MikroTik Subreddit thread of this: https://www.reddit.com/r/mikrotik/comments/nnne1e/how_do_we_properly_perform_cgnat_on_a_mikrotik/
So in the MikroTik wiki, they used action=src nat as an example, whereas, on various MUM presentations, they used action=netmap.
Note: We are NOT doing or interested in deterministic NAT.
So basically this what we want:
- NAT multiple subnet slices out of the 100.64.0.0/8 to public/25
- And accordingly, allow incoming traffic destined towards public/25 + destined for only ports 1024-65535 to be dst-natted to the various subnet slices out of the 100.64.0.0/8 to allow customers to take advantage of port randomisation and get port forwarding to work correctly for P2P traffic etc.
- What are the chances 100.64.0.0/8 customers would all use port 1024 for instance for their Bittorent clients, right? Zero.
This is an imperfect solution compared to IPv6, but we would like to give customers at least a better if not perfect P2P networking experience while IPv6 is being rolled out.
So this is what we've tried along with IPSec passthrough attribute:
#src-address-list=local, local is address list containing multiple CGNAT subnets like 100.64.0.0/24, 100.64.0.256/24 etc# /ip firewall nat add action=netmap chain=srcnat comment="Netmap for outbound TCP" ipsec-policy=out,none protocol=tcp src-address-list=local to-addresses=public/25 to-ports=1-65535 add action=netmap chain=srcnat comment="Netmap for outbound UDP" ipsec-policy=out,none protocol=udp src-address-list=local to-addresses=public/25 to-ports=1-65535 add action=netmap chain=srcnat comment="Netmap for outbound non TCP/UDP" ipsec-policy=out,none src-address-list=local to-addresses=public/25 #Example we only want to allow accessible for port frowarding for 100.64.8.0/21 instead of everything inside src-address-list=local# add action=dst-nat chain=dstnat comment="For inbound port forwarding TCP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=tcp to-addresses=100.64.8.0/21 to-ports=1024-65535 add action=dst-nat chain=dstnat comment="For inbound port forwarding UDP" dst-address=public/25 dst-port=1024-65535 in-interface-list=WAN protocol=udp to-addresses=100.64.8.0/21 to-ports=1024-65535
So the above rules, sort of works... On the customer end, we were able to seed torrent traffic without any issues but the ports are still "closed" for the public /25 mapped to the customer at the time of testing, which we checked with the port checker.
Is there a proper way of doing CGNAT to allow this to work correctly? I feel something is wrong with the rules themselves.
A different network operator was able to open up ports from the public for their CGNATted customers using MikroTik, we are not sure how they did it.
No comments:
Post a Comment