...
Tip |
---|
Though Source NAT and masquerading perform the same fundamental function: mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit. |
CGNAT (NAT444)
To combat IPv4 address exhaustion, a new RFC 6598 was deployed. The idea is to use shared 100.64.0.0/10 address space inside the carrier's network and performing NAT on the carrier's edge router to a single public IP or public IP range.
Because of the nature of such setup, it is also called NAT444, as opposed to a NAT44 network for a 'normal' NAT environment, three different IPv4 address spaces are involved.
CGNAT configuration on RouterOS does not differ from any other regular source NAT configuration:
Code Block | ||
---|---|---|
| ||
/ip firewall nat
add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-address=2.2.2.2 out-interface=<public_if> |
Where:
- 2.2.2.2 - public IP address,
- public_if - interface on providers edge router connected to the internet
The advantage of NAT444 is obvious, fewer public IPv4 addresses are used. But this technique comes with major drawbacks:
- The service provider router performing CGNAT needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
- Console gaming problems. Some games fail when two subscribers using the same outside public IPv4 address try to connect to each other.
- Tracking users for legal reasons means extra logging, as multiple households go behind one public address.
- Anything requiring incoming connections is broken. While this already was the case with regular NAT, end-users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
- Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is reached more often and some services may be of poor quality.
- 6to4 requires globally reachable addresses and will not work in networks that employ addresses with a limited topological span.
Packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries. Service Providers MUST filter such packets on ingress links. In RouterOS this can be easily done with firewall filters on edge routers:
Code Block | ||
---|---|---|
| ||
/ip firewall filter
add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
add chain=output dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
add chain=forward src-address=100.64.0.0/10 action=drop in-interface=<public_if>
add chain=forward src-address=100.64.0.0/10 action=drop out-interface=<public_if>
add chain=forward dst-address=100.64.0.0/10 action=drop out-interface=<public_if> |
Service providers may be required to do logging of MAPed addresses, in a large CGN deployed network that may be a problem. Fortunately, RFC 7422 suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response.
RFC states that instead of logging each connection, CGNs could deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a., internal side) to public addresses extended with port ranges.
In RouterOS described algorithm can be done with few script functions. Let's take an example:
Inside IP | Outside IP/Port range |
100.64.1.1 | 2.2.2.2:2000-2099 |
100.64.1.2 | 2.2.2.2:2100-2199 |
100.64.1.3 | 2.2.2.2:2200-2299 |
100.64.1.4 | 2.2.2.2:2300-2399 |
100.64.1.5 | 2.2.2.2:2400-2499 |
100.64.1.6 | 2.2.2.2:2500-2599 |
Instead of writing NAT mappings by hand, we could write a function that adds such rules automatically.
Code Block | ||
---|---|---|
| ||
:global sqrt do={
:for i from=0 to=$1 do={
:if (i * i > $1) do={ :return ($i - 1) }
}
}
:global addNatRules do={
/ip firewall nat add chain=srcnat action=jump jump-target=xxx \
src-address="$($srcStart)-$($srcStart + $count - 1)"
:local x [$sqrt $count]
:local y $x
:if ($x * $x = $count) do={ :set y ($x + 1) }
:for i from=0 to=$x do={
/ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
}
:for i from=0 to=($count - 1) do={
:local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
}
} |
After pasting the above script in the terminal function "addNatRules" is available. If we take our example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each address uses a range of 100 ports starting from 2000. So we run our function:
Code Block | ||
---|---|---|
| ||
$addNatRules count=6 srcStart=100.64.1.1 toAddr=2.2.2.2 portStart=2000 portsPerAddr=100 |
Now you should be able to get a set of rules:
Code Block | ||
---|---|---|
| ||
[admin@rack1_b18_450] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=jump jump-target=xxx src-address=100.64.1.1-100.64.1.6 log=no log-prefix=""
1 chain=xxx action=jump jump-target=xxx-0 src-address=100.64.1.1-100.64.1.2 log=no log-prefix=""
2 chain=xxx action=jump jump-target=xxx-1 src-address=100.64.1.3-100.64.1.4 log=no log-prefix=""
3 chain=xxx action=jump jump-target=xxx-2 src-address=100.64.1.5-100.64.1.6 log=no log-prefix=""
4 chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=tcp src-address=100.64.1.1 log=no log-prefix=""
5 chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=udp src-address=100.64.1.1 log=no log-prefix=""
6 chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=tcp src-address=100.64.1.2 log=no log-prefix=""
7 chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=udp src-address=100.64.1.2 log=no log-prefix=""
8 chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=tcp src-address=100.64.1.3 log=no log-prefix=""
9 chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=udp src-address=100.64.1.3 log=no log-prefix=""
10 chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=tcp src-address=100.64.1.4 log=no log-prefix=""
11 chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=udp src-address=100.64.1.4 log=no log-prefix=""
12 chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=tcp src-address=100.64.1.5 log=no log-prefix=""
13 chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=udp src-address=100.64.1.5 log=no log-prefix=""
14 chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=tcp src-address=100.64.1.6 log=no log-prefix=""
15 chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=udp src-address=100.64.1.6 log=no log-prefix="" |
Hairpin NAT
Hairpin network address translation (NAT Loopback) is where the device on the LAN is able to access another machine on the LAN via the public IP address of the gateway router.
...
- the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
- the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 10.0.0.3, and the source IP address is 10.0.0.1;
- the web server replies to the request and sends the reply with a source IP address of 10.0.0.3 back to the router's LAN interface IP address of 10.0.0.1;
- the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 172.16.16.1 into the destination IP address field
Properties
Property | Description |
---|---|
action (action name; Default: accept) | Action to take if a packet is matched by the rule:
|
address-list (string; Default: ) | Name of the address list to be used. Applicable if action is add-dst-to-address-list or add-src-to-address-list |
address-list-timeout (none-dynamic | none-static | time; Default: none-dynamic) | Time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions
|
chain (name; Default: ) | Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created |
comment (string; Default: ) | Descriptive comment for the rule |
connection-bytes (integer-integer; Default: ) | Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transferred through the relevant connection |
connection-limit (integer,netmask; Default: ) | Matches connections per address or address block after a given value is reached |
connection-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular connection mark. If no-mark is set, the rule will match any unmarked connection |
connection-rate (Integer 0..4294967295; Default: ) | Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection |
connection-type (ftp | h323 | irc | pptp | quake3 | sip | tftp; Default: ) | Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port |
content (string; Default: ) | Match packets that contain specified text |
dscp (integer: 0..63; Default: ) | Matches DSCP IP header field. |
dst-address (IP/netmask | IP range; Default: ) | Matches packets which destination is equal to specified IP or falls into specified IP range. |
dst-address-list (name; Default: ) | Matches destination address of a packet against user-defined address list |
dst-address-type (unicast | local | broadcast | multicast; Default: ) | Matches destination address type:
|
dst-limit (integer[/time],integer,dst-address | dst-port | src-address[/time]; Default: ) | Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: count[/time],burst,mode[/expire] .
|
dst-port (integer[-integer]: 0..65535; Default: ) | List of destination port numbers or port number ranges |
fragment (yes|no; Default: ) | Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments as the system automatically assembles every packet |
hotspot (auth | from-client | http | local-dst | to-client; Default: ) | Matches packets received from HotSpot clients against various HotSpot matchers.
|
icmp-options (integer:integer; Default: ) | Matches ICMP type: code fields |
in-bridge-port (name; Default: ) | Actual interface the packet has entered the router if the incoming interface is a bridge |
in-interface (name; Default: ) | Interface the packet has entered the router |
ingress-priority (integer: 0..63; Default: ) | Matches ingress the priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. Read more>> |
ipsec-policy (in | out, ipsec | none; Default: ) | Matches the policy used by IpSec. Value is written in the following format: direction, policy . The direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation.
For example, if a router receives an IPsec encapsulated Gre packet, then rule |
ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp; Default: ) | Matches IPv4 header options.
|
jump-target (name; Default: ) | Name of the target chain to jump to. Applicable only if action=jump |
layer7-protocol (name; Default: ) | Layer7 filter name defined in layer7 protocol menu. |
limit (integer,time,integer; Default: ) | Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: count[/time],burst .
|
log-prefix (string; Default: ) | Adds specified text at the beginning of every log message. Applicable if action=log |
nth (integer,integer; Default: ) | Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule |
out-bridge-port (name; Default: ) | Actual interface the packet is leaving the router if the outgoing interface is a bridge |
out-interface (; Default: ) | Interface the packet is leaving the router |
packet-mark (no-mark | string; Default: ) | Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet |
packet-size (integer[-integer]:0..65535; Default: ) | Matches packets of specified size or size range in bytes |
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: ) | PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream |
port (integer[-integer]: 0..65535; Default: ) | Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if protocol is TCP or UDP |
protocol (name or protocol ID; Default: tcp) | Matches particular IP protocol specified by protocol name or number |
psd (integer,time,integer,integer; Default: ) | Attempts to detect TCP and UDP scans. Parameters are in the following format WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight
|
random (integer: 1..99; Default: ) | Matches packets randomly with a given probability |
routing-mark (string; Default: ) | Matches packets marked by mangle facility with particular routing mark |
same-not-by-dst (yes | no; Default: ) | Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if action=same |
src-address (Ip/Netmaks, Ip range; Default: ) | Matches packets which source is equal to specified IP or falls into specified IP range. |
src-address-list (name; Default: ) | Matches source address of a packet against user-defined address list |
src-address-type (unicast | local | broadcast | multicast; Default: ) | Matches source address type:
|
src-port (integer[-integer]: 0..65535; Default: ) | List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP. |
src-mac-address (MAC address; Default: ) | Matches source MAC address of the packet |
tcp-mss (integer[-integer]: 0..65535; Default: ) | Matches TCP MSS value of an IP packet |
time (time-time,sat | fri | thu | wed | tue | mon | sun; Default: ) | Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date |
to-addresses (IP address[-IP address]; Default: 0.0.0.0) | Replace the original address with the specified one. Applicable if action is dst-nat, netmap, same, src-nat |
to-ports (integer[-integer]: 0..65535; Default: ) | Replace the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat |
ttl (integer: 0..255; Default: ) | Matches packets TTL value |
Stats
Property | Description |
---|---|
bytes (integer) | The total amount of bytes matched by the rule |
packets (integer) | The total amount of packets matched by the rule |
To show additional read-only properties:
...