...

RFC 7422 states that, instead of logging each connection, CGNs can deterministically map customer private addresses (received on the customer-facing interface of the CGN, a.k.a. the internal side) to public addresses extended with port ranges. A public address and port observed on the outside can then be traced back to exactly one inside address by arithmetic, without consulting a per-connection log.

In RouterOS this means that a separate NAT rule has to be added for each individual mapping, such as the ones in the example below:

Inside IP      Outside IP:port range
100.64.10.1    2.2.2.2:5000-5199
100.64.10.2    2.2.2.2:5200-5399
100.64.10.3    2.2.2.2:5400-5599
100.64.10.4    2.2.2.2:5600-5799
100.64.10.5    2.2.2.2:5800-5999

Instead of writing the NAT rules by hand, it is suggested to use a script. The following example can be adapted to the requirements of your setup; the adjustable values at the top set the first inside address, the number of clients, the number of addresses per client, the shared public address, the first port and the size of each per-address port block:

{
######## Adjustable values #########
:local StartingAddress 100.64.0.1
:local ClientCount 5
:local AddressesPerClient 2
:local PublicAddress 2.2.2.2
:local StartingPort 5000
:local PortsPerAddress 200
####################################

# Jump for the whole client range: StartingAddress .. StartingAddress + ClientCount*AddressesPerClient - 1
/ip firewall nat add chain=srcnat action=jump jump-target=clients \
    src-address="$StartingAddress-$($StartingAddress + ($ClientCount * $AddressesPerClient) - 1)"

:local currentPort $StartingPort

:for c from=1 to=$ClientCount do={
    # Per-client chain jump; client c owns AddressesPerClient consecutive inside addresses
    :if ($AddressesPerClient > 1) do={
      /ip firewall nat add chain=clients action=jump jump-target="client-$c" \
      src-address="$($StartingAddress + ($AddressesPerClient * ($c - 1)))-$($StartingAddress + ($AddressesPerClient * $c) - 1)"
    } else={
      /ip firewall nat add chain=clients action=jump jump-target="client-$c" \
      src-address="$($StartingAddress + ($AddressesPerClient * ($c - 1)))"
    }

    # Translation rules: one fixed, non-overlapping port block per inside address.
    # Only TCP and UDP are translated here (to-ports needs a port-based protocol);
    # other protocols from these clients, ICMP included, need a separate rule.
    :for a from=1 to=$AddressesPerClient do={
      /ip firewall nat add chain="client-$c" action=src-nat protocol=tcp \
      src-address="$($StartingAddress + (($c - 1) * $AddressesPerClient) + $a - 1)" to-address=$PublicAddress to-ports="$currentPort-$($currentPort + $PortsPerAddress - 1)"
      /ip firewall nat add chain="client-$c" action=src-nat protocol=udp \
      src-address="$($StartingAddress + (($c - 1) * $AddressesPerClient) + $a - 1)" to-address=$PublicAddress to-ports="$currentPort-$($currentPort + $PortsPerAddress - 1)"
      :set currentPort ($currentPort + $PortsPerAddress)
    }
}
}
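As an added worked example (not part of the original page and not MikroTik's script), the same deterministic mapping computed in Python: it derives the per-address port blocks from the script's adjustable values, checks that they fit into the 1-65535 port space and do not overlap, performs the reverse lookup from a public address and port to the inside address (the lookup that replaces per-connection logging), and emits the translation rules the script above would add. The parameter values and the 2.2.2.2 public address are taken from the page's script; the function names and the sample port used for the lookup are illustrative assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# Defaults taken from the page's "Adjustable values" block.
STARTING_ADDRESS = "100.64.0.1"
CLIENT_COUNT = 5
ADDRESSES_PER_CLIENT = 2
PUBLIC_ADDRESS = "2.2.2.2"
STARTING_PORT = 5000
PORTS_PER_ADDRESS = 200


@dataclass(frozen=True)
class Mapping:
    client: int            # 1-based client index, as in the script's "client-$c" chain
    inside: IPv4Address    # subscriber's private (CGN-internal) address
    public: IPv4Address    # shared public address
    first_port: int        # inclusive
    last_port: int         # inclusive


def build_mappings(starting_address=STARTING_ADDRESS, client_count=CLIENT_COUNT,
                   addresses_per_client=ADDRESSES_PER_CLIENT, public_address=PUBLIC_ADDRESS,
                   starting_port=STARTING_PORT, ports_per_address=PORTS_PER_ADDRESS) -> List[Mapping]:
    """Forward mapping, in the same order as the RouterOS script: inside addresses
    are assigned sequentially, client c owns addresses_per_client consecutive ones,
    and each address gets the next contiguous block of ports_per_address ports."""
    start = IPv4Address(starting_address)
    public = IPv4Address(public_address)
    total = client_count * addresses_per_client
    last_port = starting_port + total * ports_per_address - 1
    if starting_port < 1 or last_port > 65535:
        raise ValueError(f"port space exhausted: needs ports {starting_port}-{last_port} on {public}")
    mappings = []
    port = starting_port
    for i in range(total):
        mappings.append(Mapping(client=i // addresses_per_client + 1, inside=start + i, public=public,
                                first_port=port, last_port=port + ports_per_address - 1))
        port += ports_per_address
    return mappings


def lookup_inside(mappings, public_address, port) -> Optional[Mapping]:
    """Reverse lookup: which subscriber was behind public_address:port?
    Deterministic mapping makes this a table/arithmetic question, not a log search."""
    public = IPv4Address(public_address)
    for m in mappings:
        if m.public == public and m.first_port <= port <= m.last_port:
            return m
    return None


def check_disjoint(mappings) -> bool:
    """Sanity check: no (public address, port) pair may belong to two inside addresses,
    otherwise a reverse lookup would be ambiguous."""
    seen = set()
    for m in mappings:
        for p in range(m.first_port, m.last_port + 1):
            if (m.public, p) in seen:
                return False
            seen.add((m.public, p))
    return True


def routeros_rules(mappings) -> List[str]:
    """The per-address translation rules the page's script adds (TCP and UDP only)."""
    lines = []
    for m in mappings:
        for proto in ("tcp", "udp"):
            lines.append(f'/ip firewall nat add chain="client-{m.client}" action=src-nat protocol={proto} '
                         f'src-address={m.inside} to-address={m.public} to-ports={m.first_port}-{m.last_port}')
    return lines


if __name__ == "__main__":
    table = build_mappings()
    assert check_disjoint(table)
    for m in table:
        print(f"{str(m.inside):<14} {m.public}:{m.first_port}-{m.last_port}")
    # Assumed abuse report: "2.2.2.2, source port 5437" -> resolve without any connection log
    hit = lookup_inside(table, PUBLIC_ADDRESS, 5437)
    print("2.2.2.2:5437 ->", hit.inside if hit else "unmapped")
    print("\n".join(routeros_rules(table)))
```

Calling build_mappings("100.64.10.1", 5, 1) reproduces the five-row table above exactly; with the script's defaults (10 inside addresses) the blocks run from 5000 to 6999 on 2.2.2.2, and any port outside that range, or any non-TCP/UDP packet, is simply not covered by the mapping.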

...