or you can forward the packets to a private address chosen according to the destination port.
But you cannot decide which of the three internal addresses to choose if you do not know in advance on which port it listens (or if all of them listen on the same port) or from where the request will come.
It is not a matter of configuration, it is a matter of common sense. If you do not have any information in the packet itself which would tell you where to send it, there is nothing you could use to choose a forwarding (dst-nat) rule.
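The two selection methods described above (by the source address list the packet matches, or by its destination port), written out as RouterOS firewall rules. This is an added example, not configuration posted in the thread; the interface name WAN1, the console addresses 192.168.88.10/.20/.30, the contents of the address lists and the port ranges are all assumptions.

```routeros
# Added example, not from the thread. Assumptions: WAN interface "WAN1",
# consoles at 192.168.88.10, .20 and .30, and two address lists whose
# entries (constructed documentation ranges here) hold the remote peers
# that should reach console 1 and console 2 respectively.
/ip firewall address-list
add list=list1 address=203.0.113.0/24 comment="peers for console 1 (constructed)"
add list=list2 address=198.51.100.0/24 comment="peers for console 2 (constructed)"

# Option A: pick the private address by the SOURCE of the incoming packet.
# NAT rules are matched top to bottom and the first match wins, so the
# catch-all without src-address-list has to be the last of the three.
# dst-address-type=local limits the rules to packets addressed to the
# router's own public IP, which keeps them valid when that IP is dynamic.
/ip firewall nat
add chain=dstnat in-interface=WAN1 dst-address-type=local src-address-list=list1 \
    action=dst-nat to-addresses=192.168.88.10 comment="from list1 to console 1"
add chain=dstnat in-interface=WAN1 dst-address-type=local src-address-list=list2 \
    action=dst-nat to-addresses=192.168.88.20 comment="from list2 to console 2"
add chain=dstnat in-interface=WAN1 dst-address-type=local \
    action=dst-nat to-addresses=192.168.88.30 comment="everyone else to console 3"

# Option B (instead of A, not in addition: A's catch-all would match first):
# pick the private address by DESTINATION PORT. This only works if each
# console listens on its own non-overlapping range; the ranges below are
# assumptions. dst-port requires protocol, so TCP would need its own rules.
/ip firewall nat
add chain=dstnat in-interface=WAN1 dst-address-type=local protocol=udp dst-port=30000-30999 \
    action=dst-nat to-addresses=192.168.88.10 comment="UDP 30000-30999 to console 1"
add chain=dstnat in-interface=WAN1 dst-address-type=local protocol=udp dst-port=31000-31999 \
    action=dst-nat to-addresses=192.168.88.20 comment="UDP 31000-31999 to console 2"

# Neither option helps when two consoles expect the same port from the same
# remote peer: the incoming packet then carries nothing that tells them apart.
# Translated packets must also be allowed through the forward chain, e.g.
# /ip firewall filter add chain=forward connection-nat-state=dstnat action=accept
```

Check which rule a connection actually hit with /ip firewall nat print stats and /ip firewall connection print; a packet that matches no dst-nat rule is not translated at all and will normally be dropped by the forward filter.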
But I am still wondering about your overall topology. Do the PS4 games send packets between players directly, i.e. not via a gaming server? Because the only scenario I can imagine where you need a real DMZ is that you have two PS4s behind the same public IP, and a third one behind another public IP, and they all participate in the same game, so the third one needs to send direct packets to both the first and second one. Only in this case is there a conflict, because when the first PS4 seizes a particular port on the public IP of the WAN interface for a connection with the third one, the second PS4 cannot seize the same port for a connection with the third one, because the packets coming from the third PS4 to that port would be forwarded to the first console.
So maybe we were not clear enough in the example with two PS4s, where you want to have one connected directly to Mikrotik's LAN and the other one connected to the LAN of the Linksys, but it also gets to the internet via the same Mikrotik like the first one, and we've simplified it to just 2 PS4s on Mikrotik's LAN, approximating the tunnel via Linksys by just a cable?
For a single client that's no issue, the dst-nat rule may translate just the destination address and ignore protocol & port completely. So instead of specifying dst-port=1-65535, just leave the dst-port out from the rule completely, much like the default action=masquerade rules in chain=srcnat do. And this way, you can have a triple and quadruple NAT and still nothing happens.

How can we have all ports open for a given client? That's the issue.
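The single-console 1:1 setup described here and in the earlier DMZ post (a dst-nat rule with no protocol or port, exceptions so the router's own VPN keeps working, and a DHCP lease script that moves the rule to whichever console has just obtained an address), as an added RouterOS example. None of it is configuration from the thread. Assumed: interface WAN1, console at 192.168.88.10, the router's VPN on UDP 500/4500 (IPsec; substitute the ports your VPN really uses), a DHCP server named defconf and a placeholder console MAC.

```routeros
# Added example, not the thread's configuration. Assumptions: WAN interface
# "WAN1", console at 192.168.88.10, the router's own VPN listening on UDP
# 500 and 4500 (IPsec/IKE), DHCP server "defconf", placeholder console MAC.
/ip firewall nat
# 1. Exceptions come first. action=accept in chain=dstnat means "stop here,
#    do not translate", so these packets still terminate on the router.
add chain=dstnat in-interface=WAN1 dst-address-type=local protocol=udp dst-port=500,4500 \
    action=accept comment="keep the VPN on the router itself"
# 2. The 1:1 rule: no protocol, no dst-port, so every other port and protocol
#    addressed to the public IP goes to the console with only the address
#    rewritten. The fixed comment is how the lease script below finds the rule.
add chain=dstnat in-interface=WAN1 dst-address-type=local \
    action=dst-nat to-addresses=192.168.88.10 comment=dmz-console
# 3. Outgoing side: the usual masquerade rule, likewise protocol- and port-less.
add chain=srcnat out-interface=WAN1 action=masquerade

/ip firewall filter
# Replies to the console's own outgoing traffic already match the usual
# established/related accept rule; this lets the dst-natted inbound
# connections through. It must sit above any "drop everything from WAN" rule.
add chain=forward in-interface=WAN1 connection-nat-state=dstnat action=accept \
    comment="allow DMZ traffic to the console"

# 4. Optional: follow the console when DHCP hands it a (different) address.
#    RouterOS passes $leaseBound (1 = bound, 0 = released), $leaseActIP and
#    $leaseActMAC to the lease script. "$" and the inner quotes are escaped
#    because the script body is stored as a string. The MAC is a placeholder.
/ip dhcp-server set [find name=defconf] lease-script=":if (\$leaseBound = 1 && \$leaseActMAC = \"00:11:22:33:44:55\") do={ /ip firewall nat set [find comment=dmz-console] to-addresses=\$leaseActIP }"
```

With UPnP disabled this is the "single PS4 directly on Mikrotik's LAN" diagnostic step the thread suggests: if the console still reports a restricted NAT with these rules in place, the cause is not Mikrotik's 1:1 handling. Note that the VPN exception only holds as long as the console does not itself use UDP 500/4500.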
That is a very likely scenario. I'd like to have my consoles with all ports open. There are 3 and that's the problem.

If you'd have:
then NAT 1:1 from MT to Router and UPnP on Router should work fine (edit: although maybe not, I'm not sure if client gets public address from UPnP server, it wouldn't be public in this case, if it does). But if it would be anything like:
i.e. not all consoles behind the same router, it's probably impossible. You'd either need to configure the consoles to each use a different port range and configure such port forwarding on the routers (I have no idea if it's possible; probably not, because the average user would not be able to configure it anyway). Or there would have to be some UPnP proxy on the Router that would receive requests from clients, open ports as usual, and additionally send its own UPnP port opening request to the upstream router. I don't know if anything supports this (RouterOS surely doesn't).
That's why I talked about a single PS4 connected directly on Mikrotik's LAN (and with UPnP disabled); if it works to your satisfaction, Mikrotik's handling of 1:1 NAT is not the issue. Have you tried this simplified scenario as a diagnostic step?

How can we have all ports open for a given client? That's the issue.
When that is done (UPnP: Off), PS4 shows NAT restricted.
A single PS4 behind a Mikrotik and Linksys, each with 1:1 NAT configured, should also not be an issue even with UPnP disabled.
Could you please explain a little bit more of 1:1? Is that for a single device or for the entire LAN? How is that done?
Two PS4 (or one PS4 and something else talking to the same remote services) behind the same public IP will always be a problem no matter whether directly on Mikrotik's (or any other NATing router's) LAN or behind yet another 1:1 NAT device.
Well, the MT is handling a public IP dynamically for worse so I have auto routes.
Unfortunately, there is no IPv6 yet in here.
Then you should be able to install it. I don't know if such a thing exists, but the idea is logical and not even complicated (well, on first sight at least). So try to look around, maybe you'll be lucky.

Or there would have to be some UPnP proxy on the Router that would receive requests from clients, open ports as usual, and additionally send its own UPnP port opening request to the upstream router.
OK, so this is the place to start from.

That's why I talked about a single PS4 connected directly on Mikrotik's LAN (and with UPnP disabled); if it works to your satisfaction, Mikrotik's handling of 1:1 NAT is not the issue. Have you tried this simplified scenario as a diagnostic step?

How can we have all ports open for a given client? That's the issue.
When that is done (UPnP: Off), PS4 shows NAT restricted.
Just a small bit which doesn't help here. But unless you expect the inner NAT to be a 1:1 one again, I think it's not important, because in case of stacked NATs the client would have to be aware of the existence of the stacked NAT and use UPnP to request ports at the inner NAT and then, based on the result, request a port on the outer NAT in the name of the inner one. Or, as you've suggested before, the inner NAT would have to act as a UPnP client, request a port at the outer NAT, and based on that inform the client about the outer IP and port it has got. So it is probably a scriptable thing if you dive into UPnP enough, but the inner NAT must be able to run scripts, and its UPnP server functionality would have to be fully replaced by the script (in terms that it would receive the requests from the actual client, convert them into outgoing requests to the outer NAT, and create according rules in its own firewall).

I've never done anything with multicast before, so I don't even know where to start. Do you know more than I do about this?
Is NAT on the second router absolutely necessary? Couldn't there be just a routed subnet? I don't know what exactly it is, if some serious ISP network, it could be a problem, but in some hobby network it could be ok.

That router is remotely connected through a wireless CPE so it is necessary to have a router, because that CPE is bridged and the end user needs to connect multiple devices.
Okay, at third reading it clicked after all (well, 2 AM is not so far away). When you replace the word "second" by "the closer one to the client" or "inner", things start making sense. So the client likely ignores service discovery responses indicating a unicast address in a non-connected subnet (what else could be the reason), so you satisfy it by giving it a response from a device in a connected subnet, and then steal the requests for that address and deliver them where you really need them to go. Cool. It means that you actually don't need the multicast routing at all, provided that the "closer to the client" router supports UPnP and port forwarding in the LAN -> WAN direction, and that the "outer" or "closer to internet" router doesn't mind getting client requests from a non-connected subnet.

... I saw the response on the client with Wireshark, but for some reason the client didn't like it, because no further communication followed. When I enable UPnP on the second router, the only goal is to make SSDP discovery work. The client accepts the response from the second router, ...
Modem > MT > Switch

I think it is time you provide the config, in a terminal window,
/export file=YourFileName hide-sensitive
and either attach the file here or copy and paste the contents between source code brackets
/ip firewall nat
add chain=srcnat action=masquerade out-interface="WAN1 PoE" log=no log-prefix=""
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat in-interface="WAN1 PoE" log=no log-prefix="" comment="DMZ Gaming"
If I do that, the rule only works for one of the two consoles when connected directly to MT. If I want both, I need to activate UPnP. But the problem is when I have the console behind another router.

So there is no chain=dstnat action=dst-nat in-interface=WAN1 to-addresses=the.ip.of.the.console rule in /ip firewall nat?