Tip
Though Source NAT and masquerading perform the same fundamental function: mapping one address space into another one, the details differ slightly. Most noticeably, masquerading chooses the source IP address for the outbound packet from the IP bound to the interface through which the packet will exit.

CGNAT (NAT444)

To combat IPv4 address exhaustion, a new RFC 6598 was deployed. The idea is to use shared 100.64.0.0/10 address space inside the carrier's network and performing NAT on the carrier's edge router to a single public IP or public IP range.

Because of the nature of such setup, it is also called NAT444, as opposed to a NAT44 network for a 'normal' NAT environment, three different IPv4 address spaces are involved.

CGNAT configuration on RouterOS does not differ from any other regular source NAT configuration:

Code Block

language	ros

/ip firewall nat 
 add chain=src-nat action=srcnat src-address=100.64.0.0/10 to-address=2.2.2.2 out-interface=<public_if>

Where:

2.2.2.2 - public IP address,
public_if - interface on providers edge router connected to the internet

The advantage of NAT444 is obvious, fewer public IPv4 addresses are used. But this technique comes with major drawbacks:

The service provider router performing CGNAT needs to maintain a state table for all the address translations: this requires a lot of memory and CPU resources.
Console gaming problems. Some games fail when two subscribers using the same outside public IPv4 address try to connect to each other.
Tracking users for legal reasons means extra logging, as multiple households go behind one public address.
Anything requiring incoming connections is broken. While this already was the case with regular NAT, end-users could usually still set up port forwarding on their NAT router. CGNAT makes this impossible. This means no web servers can be hosted here, and IP Phones cannot receive incoming calls by default either.
Some web servers only allow a maximum number of connections from the same public IP address, as a means to counter DoS attacks like SYN floods. Using CGNAT this limit is reached more often and some services may be of poor quality.
6to4 requires globally reachable addresses and will not work in networks that employ addresses with a limited topological span.

Packets with Shared Address Space source or destination addresses MUST NOT be forwarded across Service Provider boundaries. Service Providers MUST filter such packets on ingress links. In RouterOS this can be easily done with firewall filters on edge routers:

Code Block

language	ros

/ip firewall filter
 add chain=input src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=output dst-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop in-interface=<public_if>
 add chain=forward src-address=100.64.0.0/10 action=drop out-interface=<public_if>
 add chain=forward dst-address=100.64.0.0/10 action=drop out-interface=<public_if>

Service providers may be required to do logging of MAPed addresses, in a large CGN deployed network that may be a problem. Fortunately, RFC 7422 suggests a way to manage CGN translations in such a way as to significantly reduce the amount of logging required while providing traceability for abuse response.

RFC states that instead of logging each connection, CGNs could deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a., internal side) to public addresses extended with port ranges.

In RouterOS described algorithm can be done with few script functions. Let's take an example:

Inside IP	Outside IP/Port range
100.64.1.1	2.2.2.2:2000-2099
100.64.1.2	2.2.2.2:2100-2199
100.64.1.3	2.2.2.2:2200-2299
100.64.1.4	2.2.2.2:2300-2399
100.64.1.5	2.2.2.2:2400-2499
100.64.1.6	2.2.2.2:2500-2599

Instead of writing NAT mappings by hand, we could write a function that adds such rules automatically.

Code Block

language	ros

:global sqrt do={
  :for i from=0 to=$1 do={
    :if (i * i > $1) do={ :return ($i - 1) }
  }
}

:global addNatRules do={
  /ip firewall nat add chain=srcnat action=jump jump-target=xxx \
    src-address="$($srcStart)-$($srcStart + $count - 1)"

  :local x [$sqrt $count]
  :local y $x
  :if ($x * $x = $count) do={ :set y ($x + 1) }
  :for i from=0 to=$x do={
    /ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
     src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
  }

  :for i from=0 to=($count - 1) do={
    :local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
    /ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
     to-address=$toAddr to-ports=$prange
  }
}

After pasting the above script in the terminal function "addNatRules" is available. If we take our example, we need to map 6 shared network addresses to be mapped to 2.2.2.2 and each address uses a range of 100 ports starting from 2000. So we run our function:

Code Block

language	ros

$addNatRules count=6 srcStart=100.64.1.1 toAddr=2.2.2.2 portStart=2000 portsPerAddr=100

Now you should be able to get a set of rules:

Code Block

language	ros

[admin@rack1_b18_450] /ip firewall nat> print 
Flags: X - disabled, I - invalid, D - dynamic 
 0    chain=srcnat action=jump jump-target=xxx src-address=100.64.1.1-100.64.1.6 log=no log-prefix="" 

 1    chain=xxx action=jump jump-target=xxx-0 src-address=100.64.1.1-100.64.1.2 log=no log-prefix="" 

 2    chain=xxx action=jump jump-target=xxx-1 src-address=100.64.1.3-100.64.1.4 log=no log-prefix="" 

 3    chain=xxx action=jump jump-target=xxx-2 src-address=100.64.1.5-100.64.1.6 log=no log-prefix="" 

 4    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=tcp src-address=100.64.1.1 log=no log-prefix="" 

 5    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2000-2099 protocol=udp src-address=100.64.1.1 log=no log-prefix="" 

 6    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=tcp src-address=100.64.1.2 log=no log-prefix="" 

 7    chain=xxx-0 action=src-nat to-addresses=2.2.2.2 to-ports=2100-2199 protocol=udp src-address=100.64.1.2 log=no log-prefix="" 

 8    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=tcp src-address=100.64.1.3 log=no log-prefix="" 

 9    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2200-2299 protocol=udp src-address=100.64.1.3 log=no log-prefix="" 

10    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=tcp src-address=100.64.1.4 log=no log-prefix="" 

11    chain=xxx-1 action=src-nat to-addresses=2.2.2.2 to-ports=2300-2399 protocol=udp src-address=100.64.1.4 log=no log-prefix="" 

12    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=tcp src-address=100.64.1.5 log=no log-prefix="" 

13    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2400-2499 protocol=udp src-address=100.64.1.5 log=no log-prefix="" 

14    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=tcp src-address=100.64.1.6 log=no log-prefix="" 

15    chain=xxx-2 action=src-nat to-addresses=2.2.2.2 to-ports=2500-2599 protocol=udp src-address=100.64.1.6 log=no log-prefix=""

Hairpin NAT

Hairpin network address translation (NAT Loopback) is where the device on the LAN is able to access another machine on the LAN via the public IP address of the gateway router.

...

the client sends a packet with a source IP address of 10.0.0.2 to a destination IP address of 172.16.16.1 on port 443 to request some web resource;
the router destination NATs the packet to 10.0.0.3 and replaces the destination IP address in the packet accordingly. It also source NATs the packet and replaces the source IP address in the packet with the IP address on its LAN interface. The destination IP address is 10.0.0.3, and the source IP address is 10.0.0.1;
the web server replies to the request and sends the reply with a source IP address of 10.0.0.3 back to the router's LAN interface IP address of 10.0.0.1;
the router determines that the packet is part of a previous connection and undoes both the source and destination NAT, and puts the original destination IP address of 1.1.1.1 into the source IP address field, and the original source IP address of 172.16.16.1 into the destination IP address field

Properties

Property	Description
action (action name; Default: accept)	Action to take if a packet is matched by the rule: accept - accept the packet. A packet is not passed to the next NAT rule. add-dst-to-address-list - add destination address to address list specified by `address-list` parameter add-src-to-address-list - add source address to address list specified by `address-list` parameter dst-nat - replaces destination address and/or port of an IP packet to values specified by `to-addresses` and `to-ports` parameters jump - jump to the user-defined chain specified by the value of `jump-target` parameter log - add a message to the system log containing the following data: in-interface, out-interface, src-mac, protocol, src-ip:port->dst-ip:port and length of the packet. After a packet is matched it is passed to the next rule in the list, similar as `passthrough` masquerade - replaces source port of an IP packet to one specified by `to-ports` parameter and replace the source address of an IP packet to IP determined by routing facility. netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks passthrough - if a packet is matched by the rule, increase counter and go to next rule (useful for statistics). redirect - replaces destination port of an IP packet to one specified by `to-ports` parameter and destination address to one of the router's local addresses return - passes control back to the chain from where the jump took place same - gives a particular client the same source/destination IP address from a supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client src-nat - replaces source address of an IP packet to values specified by `to-addresses` and `to-ports` parameters
address-list (string; Default: )	Name of the address list to be used. Applicable if action is `add-dst-to-address-list` or `add-src-to-address-list`
address-list-timeout (none-dynamic \| none-static \| time; Default: none-dynamic)	Time interval after which the address will be removed from the address list specified by `address-list` parameter. Used in conjunction with `add-dst-to-address-list` or `add-src-to-address-list` actions Value of none-dynamic (`00:00:00`) will leave the address in the address list till reboot Value of none-static will leave the address in the address list forever and will be included in configuration export/backup
chain (name; Default: )	Specifies to which chain rule will be added. If the input does not match the name of an already defined chain, a new chain will be created
comment (string; Default: )	Descriptive comment for the rule
connection-bytes (integer-integer; Default: )	Matches packets only if a given amount of bytes has been transferred through the particular connection. 0 - means infinity, for example `connection-bytes=2000000-0` means that the rule matches if more than 2MB has been transferred through the relevant connection
connection-limit (integer,netmask; Default: )	Matches connections per address or address block after a given value is reached
connection-mark (no-mark \| string; Default: )	Matches packets marked via mangle facility with particular connection mark. If no-mark is set, the rule will match any unmarked connection
connection-rate (Integer 0..4294967295; Default: )	Connection Rate is a firewall matcher that allows capturing traffic based on the present speed of the connection
connection-type (ftp \| h323 \| irc \| pptp \| quake3 \| sip \| tftp; Default: )	Matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port
content (string; Default: )	Match packets that contain specified text
dscp (integer: 0..63; Default: )	Matches DSCP IP header field.
dst-address (IP/netmask \| IP range; Default: )	Matches packets which destination is equal to specified IP or falls into specified IP range.
dst-address-list (name; Default: )	Matches destination address of a packet against user-defined address list
dst-address-type (unicast \| local \| broadcast \| multicast; Default: )	Matches destination address type: unicast - IP address used for point to point transmission local - if dst-address is assigned to one of the router's interfaces broadcast - packet is sent to all devices in a subnet multicast - packet is forwarded to a defined group of devices
dst-limit (integer[/time],integer,dst-address \| dst-port \| src-address[/time]; Default: )	Matches packets until a given pps limit is exceeded. As opposed to the limit matcher, every destination IP address/destination port has its own limit. Parameters are written in the following format: `count[/time],burst,mode[/expire]`. count - maximum average packet rate measured in packets per `time` interval time - specifies the time interval in which the packet rate is measured (optional) burst - number of packets that are not counted by packet rate mode - the classifier for packet rate limiting expire - specifies interval after which recored ip address /port will be deleted (optional)
dst-port (integer[-integer]: 0..65535; Default: )	List of destination port numbers or port number ranges
fragment (yes\|no; Default: )	Matches fragmented packets. The first (starting) fragment does not count. If connection tracking is enabled there will be no fragments as the system automatically assembles every packet
hotspot (auth \| from-client \| http \| local-dst \| to-client; Default: )	Matches packets received from HotSpot clients against various HotSpot matchers. auth - matches authenticated HotSpot client packets from-client - matches packets that are coming from the HotSpot client http - matches HTTP requests sent to the HotSpot server local-dst - matches packets that are destined to the HotSpot server to-client - matches packets that are sent to the HotSpot client
icmp-options (integer:integer; Default: )	Matches ICMP type: code fields
in-bridge-port (name; Default: )	Actual interface the packet has entered the router if the incoming interface is a bridge
in-interface (name; Default: )	Interface the packet has entered the router
ingress-priority (integer: 0..63; Default: )	Matches ingress the priority of the packet. Priority may be derived from VLAN, WMM or MPLS EXP bit. `Read more>>`
ipsec-policy (in \| out, ipsec \| none; Default: )	Matches the policy used by IpSec. Value is written in the following format: `direction, policy`. The direction is Used to select whether to match the policy used for decapsulation or the policy that will be used for encapsulation. in - valid in the PREROUTING, INPUT, and FORWARD chains out - valid in the POSTROUTING, OUTPUT, and FORWARD chains ipsec - matches if the packet is subject to IpSec processing; none - matches packet that is not subject to IpSec processing (for example, IpSec transport packet). For example, if a router receives an IPsec encapsulated Gre packet, then rule `ipsec-policy=in,ipsec` will match Gre packet, but the rule `ipsec-policy=in,none` will match the ESP packet.
ipv4-options (any \| loose-source-routing \| no-record-route \| no-router-alert \| no-source-routing \| no-timestamp \| none \| record-route \| router-alert \| strict-source-routing \| timestamp; Default: )	Matches IPv4 header options. any - match packet with at least one of the ipv4 options loose-source-routing - match packets with a loose source routing option. This option is used to route the internet datagram based on information supplied by the source no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source no-router-alert - match packets with no router alter option no-source-routing - match packets with no source routing option no-timestamp - match packets with no timestamp option record-route - match packets with record route option router-alert - match packets with router alter option strict-source-routing - match packets with strict source routing option timestamp - match packets with a timestamp
jump-target (name; Default: )	Name of the target chain to jump to. Applicable only if `action=jump`
layer7-protocol (name; Default: )	Layer7 filter name defined in layer7 protocol menu.
limit (integer,time,integer; Default: )	Matches packets until a given PPS limit is exceeded. Parameters are written in the following format: `count[/time],burst`. count - maximum average packet rate measured in packets per `time` interval time - specifies the time interval in which the packet rate is measured (optional, 1s will be used if not specified) burst - number of packets that are not counted by packet rate
log-prefix (string; Default: )	Adds specified text at the beginning of every log message. Applicable if `action=log`
nth (integer,integer; Default: )	Matches every nth packet: nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rule
out-bridge-port (name; Default: )	Actual interface the packet is leaving the router if the outgoing interface is a bridge
out-interface (; Default: )	Interface the packet is leaving the router
packet-mark (no-mark \| string; Default: )	Matches packets marked via mangle facility with particular packet mark. If no-mark is set, the rule will match any unmarked packet
packet-size (integer[-integer]:0..65535; Default: )	Matches packets of specified size or size range in bytes
per-connection-classifier (ValuesToHash:Denominator/Remainder; Default: )	PCC matcher allows dividing traffic into equal streams with the ability to keep packets with a specific set of options in one particular stream
port (integer[-integer]: 0..65535; Default: )	Matches if any (source or destination) port matches the specified list of ports or port ranges. Applicable only if `protocol` is TCP or UDP
protocol (name or protocol ID; Default: tcp)	Matches particular IP protocol specified by protocol name or number
psd (integer,time,integer,integer; Default: )	Attempts to detect TCP and UDP scans. Parameters are in the following format `WeightThreshold, DelayThreshold, LowPortWeight, HighPortWeight` WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence LowPortWeight - the weight of the packets with privileged (<1024) destination port HighPortWeight - the weight of the packet with non-privileged destination port
random (integer: 1..99; Default: )	Matches packets randomly with a given probability
routing-mark (string; Default: )	Matches packets marked by mangle facility with particular routing mark
same-not-by-dst (yes \| no; Default: )	Specifies whether to take into account or not destination IP address when selecting a new source IP address. Applicable if `action=same`
src-address (Ip/Netmaks, Ip range; Default: )	Matches packets which source is equal to specified IP or falls into specified IP range.
src-address-list (name; Default: )	Matches source address of a packet against user-defined address list
src-address-type (unicast \| local \| broadcast \| multicast; Default: )	Matches source address type: unicast - IP address used for point to point transmission local - if an address is assigned to one of the router's interfaces broadcast - packet is sent to all devices in a subnet multicast - packet is forwarded to a defined group of devices
src-port (integer[-integer]: 0..65535; Default: )	List of source ports and ranges of source ports. Applicable only if a protocol is TCP or UDP.
src-mac-address (MAC address; Default: )	Matches source MAC address of the packet
tcp-mss (integer[-integer]: 0..65535; Default: )	Matches TCP MSS value of an IP packet
time (time-time,sat \| fri \| thu \| wed \| tue \| mon \| sun; Default: )	Allows to create a filter based on the packets' arrival time and date or, for locally generated packets, departure time and date
to-addresses (IP address[-IP address]; Default: 0.0.0.0)	Replace the original address with the specified one. Applicable if action is dst-nat, netmap, same, src-nat
to-ports (integer[-integer]: 0..65535; Default: )	Replace the original port with the specified one. Applicable if action is dst-nat, redirect, masquerade, netmap, same, src-nat
ttl (integer: 0..255; Default: )	Matches packets TTL value

Stats

Property	Description
bytes (integer)	The total amount of bytes matched by the rule
packets (integer)	The total amount of packets matched by the rule

To show additional read-only properties:

...

Page tree

Versions Compared

Old Version 22

New Version 23

Key

CGNAT (NAT444)

Hairpin NAT

Properties

Stats

Page tree

Page History

Versions Compared

Old Version 22

New Version 23

Key

CGNAT (NAT444)

Hairpin NAT

Properties

Stats