nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

ASK [CGNAT-port forwarding]

Mon Nov 22, 2021 1:58 am

In my case I'm using CGNAT, which is working well!
I'm sharing only one public IP address for my clients.

What I'm trying to do now is port forwarding for the server (client).

E.g., it is simple: CPE01 is the end user, they have some server, and they want to use port forwarding for that.

Any tip on how I can do that?

Just a note here: the public IP address is terminated on the CGNAT router. I can do port forwarding to CPE01 (if I do a NAT rule on the CGNAT router), but I want to be able to get to the server on it.
Please see the topology.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: ASK [CGNAT-port forwarding]

Tue Nov 23, 2021 1:02 pm

Are you saying that your ISP is using CGNAT? If that is the case then you won't be able to do what you want.

If your ISP is providing you with a fixed external IP address then you just need to put in a Firewall/NAT rule to forward the port traffic to your client's server IP address (Check this link).
 
nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ASK [CGNAT-port forwarding]

Tue Nov 23, 2021 10:24 pm

I'm not saying that.
Let's say CGNAT is R2, which is connected to the gateway router (R1), and I have assigned only one public IP address (R1 ==> R2) for some customers (I'm sharing the public IP address; that is the purpose of CGNAT).
Everything works fine, I'm just wondering whether I can do port forwarding for the server (client), which in theory is hard to say yes to.
 
MickeyT
Member Candidate
Posts: 125
Joined: Tue Feb 18, 2020 7:06 am
Location: Australia

Re: ASK [CGNAT-port forwarding]

Wed Nov 24, 2021 8:03 am

OK, I think I understand what you're doing now. The short answer is yes, you can port forward to the client.

What I would do (based on your picture) is to forward the port for the external IP address from R1 to R2 and then R2 forwards the port to CPE01. The client (or you if you have access) will need to forward the port from CPE01 to the server. I've usually seen these arrangements called Double-NAT (although it looks more like Triple-NAT in this case with the client having a router) rather than CGNAT but the principle of the forwarding is the same.

I've never used a MikroTik configured for CGNAT but, given how versatile the MikroTiks are and that you have full access to configure the units, you should be able to get it working. The real issue is having a public IP address, once you've got that it's just a matter of getting the firewall and NAT rules correct.
 
nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ASK [CGNAT-port forwarding]

Wed Nov 24, 2021 10:37 am

Give me an example.
How should the rule look?
I can do PF to CPE01 if I configure that rule on the CGNAT router.
My goal is how to involve the server in that.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ASK [CGNAT-port forwarding]

Wed Nov 24, 2021 7:08 pm

I did not understand what you mean by "involving the server".

On the router with the public address, there must be an action=dst-nat rule with to-address=the.cgnat.address.of.customer.router

On the customer router, which has a CGNAT address on its WAN, there must be an action=dst-nat rule with to-address=the.lan.address.of.the.server.

The server itself doesn't need to do anything except listening at the private address.

If you want it complex and dangerous, you can permit UPnP on the customer router, and teach the server to request dynamic creation of a dst-nat rule on the customer router using UPnP.
 
nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ASK [CGNAT-port forwarding]

Thu Nov 25, 2021 7:20 am

[quote]I did not understand what you mean by "involving the server".[/quote]
That was a bad explanation.
I was trying to say that I want to be able to do port forwarding to the server.
[quote]On the router with the public address, there must be an action=dst-nat rule with to-address=the.cgnat.address.of.customer.router[/quote]
I did try; that will allow me to do PF to CPE01 only.
[quote]On the customer router, which has a CGNAT address on its WAN, there must be an action=dst-nat rule with to-address=the.lan.address.of.the.server.[/quote]
On the CPE the uplink IP address is 10.0.10.x and the server is 192.168.1.x.
That's why I'm getting stuck.

[quote]If you want it complex and dangerous, you can permit UPnP on the customer router, and teach the server to request dynamic creation of a dst-nat rule on the customer router using UPnP.[/quote]
That would be the last solution.
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: ASK [CGNAT-port forwarding]

Thu Nov 25, 2021 10:30 am

[quote]I did try; that will allow me to do PF to CPE01 only.[/quote]
It means there was some error in one of the dst-nat rules, or in some filter rules.

Of course you cannot use the same port for both the web access to the CPE and the web access to the server (the dst-nat rule handles the incoming traffic first, so if you port forward cpe.wan.i.p:80 to a LAN host, you lose access to port 80 of the CPE from the WAN side, which should not be permitted anyway), but as you are port forwarding from the public IP, I guess you don't forward pub.lic.i.p:80 anyway, so that should not be a surprise.

[quote]On the CPE the uplink IP address is 10.0.10.x and the server is 192.168.1.x.[/quote]
These days, CGNAT usually means not only the setup but also the use of a particular address range for the CPE WAN IPs, namely 100.64.0.0/10 (RFC 6598). The purpose is to avoid conflict with any RFC 1918 range the client may choose to use in their internal network.
 
nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ASK [CGNAT-port forwarding]

Thu Nov 25, 2021 10:56 am

[quote]It means there was some error in one of the dst-nat rules, or in some filter rules.[/quote]
I'm using different ports; that is not an issue.
The issue is that from the CGNAT I can't ping the server IP address (192.168.1.x), which is logical.
That's why I can't make it work.
This is a basic example:

```
# on the CGNAT router (public IP 1.1.1.1 on the WAN side)
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8080 in-interface-list=WAN protocol=tcp to-addresses=192.168.1.z to-ports=80 comment=server
add action=dst-nat chain=dstnat dst-address=1.1.1.1 dst-port=8222 in-interface-list=WAN protocol=tcp to-addresses=10.0.1.x to-ports=8291 comment=CPE01
```
 
nichky
Forum Guru
Topic Author
Posts: 1275
Joined: Tue Jun 23, 2015 2:35 pm

Re: ASK [CGNAT-port forwarding]

Fri Nov 26, 2021 12:33 am

It seems like I found a solution.

- CGNAT -
```
# CGNAT router: public-ip:89/tcp -> CPE-ip:80
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=public-ip dst-port=89 protocol=tcp to-addresses=CPE-ip to-ports=80
```

- CPE -
```
# CPE: traffic from public-ip arriving for CPE-ip (any protocol/port) -> server-ip
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=CPE-ip src-address=public-ip to-addresses=server-ip
```

NAT is amazing!
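Added example, not from the thread or from MikroTik: a small Python model of the two-hop dst-nat that sindy describes (one rule on the router holding the public IP, one on the customer router) and that the final configuration above implements, including the reply path and the two caveats raised earlier in the thread (a forwarded port shadows the CPE's own service on that port, and a CGNAT pool carved out of RFC 1918 space can collide with customer LANs). Every address, node name and the Node/trace helpers are constructed for the illustration; the model covers only chain=dstnat and connection tracking, not filter rules, masquerade, or the src-address match used in the CPE rule above.

```python
"""Chained dst-nat through a CGNAT router and a customer CPE (added example, not from the thread).

Models how a RouterOS-style router consults chain=dstnat before deciding whether a packet is for
itself, and how connection tracking undoes each translation on the reply. Constructed addresses:
203.0.113.10 = shared public IP, 100.64.0.2 = CPE WAN address (RFC 6598 pool), 192.168.1.20 = server.
"""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def pool_conflicts_with_rfc1918(pool: str) -> bool:
    """True if a CGNAT pool can collide with a private range a customer may use on their LAN."""
    return any(ipaddress.ip_network(pool).overlaps(n) for n in RFC1918)

Packet = namedtuple("Packet", "src sport dst dport")
# one 'add chain=dstnat action=dst-nat dst-address=.. dst-port=.. to-addresses=.. to-ports=..' rule
DstNat = namedtuple("DstNat", "dst_address dst_port to_address to_port")

@dataclass
class Node:
    name: str
    addresses: set
    routes: list = field(default_factory=list)     # (network, next-hop Node), most specific first
    dstnat: list = field(default_factory=list)
    conntrack: dict = field(default_factory=dict)  # translated 4-tuple -> original (dst, dport)

    def inbound(self, pkt):
        # dstnat runs first, so a forwarded port shadows the same port on the router's own address
        for r in self.dstnat:
            if (pkt.dst, pkt.dport) == (r.dst_address, r.dst_port):
                new = Packet(pkt.src, pkt.sport, r.to_address, r.to_port)
                self.conntrack[(new.src, new.sport, new.dst, new.dport)] = (pkt.dst, pkt.dport)
                pkt = new
                break
        if pkt.dst in self.addresses:
            return "local", pkt, None
        for net, hop in self.routes:
            if ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(net):
                return "forward", pkt, hop
        return "no-route", pkt, None

    def reply(self, pkt):
        # reverse the translation for a reply that belongs to a tracked connection
        orig = self.conntrack.get((pkt.dst, pkt.dport, pkt.src, pkt.sport))
        return Packet(orig[0], orig[1], pkt.dst, pkt.dport) if orig else pkt

def trace(first: Node, pkt: Packet, max_hops: int = 8):
    """Walk a packet node to node; return (name of node where it ended, packet as seen there, path)."""
    node, path = first, []
    for _ in range(max_hops):
        path.append(node)
        verdict, pkt, hop = node.inbound(pkt)
        if verdict != "forward":
            return node.name, pkt, path
        node = hop
    return "loop", pkt, path

def trace_reply(path, pkt: Packet) -> Packet:
    """Carry the answering host's reply back along the path, undoing each NAT in turn."""
    for node in reversed(path[:-1]):  # path[-1] is the host that answered
        pkt = node.reply(pkt)
    return pkt

def build(single_hop: bool):
    upstream = Node("R1", set())  # ISP gateway: whatever the CGNAT router cannot route goes here
    server = Node("server", {"192.168.1.20"})
    cpe = Node("CPE01", {"100.64.0.2", "192.168.1.1"}, [("192.168.1.0/24", server)])
    cgnat = Node("CGNAT", {"203.0.113.10"}, [("100.64.0.0/10", cpe), ("0.0.0.0/0", upstream)])
    if single_hop:
        # what the thread first tried: one rule on the CGNAT router pointing at the customer's LAN host
        cgnat.dstnat = [DstNat("203.0.113.10", 8080, "192.168.1.20", 80)]
    else:
        # the working arrangement: one dst-nat rule at each NAT boundary
        cgnat.dstnat = [DstNat("203.0.113.10", 89, "100.64.0.2", 80)]
        cpe.dstnat = [DstNat("100.64.0.2", 80, "192.168.1.20", 80)]
    return cgnat, cpe, server

def single_hop_result():
    """The rewritten packet has no route on the CGNAT router and leaves again via the default route."""
    cgnat, _, _ = build(single_hop=True)
    end, pkt, _ = trace(cgnat, Packet("198.51.100.7", 51000, "203.0.113.10", 8080))
    return end, pkt.dst

def two_hop_result():
    """Request reaches the server; the reply comes back re-sourced from the public IP and port."""
    cgnat, _, _ = build(single_hop=False)
    end, pkt, path = trace(cgnat, Packet("198.51.100.7", 51000, "203.0.113.10", 89))
    reply = trace_reply(path, Packet(pkt.dst, pkt.dport, pkt.src, pkt.sport))
    return end, (pkt.dst, pkt.dport), (reply.src, reply.sport)

def cpe_port_shadowed():
    """From the CGNAT side, 100.64.0.2:80 now lands on the server, not on the CPE's own web service."""
    _, cpe, _ = build(single_hop=False)
    end, _, _ = trace(cpe, Packet("100.64.0.1", 40000, "100.64.0.2", 80))
    return end
```

`single_hop_result()` reproduces the failure from the basic example earlier in the thread: after the rewrite to 192.168.1.20 the CGNAT router has no route into the customer LAN, so the packet follows the default route back toward the ISP gateway. `two_hop_result()` shows the working pair of rules and that the server's reply is translated back to 203.0.113.10:89 by the two conntrack entries, which is why the server itself needs no configuration. `cpe_port_shadowed()` demonstrates sindy's caveat that the CPE's own port 80 on its WAN address becomes unreachable once it is forwarded, and `pool_conflicts_with_rfc1918()` flags a pool such as 10.0.10.0/24 that can overlap a customer's LAN, which 100.64.0.0/10 avoids.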
