CGN NAT ( NAT444 ) help

Tue Jan 11, 2022 1:47 am

CGN NAT ( NAT444 ) help

I am asking for some help.
I need to configure NAT444.

I have found several examples to configure NAT444 using a "addNatRules" function.
Example: in the Mikrotik Wiki --> https://wiki.mikrotik.com/wiki/Manual:I ... _or_NAT444
There is a section in the Mikrotik Wiki that has some documentation about using the function "$addNatRules".
I am having problems running the function ( either I am making mistakes and don't know how to run configure and execute this function -or- the function is broken/not-functioning ).

So here are my questions:
Question #1 ; Is the Mikrotik Wiki documentation on the function "$addNatRules" correct and does it work ?
Question #2 ; Where can I find clean clear-cut easy-to-follow documentation to create this function and how do I execute this function ?

Here is what I have tried that is failing:
I add a script with the name of "addNatRules". The body of the script is as follows:
:global sqrt do={
:for i from=0 to=$1 do={
:if (i * i > $1) do={ :return ($i - 1) }
}
}

:global addNatRules do={
/ip firewall nat add chain=srcnat action=jump jump-target=xxx \
src-address="$($srcStart)-$($srcStart + $count - 1)"

:local x [$sqrt $count]
:local y $x
:if ($x * $x = $count) do={ :set y ($x + 1) }
:for i from=0 to=$x do={
/ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
}

:for i from=0 to=($count - 1) do={
:local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
}
}

Then at the CLI prompt I paste in something like this ( and the script does not do anything ).
I have tried this with and without the "$" in the script - I am lost.

Function-addNatRules.png

Tue Jan 11, 2022 1:54 am

Related to my question addNatRule

What is a good working amount of ports to use ?
I have seen several documents about addNatRules that show 100 ports and some at 10,000 ports.
So , I ask, what is a decent number of ports that will probably work ( 250 ports per CGN IP address ? ) ??

sup5 · Tue Jan 11, 2022 9:44 am

The script die not work for me, as well.
I ended up using the idea and manually built a binary-tree of cascaded jumps to reduce CPU-Load. (Excel helped here for string manipulation).

At the end of each jump-cascade there will be the netmap/NAT to squeeze down the number of required ports.

For residential customers 1012 Ports (64 customers per IP) are sufficient.
For Hotspot/Wireless users you might squeeze it down to 63 ports per user (1024 Users per IP).

Limiting the ports per user does not mean there will be a hard limit of connections=ports. Mikrotik does port-overloading. This means it can re-use the same port for another destination.

Loading a bloated website full of ads and other stuff on a 63 port NAT resulted in approx. 300 successfully simultaneously open sessions.
Be aware that only 63 concurrent DNS requests are possible, still.
You might also want to aggressively time down your UDP timers in connection tracking, when using such a low amount of ports per user.

Tue Jan 11, 2022 3:52 pm

sup5 ,

thank you for your input

Yesterday , I said F-it with the script function and started typing the mt CGN-nat configuration into a txt file.
Then I had a thought:\
- If I have 12 /21 CGN networks ( 100.64.x.x /21 ) and I am natting each /21 network to 8 or 16 Live-IP addresses , that is a whole lot of nat rules to go through. If the nat rule is at the bottom of a huge thousand+ line list, it might run slowwww.
- Sooooo , I am now also thinking about the jump statement and I am going to try to make a configuration that has the least amount of lines to be processed by using jumps.
** If within x.y.x.0/25 jump to x.y.z.0-25
** if within x.y.x.127/25 jump to x.y.x.127-25
The idea will be that processing each GCN-nat will use the the fewest lines of processing.

I am almost thinking about writing this in a Linux Shell program ...

Note - right now I am just doing a simple NAT44 on my /21 networks ( nat each /21 into a /30 --- but I am not doing any port ranges at this time ) , it works fast at multi-Gig nat throughput ( CHR ), I just hope I don't kill it with a full NAT444 configuration.

North Idaho Tom Jones

sindy · Tue Jan 11, 2022 4:19 pm

I just hope I don't kill it with a full NAT444 configuration.

You won't because the NAT rules are only used when handling the initial packet of each connection. Once chains srcnat and dstnat give their verdicts (instructions) regarding the initial packet, these instructions get stored into the context data of that connection maintained by the conn(ection)track(ing) module, and all subsequent packets of the same connection are handled the same or reverse way depending on their direction. And the CPU load of this handling of mid-connection packets is always the same no matter how complex it was to find the instruction for the initial packet.

anav · Tue Jan 11, 2022 4:32 pm

Frig, me thinks your knowledge is somehow not being utilized to its maximum potential.
Perhaps you should start your own Routing Company or RoS equivilant, SoS

Not being flippant (well only a little) but is there anything you do not know?
I am constantly amazed by the amount of detail you put into every post and the command of the english language (are you sure you are not Oxford trained?)

No really I have a little Sindy obelisk in my study and every once in a while I genuflect in its direction.
Just sayin, glad you are here!! glad to know you!!

Tue Jan 11, 2022 6:59 pm

1'st , thanks for your input and thoughts.

I have two types of customer networks.
- 1'st type is Live IP WANs with optional routed Live IPs ( for my static IP business accounts ).
- 2'nd type is my standard CGN customers where:
Close to 2-thousand DHCP ( Mikrotik wireless customer CPE DHCP-Client Wan routers with NATed 192.168.56.x/24 Lans -or- Fiber-to-the-home routers )
19 different residential customer networks where each network is a unique CGN 100.64.x.y/21 ( 8 C CGN networks ) ((( I use a /21 so that we can grow and never need to renumber a network ))).
Currently 1 CHR CGN Nat router (( I am considering breaking this up into 4 different CHR CGN Nat routers to spread the Nat CPU load ))

My 1'st question:
With CGN NAT444 , how many ports should I use per CGN customer ( total of 38,912 CGN IPs ) ? What works for 99-percent of the residential customers ?
1,000 ports ( 8 IPs needed per CGN /21 ) ?
500 ports ? ( 4 IPs needed per CGN /21 ) ?
250 ports ? ( 2 IPs needed per CGN /21 ) ?
100 ports ? ( 1 IP needed per CGN /21 ) ? ( I am considering trying 100 ports per CGN IP -- is this a mistake ? )

My 2'nd question:
Where do thing start to break as I use fewer ports per CGN IP on the average residential customer ?

My 3'rd question:
When I change from NAT44 ( Normal NAT) to NAT444 ( with port ranges ) , how much of an additional CPU load does NAT444 place on a CHR verses NAT44 ?

Again , thank you and everybody else for your ideas and thoughts

North Idaho Tom Jones

anav · Tue Jan 11, 2022 7:12 pm

Excuse my ignorance TOM, but do you mean that customers are limited to access only X number of ports (inbound and outbound)? Put in another way they can only run servers on a choice of 8000 ports or is this simply an allocation schema for WANIP and port association to the WANIP. I have no clue in general and even less about CGNAT.

Tue Jan 11, 2022 7:35 pm

Excuse my ignorance TOM, but do you mean that customers are limited to access only X number of ports (inbound and outbound)? Put in another way they can only run servers on a choice of 8000 ports or is this simply an allocation schema for WANIP and port association to the WANIP. I have no clue in general and even less about CGNAT.

anav.
Forgive me , I a still new to the idea and concept of NAT444 and port usage. I may be wrong in my answer - but I will give it a shot.

I believe that that NAT-overload will be used in this configuration.

Here is one example of a NAT-overload:
Let's say you have a single port ( port 80 forwarded to a web server ), more than one remote client at a time ( hundreds/thousands ) of Internet remote located computers can pull up web pages ( http uses port 80 ) all at the same time.

I believe that NAT-overload can also work the other direction. So , let's say I use 100 ports per CGN IP. I can have a potential of 100 connections to any single remote IP address. And it is possible to also have another 100 connections at the same time to a different remote IP address at the same time.
Thus , with NAT-overload and 100 ports per CGN IP, it is possible to have 100 ports connected to 10 different remote location ( a total of 1,000 ports )
and it is possible to have 100 connections with 100 ports each ( a total of 10,000 connections/ports )

sindy · Tue Jan 11, 2022 7:51 pm

@anav, you have to read that manual @TomjNorthIdaho refers to - the idea is to be able to link a particular connection to a particular client just by the public socket adress (IP:port) used, e.g. when searching for a source of a DDoS attack. You get a report from the attack victim and have to identify the actual source of the attack among your clients, but since the attack is not ongoing, there is no point in listing current connections to the victim. Another scenario could be a CSIS (FBI in Tom's case) request for the same - here's a connection from your public IP to this destination, identify the actual source.

So to facilitate this, you "translate" or "encode" the WAN address of the client (which is the "CGNAT" one) into the port number at the public address. And we talk only about outbound connections of the clients here, because for port forwarding, you obviously do know to which CGNAT address you forward which port on the public address.

If you allow only N ports to be chosen from for a given client, it means that that client can establish at most N connections to the same remote socket address, such as your hypothetical https server in the data center, not that they can establish only N connections in total. For most stock software like web browsers, and for most SOHO users, this will never cause a problem (except maybe dns as @sup5 suggests).

But there are cases when multiple actual users are connected via the same CGNAT address, so all of these actual users use a common pool of N ports. Now imagine a call center where tens of agents' workstations connect to the same web server in the cloud. One would say a pool of N ports should be enough for N such workstations, but that's not the case. If a client uses a port to establish a TCP session to a client and then terminates the session, it will not reuse that port for another connection for one to four minutes depending on the operating system settings. This is a precaution against delayed packets belonging to the old session getting handled as part of the new session, and this guard time of many tens of seconds comes from the times when TCP has been designed and network speeds were far lower. And here comes the issue with software - programmers are typically not network specialists, so the unexperienced ones often use a dedicated TCP session for each transaction rather than only closing a session a few minutes after the last transaction has been finished, and reusing it for any new transaction popping up before the timeout passes. So if the workstations in that hypothetical call center run some in-house application rather than a stock web browser, such an approach combined with the restricted pool of available ports will cost you the rest of your hair until you find the cause.

anav · Tue Jan 11, 2022 7:58 pm

I will have to read this a few times over as the glazed eye phenomenal rapidly ensued.
Suffice to say I think I understood that TN wants to ensure with this technology that a single user can make at least 1000 connections outbound simultaneously on one port (like 443 or 80) as that is a practical number that most likely will not be breached by a single household. Understood if the problem is exacerbated by that CGN address being shared by 10 households then you quickly get into a problem if all attempting to use port 80 ??

sindy · Tue Jan 11, 2022 8:00 pm

Understood if the problem is exacerbated by that CGN address being shared by 10 households then you quickly get into a problem if all attempting to use port 80 ??

Not just port 80 - all of them have to access port 80 at the same remote IP address to get into trouble (hit the limit of N ports in a common pool).

sup5 · Tue Jan 11, 2022 10:19 pm

Hi, I found an old configuration. It compresses a private /18 into a public /24.
Thus compressing 6 bits means 64 customers have to share a single public ip address.

Using the binary tree there will always only be six jumps to reach the approriate netmap command.

/ip firewall nat
add action=jump   chain=srcnat     jump-target=000001-CGN src-address=100.64.0.0/18 comment=/18
add action=jump   chain=000001-CGN jump-target=000010-CGN src-address=100.64.0.0/19 comment=/19
add action=jump   chain=000001-CGN jump-target=000011-CGN src-address=100.64.32.0/19
add action=jump   chain=000010-CGN jump-target=000100-CGN src-address=100.64.0.0/20 comment=/20
add action=jump   chain=000010-CGN jump-target=000101-CGN src-address=100.64.16.0/20
add action=jump   chain=000011-CGN jump-target=000110-CGN src-address=100.64.32.0/20
add action=jump   chain=000011-CGN jump-target=000111-CGN src-address=100.64.48.0/20
add action=jump   chain=000100-CGN jump-target=001000-CGN src-address=100.64.0.0/21 comment=/21
add action=jump   chain=000100-CGN jump-target=001001-CGN src-address=100.64.8.0/21
add action=jump   chain=000101-CGN jump-target=001010-CGN src-address=100.64.16.0/21
add action=jump   chain=000101-CGN jump-target=001011-CGN src-address=100.64.24.0/21
add action=jump   chain=000110-CGN jump-target=001100-CGN src-address=100.64.32.0/21
add action=jump   chain=000110-CGN jump-target=001101-CGN src-address=100.64.40.0/21
add action=jump   chain=000111-CGN jump-target=001110-CGN src-address=100.64.48.0/21
add action=jump   chain=000111-CGN jump-target=001111-CGN src-address=100.64.56.0/21
add action=jump   chain=001000-CGN jump-target=010000-CGN src-address=100.64.0.0/22 comment=/22
add action=jump   chain=001000-CGN jump-target=010001-CGN src-address=100.64.4.0/22
add action=jump   chain=001001-CGN jump-target=010010-CGN src-address=100.64.8.0/22
add action=jump   chain=001001-CGN jump-target=010011-CGN src-address=100.64.12.0/22
add action=jump   chain=001010-CGN jump-target=010100-CGN src-address=100.64.16.0/22
add action=jump   chain=001010-CGN jump-target=010101-CGN src-address=100.64.20.0/22
add action=jump   chain=001011-CGN jump-target=010110-CGN src-address=100.64.24.0/22
add action=jump   chain=001011-CGN jump-target=010111-CGN src-address=100.64.28.0/22
add action=jump   chain=001100-CGN jump-target=011000-CGN src-address=100.64.32.0/22
add action=jump   chain=001100-CGN jump-target=011001-CGN src-address=100.64.36.0/22
add action=jump   chain=001101-CGN jump-target=011010-CGN src-address=100.64.40.0/22
add action=jump   chain=001101-CGN jump-target=011011-CGN src-address=100.64.44.0/22
add action=jump   chain=001110-CGN jump-target=011100-CGN src-address=100.64.48.0/22
add action=jump   chain=001110-CGN jump-target=011101-CGN src-address=100.64.52.0/22
add action=jump   chain=001111-CGN jump-target=011110-CGN src-address=100.64.56.0/22
add action=jump   chain=001111-CGN jump-target=011111-CGN src-address=100.64.60.0/22
add action=jump   chain=010000-CGN jump-target=100000-CGN src-address=100.64.0.0/23 comment=/23 
add action=jump   chain=010000-CGN jump-target=100001-CGN src-address=100.64.2.0/23
add action=jump   chain=010001-CGN jump-target=100010-CGN src-address=100.64.4.0/23
add action=jump   chain=010001-CGN jump-target=100011-CGN src-address=100.64.6.0/23
add action=jump   chain=010010-CGN jump-target=100100-CGN src-address=100.64.8.0/23
add action=jump   chain=010010-CGN jump-target=100101-CGN src-address=100.64.10.0/23
add action=jump   chain=010011-CGN jump-target=100110-CGN src-address=100.64.12.0/23
add action=jump   chain=010011-CGN jump-target=100111-CGN src-address=100.64.14.0/23
add action=jump   chain=010100-CGN jump-target=101000-CGN src-address=100.64.16.0/23
add action=jump   chain=010100-CGN jump-target=101001-CGN src-address=100.64.18.0/23
add action=jump   chain=010101-CGN jump-target=101010-CGN src-address=100.64.20.0/23
add action=jump   chain=010101-CGN jump-target=101011-CGN src-address=100.64.22.0/23
add action=jump   chain=010110-CGN jump-target=101100-CGN src-address=100.64.24.0/23
add action=jump   chain=010110-CGN jump-target=101101-CGN src-address=100.64.26.0/23
add action=jump   chain=010111-CGN jump-target=101110-CGN src-address=100.64.28.0/23
add action=jump   chain=010111-CGN jump-target=101111-CGN src-address=100.64.30.0/23
add action=jump   chain=011000-CGN jump-target=110000-CGN src-address=100.64.32.0/23
add action=jump   chain=011000-CGN jump-target=110001-CGN src-address=100.64.34.0/23
add action=jump   chain=011001-CGN jump-target=110010-CGN src-address=100.64.36.0/23
add action=jump   chain=011001-CGN jump-target=110011-CGN src-address=100.64.38.0/23
add action=jump   chain=011010-CGN jump-target=110100-CGN src-address=100.64.40.0/23
add action=jump   chain=011010-CGN jump-target=110101-CGN src-address=100.64.42.0/23
add action=jump   chain=011011-CGN jump-target=110110-CGN src-address=100.64.44.0/23
add action=jump   chain=011011-CGN jump-target=110111-CGN src-address=100.64.46.0/23
add action=jump   chain=011100-CGN jump-target=111000-CGN src-address=100.64.48.0/23
add action=jump   chain=011100-CGN jump-target=111001-CGN src-address=100.64.50.0/23
add action=jump   chain=011101-CGN jump-target=111010-CGN src-address=100.64.52.0/23
add action=jump   chain=011101-CGN jump-target=111011-CGN src-address=100.64.54.0/23
add action=jump   chain=011110-CGN jump-target=111100-CGN src-address=100.64.56.0/23
add action=jump   chain=011110-CGN jump-target=111101-CGN src-address=100.64.58.0/23
add action=jump   chain=011111-CGN jump-target=111110-CGN src-address=100.64.60.0/23
add action=jump   chain=011111-CGN jump-target=111111-CGN src-address=100.64.62.0/23
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.0.0/24 to-addresses=3.2.1.0/24 to-ports=1024-2031 comment=/24 
add action=netmap chain=100000-CGN protocol=tcp src-address=100.64.1.0/24 to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.2.0/24 to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=tcp src-address=100.64.3.0/24 to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.4.0/24 to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=tcp src-address=100.64.5.0/24 to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.6.0/24 to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=tcp src-address=100.64.7.0/24 to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.8.0/24 to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=tcp src-address=100.64.9.0/24 to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=tcp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=tcp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=tcp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=tcp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=tcp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=tcp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=tcp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=tcp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=tcp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=tcp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=tcp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=tcp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=tcp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=tcp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=tcp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42352
add action=netmap chain=110100-CGN protocol=tcp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=tcp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=tcp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=tcp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=tcp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=tcp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=tcp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=tcp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=tcp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=tcp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=tcp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=tcp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=100000-CGN protocol=udp src-address=100.64.0.0/24  to-addresses=3.2.1.0/24 to-ports=1024-2031
add action=netmap chain=100000-CGN protocol=udp src-address=100.64.1.0/24  to-addresses=3.2.1.0/24 to-ports=2032-3039
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.2.0/24  to-addresses=3.2.1.0/24 to-ports=3040-4047
add action=netmap chain=100001-CGN protocol=udp src-address=100.64.3.0/24  to-addresses=3.2.1.0/24 to-ports=4048-5055
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.4.0/24  to-addresses=3.2.1.0/24 to-ports=5056-6063
add action=netmap chain=100010-CGN protocol=udp src-address=100.64.5.0/24  to-addresses=3.2.1.0/24 to-ports=6064-7071
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.6.0/24  to-addresses=3.2.1.0/24 to-ports=7072-8079
add action=netmap chain=100011-CGN protocol=udp src-address=100.64.7.0/24  to-addresses=3.2.1.0/24 to-ports=8080-9087
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.8.0/24  to-addresses=3.2.1.0/24 to-ports=9088-10095
add action=netmap chain=100100-CGN protocol=udp src-address=100.64.9.0/24  to-addresses=3.2.1.0/24 to-ports=10096-11103
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 to-ports=11104-12111
add action=netmap chain=100101-CGN protocol=udp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 to-ports=12112-13119
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 to-ports=13120-14127
add action=netmap chain=100110-CGN protocol=udp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 to-ports=14128-15135
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 to-ports=15136-16143
add action=netmap chain=100111-CGN protocol=udp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 to-ports=16144-17151
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 to-ports=17152-18159
add action=netmap chain=101000-CGN protocol=udp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 to-ports=18160-19167
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 to-ports=19168-20175
add action=netmap chain=101001-CGN protocol=udp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 to-ports=20176-21183
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 to-ports=21184-22191
add action=netmap chain=101010-CGN protocol=udp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 to-ports=22192-23199
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 to-ports=23200-24207
add action=netmap chain=101011-CGN protocol=udp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 to-ports=24208-25215
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 to-ports=25216-26223
add action=netmap chain=101100-CGN protocol=udp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 to-ports=26224-27231
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 to-ports=27232-28239
add action=netmap chain=101101-CGN protocol=udp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 to-ports=28240-29247
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 to-ports=29248-30255
add action=netmap chain=101110-CGN protocol=udp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 to-ports=30256-31263
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 to-ports=31264-32271
add action=netmap chain=101111-CGN protocol=udp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 to-ports=32272-33279
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 to-ports=33280-34287
add action=netmap chain=110000-CGN protocol=udp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 to-ports=34288-35295
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 to-ports=35296-36303
add action=netmap chain=110001-CGN protocol=udp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 to-ports=36304-37311
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 to-ports=37312-38319
add action=netmap chain=110010-CGN protocol=udp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 to-ports=38320-39327
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 to-ports=39328-40335
add action=netmap chain=110011-CGN protocol=udp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 to-ports=40336-41343
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 to-ports=41344-42352
add action=netmap chain=110100-CGN protocol=udp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 to-ports=42352-43359
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 to-ports=43360-44367
add action=netmap chain=110101-CGN protocol=udp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 to-ports=44368-45375
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 to-ports=45376-46383
add action=netmap chain=110110-CGN protocol=udp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 to-ports=46384-47391
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 to-ports=47392-48399
add action=netmap chain=110111-CGN protocol=udp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 to-ports=48400-49407
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 to-ports=49408-50415
add action=netmap chain=111000-CGN protocol=udp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 to-ports=50416-51423
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 to-ports=51424-52431
add action=netmap chain=111001-CGN protocol=udp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 to-ports=52432-53439
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 to-ports=53440-54447
add action=netmap chain=111010-CGN protocol=udp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 to-ports=54448-55455
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 to-ports=55456-56463
add action=netmap chain=111011-CGN protocol=udp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 to-ports=56464-57471
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 to-ports=57472-58479
add action=netmap chain=111100-CGN protocol=udp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 to-ports=58480-59487
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 to-ports=59488-60495
add action=netmap chain=111101-CGN protocol=udp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 to-ports=60496-61503
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 to-ports=61504-62511
add action=netmap chain=111110-CGN protocol=udp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 to-ports=62512-63519
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 to-ports=63520-64527
add action=netmap chain=111111-CGN protocol=udp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24 to-ports=64528-65535

add action=netmap chain=100000-CGN protocol=icmp src-address=100.64.0.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100000-CGN protocol=icmp src-address=100.64.1.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100001-CGN protocol=icmp src-address=100.64.2.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100001-CGN protocol=icmp src-address=100.64.3.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100010-CGN protocol=icmp src-address=100.64.4.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100010-CGN protocol=icmp src-address=100.64.5.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100011-CGN protocol=icmp src-address=100.64.6.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100011-CGN protocol=icmp src-address=100.64.7.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100100-CGN protocol=icmp src-address=100.64.8.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100100-CGN protocol=icmp src-address=100.64.9.0/24  to-addresses=3.2.1.0/24 
add action=netmap chain=100101-CGN protocol=icmp src-address=100.64.10.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100101-CGN protocol=icmp src-address=100.64.11.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100110-CGN protocol=icmp src-address=100.64.12.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100110-CGN protocol=icmp src-address=100.64.13.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100111-CGN protocol=icmp src-address=100.64.14.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=100111-CGN protocol=icmp src-address=100.64.15.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101000-CGN protocol=icmp src-address=100.64.16.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101000-CGN protocol=icmp src-address=100.64.17.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101001-CGN protocol=icmp src-address=100.64.18.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101001-CGN protocol=icmp src-address=100.64.19.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101010-CGN protocol=icmp src-address=100.64.20.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101010-CGN protocol=icmp src-address=100.64.21.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101011-CGN protocol=icmp src-address=100.64.22.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101011-CGN protocol=icmp src-address=100.64.23.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101100-CGN protocol=icmp src-address=100.64.24.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101100-CGN protocol=icmp src-address=100.64.25.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101101-CGN protocol=icmp src-address=100.64.26.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101101-CGN protocol=icmp src-address=100.64.27.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101110-CGN protocol=icmp src-address=100.64.28.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101110-CGN protocol=icmp src-address=100.64.29.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101111-CGN protocol=icmp src-address=100.64.30.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=101111-CGN protocol=icmp src-address=100.64.31.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110000-CGN protocol=icmp src-address=100.64.32.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110000-CGN protocol=icmp src-address=100.64.33.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110001-CGN protocol=icmp src-address=100.64.34.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110001-CGN protocol=icmp src-address=100.64.35.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110010-CGN protocol=icmp src-address=100.64.36.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110010-CGN protocol=icmp src-address=100.64.37.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110011-CGN protocol=icmp src-address=100.64.38.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110011-CGN protocol=icmp src-address=100.64.39.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110100-CGN protocol=icmp src-address=100.64.40.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110100-CGN protocol=icmp src-address=100.64.41.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110101-CGN protocol=icmp src-address=100.64.42.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110101-CGN protocol=icmp src-address=100.64.43.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110110-CGN protocol=icmp src-address=100.64.44.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110110-CGN protocol=icmp src-address=100.64.45.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110111-CGN protocol=icmp src-address=100.64.46.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=110111-CGN protocol=icmp src-address=100.64.47.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111000-CGN protocol=icmp src-address=100.64.48.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111000-CGN protocol=icmp src-address=100.64.49.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111001-CGN protocol=icmp src-address=100.64.50.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111001-CGN protocol=icmp src-address=100.64.51.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111010-CGN protocol=icmp src-address=100.64.52.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111010-CGN protocol=icmp src-address=100.64.53.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111011-CGN protocol=icmp src-address=100.64.54.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111011-CGN protocol=icmp src-address=100.64.55.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111100-CGN protocol=icmp src-address=100.64.56.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111100-CGN protocol=icmp src-address=100.64.57.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111101-CGN protocol=icmp src-address=100.64.58.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111101-CGN protocol=icmp src-address=100.64.59.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111110-CGN protocol=icmp src-address=100.64.60.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111110-CGN protocol=icmp src-address=100.64.61.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111111-CGN protocol=icmp src-address=100.64.62.0/24 to-addresses=3.2.1.0/24 
add action=netmap chain=111111-CGN protocol=icmp src-address=100.64.63.0/24 to-addresses=3.2.1.0/24

This CGNAT solution only takes care of tcp, udp and icmp.
If you wish to use other protocols, you might need to experiment. Or ad a final catch all rule. (but that might break legal stuff):

add action=netmap chain=srcnat src-address=100.64.0.0/18 to-addresses=3.2.1.0/24

Further optimization might be done using harsh timings with the connection tracking, especially if you're going to hand out less than 250 ports per customer:

/ip firewall connection tracking
set generic-timeout=1m tcp-established-timeout=1h tcp-max-retrans-timeout=1m tcp-unacked-timeout=1m udp-stream-timeout=10s udp-timeout=3m

To automatically clear hung UDP-DNS-Connections you might find a regulary scheduled script helpful:

/system scheduler
add interval=2s name=Clear-DNS on-event="/ip firewall connection remove [find protocol=udp dst-address~\":53\" timeout<2m57s]" policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon start-date=jun/29/2018 start-time=07:46:54

A final suggestion. Do NOT terminale the private space on the router, which has to do the CGNAT translation.
Create two interfaces with transfer networks.
The first facing the internet, and the second facing your Access conentrator.
On the Access concentration you'll then have to route all CGNAT-customers via policy based routing to the CGNAT-router.

Wed Jan 12, 2022 12:41 am

If anybody wants to take a look at this , I created a Linus shell program ( a draft early beta version ) of the addNatRules

This runs on a Linux system - not on a Mikrotik

At this time - I do not have any action=jump lines in my code ( so if it works , it might be slow )

If beta version appears to want to work, then I will re-work it to use action=jump lines in my code.
And add the ability to use larger GGN network ( example /21 ) and NAT to multiple live IP addresses ( some big stuff ).
And possibly the ability to save and modify configurations and auto telnet/ssh to a Mikrotik to auto update the configuration

That said - here is the shell program - please give it a look-see
North Idaho Tom Jones

Linux shell program

- create a file named ( addNatRules-Beta-Version024.sh ) on your Linux ( Ubuntu ) machine

- insert the the following code into this file ( addNatRules-Beta-Version024.sh )

------------------- Cut below this line -------------------
#!/bin/sh
clear
#
echo "This is a Beta program --> addNatRules-Beta-Version024.sh created on January 11 2022 "
echo
echo "This program is by North Idaho Tom Jones "
echo
echo "This program is a script to build a CGN Nat configuration which can then be inserted into a Mikrotik NAT router"
echo
echo "This program is a Beta program. This is not a finished, completed or fully working program at this time."
echo
echo "Use this program and the output text at your own risk."
echo
echo
echo
echo -n "Push the ENTER button to continue :"
read dummy
#
i=0
StartPort=2000
EndPort=2099
clear
echo "What is the first number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 100 ( then push the ENTER button "
echo -n " Input your first number : "
read n1
echo " OK - the first number is going to be $n1"
echo
echo
echo "Note: so far we have $n1"
echo
#
echo
echo "What is the second number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 64 ( then push the ENTER button "
echo -n " Input your second number : "
read n2
echo " OK - the second is going to be $n2"
echo
echo
echo "Note: so far we have $n1.$n2."
echo
#
echo
echo "What is the third number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 0 ( then push the ENTER button "
echo -n " Input your third number : "
read n3
echo " OK - the third is going to be $n3"
echo
echo
echo "Note: so far we have $n1.$n2.$n3"
echo
#
echo
echo "What is the fourth number in your starting CGN-Nat block"
echo " Example - if you want to NAT 100.64.0.0/24 , then you would enter 0 ( then push the ENTER button "
echo -n " Input your fourth number : "
read n4
echo " OK - the fourth second is going to be $n4"
echo
echo
echo "Note: so far we have $n1.$n2.$n3.$n4"
echo
#
echo "Push the ENTER button to continue"
read dummy
clear
echo "Note: so far we have $n1.$n2.$n3.$n4"
echo "Note: I will use $n1.$n2.$n3.$n4 as your starting CGN-NAT IP address"
#
echo "Push the ENTER button to continue"
read dummy
clear
###
echo i-n "What is the outside Live-IP address you will be CGN Natting to : "
read OutSideLiveIP
echo
echo "This program will use outside Live-IP address of $OutSideLiveIP"

echo "Push the ENTER button to continue"
read dummy
clear
###
echo " What is your Starting Port Number "
echo " Note: there are 65,536 ports ( 0 through 65,535 )"
echo " I would like to suggest a starting port number of 1000 or 2000 or 3000 "
echo
echo -n "Enter your Starting Port Number "
read StartPort
echo
echo "I will use a starting port number of : $StartPort "
echo
echo "Push the ENTER button to continue"
read dummy
###
clear
echo "How many ports do you want to use ?"
echo "Note: answers can be 100 or 1000 ( or some other valid number "
echo
echo -n "How many ports do you want to use for each Internal NATted to a live IP address : "
read PortsPerTranslation
echo
echo "OK - I will use $PortsPerTranslation per translation"
echo
echo
echo "Push the ENTER button to continue"
read dummy
clear
###
while [ $i -ne 256 ]
do
EndPort=$(($StartPort+$PortsPerTranslation-1))
echo "#"
echo "#$i Inside NAT IP address $n1.$n2.$n3.$i will translate to outside IP address $OutSideLiveIP using ports $StartPort-$EndPort"
echo "add action=src-nat chain=srcnat protocol=tcp src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
echo "add action=src-nat chain=srcnat protocol=udp src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
echo "add action=src-nat chain=srcnat src-address=$n1.$n2.$n3.$i to-addresses=$OutSideLiveIP to-ports=$StartPort-$EndPort"
i=$(($i+1))
StartPort=$(($StartPort+$PortsPerTranslation))
done

------------------- Cut above this line -------------------

- Make this program executable ( example: chmod 777 addNatRules-Beta-Version024.sh )

- Run the shell program ( example: ./addNatRules-Beta-Version024.sh )

Output: This is a Beta program --> addNatRules-Beta-Version024.sh created on January 11 2022
Push the ENTER button

Output: What is the first number in your starting CGN-Nat block
Enter: 100 then push the ENTER button

Output: What is the second number in your starting CGN-Nat block
Enter: 64 then push the ENTER button

Output: What is the third number in your starting CGN-Nat block
Enter: 0 then push the ENTER button

Output: What is the fourth number in your starting CGN-Nat block
Enter: 0 then push the ENTER button

Output: Note: so far we have 100.64.0.0
Enter: Push the ENTER button

Output: Note: so far we have 100.64.0.0
Enter: Push the ENTER button

Output: What is the outside Live-IP address you will be CGN Natting to :
* Here - you type in the full outside IP address you are going to NAT to that the outside world sees
* In my example , I will use: 23.162.144.120 (( this is the outside IP address of my btest server )).
Enter: Push the ENTER button

Output: This program will use outside Live-IP address of 23.162.144.120
Enter: Push the ENTER button

Output: What is your Starting Port Number
Enter: 1000 then push the ENTER button

Output: I will use a starting port number of : 1000
Enter: Push the ENTER button

Output: How many ports do you want to use for each Internal NATted to a live IP address :
Enter: 250 then push the ENTER button

Output: OK - I will use 250 per translation
Enter: Push the ENTER button

************* the program is now running and printing out the Mikrotik NAT444 configuration we want ******

This is the shell program output below:

#
#0 Inside NAT IP address 100.64.0.0 will translate to outside IP address 23.162.144.120 using ports 1000-1249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249
add action=src-nat chain=srcnat src-address=100.64.0.0 to-addresses=23.162.144.120 to-ports=1000-1249
#
#1 Inside NAT IP address 100.64.0.1 will translate to outside IP address 23.162.144.120 using ports 1250-1499
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499
add action=src-nat chain=srcnat src-address=100.64.0.1 to-addresses=23.162.144.120 to-ports=1250-1499
#
#2 Inside NAT IP address 100.64.0.2 will translate to outside IP address 23.162.144.120 using ports 1500-1749
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749
add action=src-nat chain=srcnat src-address=100.64.0.2 to-addresses=23.162.144.120 to-ports=1500-1749
#
#3 Inside NAT IP address 100.64.0.3 will translate to outside IP address 23.162.144.120 using ports 1750-1999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999
add action=src-nat chain=srcnat src-address=100.64.0.3 to-addresses=23.162.144.120 to-ports=1750-1999
#
#4 Inside NAT IP address 100.64.0.4 will translate to outside IP address 23.162.144.120 using ports 2000-2249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249
add action=src-nat chain=srcnat src-address=100.64.0.4 to-addresses=23.162.144.120 to-ports=2000-2249

--- through ----
#
#251 Inside NAT IP address 100.64.0.251 will translate to outside IP address 23.162.144.120 using ports 63750-63999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999
add action=src-nat chain=srcnat src-address=100.64.0.251 to-addresses=23.162.144.120 to-ports=63750-63999
#
#252 Inside NAT IP address 100.64.0.252 will translate to outside IP address 23.162.144.120 using ports 64000-64249
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249
add action=src-nat chain=srcnat src-address=100.64.0.252 to-addresses=23.162.144.120 to-ports=64000-64249
#
#253 Inside NAT IP address 100.64.0.253 will translate to outside IP address 23.162.144.120 using ports 64250-64499
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499
add action=src-nat chain=srcnat src-address=100.64.0.253 to-addresses=23.162.144.120 to-ports=64250-64499
#
#254 Inside NAT IP address 100.64.0.254 will translate to outside IP address 23.162.144.120 using ports 64500-64749
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749
add action=src-nat chain=srcnat src-address=100.64.0.254 to-addresses=23.162.144.120 to-ports=64500-64749
#
#255 Inside NAT IP address 100.64.0.255 will translate to outside IP address 23.162.144.120 using ports 64750-64999
add action=src-nat chain=srcnat protocol=tcp src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999
add action=src-nat chain=srcnat protocol=udp src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999
add action=src-nat chain=srcnat src-address=100.64.0.255 to-addresses=23.162.144.120 to-ports=64750-64999

sup5 · Wed Jan 12, 2022 2:54 am

you really have to have a look at the netmap. single translations will kill your router's cpu.

Netmap for CGNAT is some sort of Brainfuck, sure. But it's worth the effort.

Wed Jan 12, 2022 4:42 am

you really have to have a look at the netmap. single translations will kill your router's cpu.

Netmap for CGNAT is some sort of Brainfuck, sure. But it's worth the effort.

I am re-looking at doing this with Netmap.
I sure wish I could find a working script

North Idaho Tom Jones

Thu Jan 13, 2022 2:40 am

you really have to have a look at the netmap. single translations will kill your router's cpu.

Netmap for CGNAT is some sort of Brainfuck, sure. But it's worth the effort.

I did some reading on Netmap.
From what I read , it looks like Netmap is better suited for a 1:1 translation.

I am trying to do something like this:
add action=src-nat chain=PlGpon8-15 protocol=tcp src-address=100.64.103.255 to-addresses=x.y.z.223 to-ports=64750-64999
add action=src-nat chain=PlGpon8-15 protocol=udp src-address=100.64.103.255 to-addresses=x.y.z.223 to-ports=64750-64999

where my src-address is each and every IP address in a 100.64.0.0/21 block
where I am NATting each /24 in the /21 block to a live IP address
where each IP in my /21 100.64 block has a port range of 250 ports in a live IP address

Thus , when I get a copyright notice ( where some customer downloaded a movie ) , I get a notice that shows the IP address and the port that was used.

O and by the way - I did configuration working ( whewwww )

North Idaho Tom Jones

Thu Jan 13, 2022 3:02 am

Well - I think I finally got my NAT444 working

I was able to get the Mikrotik terminal-function addNatRules working.
** I did not know what a terminal-function was or how to use one - but I kinda know now ... ***

Here is what I have done that is now working:
- At this time , I have two /21 CGN (100.64.x.y) networks working now with NAT444
- Each NAT configuration of a CGN /21 is uses 8 live-ip-addresses
- Each CGN translation to live IP address is configured to use 250 ports

Each CGN /21 NAT444 to a /29 live IP address has 4,300+ lines of code I has to put into the Mikrotik nat section.

I currently have two CGN /21 networks ( so I have a total of over 8,600 lines of code in the Mikrotik nat section.

What is really interesting is my original CGN /21 nat to a /30 live-ip-address was originally using only 1 line of in the Mikrotik nat section.
So , it was remove 1 line ( NAT44 ) and add 4,300 lines in the nat section - per /21 network I converted to NAT444

What really surprised me is I was expecting my Mikrotik NAT router to die or start running really slow when I put in 8-thousand lines in the nat configuration. But - to my surprise , my testers on the now NAT444 networks informed me that their Internet appeared much faster when making connections out on the Internet.

So now I have another 10+ /21 CGN networks to convert from NAT44 to NAT444 ( which will require another 43-thousand lines of code in the nat section ( I hope it still works ? ).

Now I am ready to get another batch of those annoying emails with a subject line of : Notice of Claimed Infringement - Case ID that contains the IP address and port , and quickly and easily find which customer(s) this notice applies to

North Idaho Tom Jones

EDIT-more info:
To add additional NAT444 to my 2'nd use of the terminal-function , I had to change the "xxx" in the addNatRules to something unique such as "PlGpon".
This way , I don't break the original "jump-target=xxx" from the 1'st time a ran the addNatRules
** I guess it would be nice to be able to call the terminal-function "addNatRules" and include a jump name to use that is not-already-used & unique to any other jump names already in use.

O - and by the way - my original backup config only used 41.2 KiB of disk space. I am now using 1.136 Meg in disk space when I make a Mikrotik backup.
The good thing is , I am using a Mikrotik CHR with 16-Gig of disk ( 44.2 MiB used of 15.9 GiB with 99% free ).

sindy · Thu Jan 13, 2022 10:16 am

It actually makes little difference whether you use action=netmap or action=src-nat because you have to set the new address and the new range of ports in the same rule, and the combination of the new public address and the new range of ports is unique for each CGNAT address, that's the whole point of this exercise. So one rule in chain srcnat per each individual CGNAT address cannot be avoided unless you would pass the traffic through the router twice, doing the port translation during the first pass and the address translation during the second one. But that would indeed double the load of the router, so not a good idea.

So what you can only do is to speed up processing of the initial packet of each connection by making it pass as few rules as possible, which leads to a binary tree implementation, i.e. one jump rule per each bit of the address at each level. For splitting the linear rules for 256 CGNAT addresses into 16 groups of 16 linear rules, it would look as follows:

chain=srcnat src-address=x.x.x.128/25 action=jump jump-target=128.25
chain=srcnat src-address=x.x.x.64/26 action=jump jump-target=64-26
chain=srcnat src-address=x.x.x.32/27 action=jump jump-target=32-27
chain=srcnat src-address=x.x.x.16/28 action=jump jump-target=16-28
chain=srcnat src-address=x.x.x.0 action=src-nat to-addresses=y.y.y.y to-ports=F0-L0
:
chain=srcnat src-address=x.x.x.15 action=src-nat to-addresses=y.y.y.y to-ports=F15-L15

chain=128-25 src-address=x.x.x.192/26 action=jump jump-target=192-26
chain=128-25 src-address=x.x.x.160/27 action=jump jump-target=160-27
chain=128-25 src-address=x.x.x.144/28 action=jump jump-target=144-28
chain=srcnat src-address=x.x.x.128 action=src-nat to-addresses=y.y.y.y to-ports=F128-L128
:
chain=srcnat src-address=x.x.x.143 action=src-nat to-addresses=y.y.y.y to-ports=F143-L143

chain=64-26 src-address=x.x.x.96/27 action=jump jump-target=96-27
chain=64-26 src-address=x.x.x.80/28 action=jump jump-target=80-28
chain=64-26 src-address=x.x.x.64 action=src-nat to-addresses=y.y.y.y to-ports=F64-L64
:
chain=64-26 src-address=x.x.x.79 action=src-nat to-addresses=y.y.y.y to-ports=F79-L79

chain=96-27 src-address=x.x.x.112/28 action=jump jump-target=112-28
chain=96-27 src-address=x.x.x.96 action=src-nat to-addresses=y.y.y.y to-ports=F96-L96
:
chain=96-27 src-address=x.x.x.111 action=src-nat to-addresses=y.y.y.y to-ports=F111-L111

chain=112-28 src-address=x.x.x.112 action=src-nat to-addresses=y.y.y.y to-ports=F112-L112
:
chain=112-28 src-address=x.x.x.127 action=src-nat to-addresses=y.y.y.y to-ports=F127-L127

etc. (still 10 or 11 chains to add).

So for 256 action=src-nat rules in total, instead of passing through 128 of them on average, each initial packet of a connection would pass through just 8 action=src-nat ones on average and just 4 action=jump ones.

olivier2831 · Mon Jan 17, 2022 6:26 pm

Well - I think I finally got my NAT444 working

I don't know if it's the appropriate place to ask, but what happens if a customer consumes too much TCP or UDP ports ?
1. Is this something that is logged ?
2. From end user perspective, does it trigger some 5XX HTTP error code ?
3. What are the network usages that consumes the most TCP/UDP ports ? VOD ? Web browsing ?

sindy · Mon Jan 17, 2022 7:31 pm

I don't know if it's the appropriate place to ask, but what happens if a customer consumes too much TCP or UDP ports ?

It is well in the context of the current topic so I'd say it is OK, but I am neither an admin nor the OP so my opinion is not much significant.

1. Is this something that is logged ?

Definitely not with a high severity, the new connection just does not get through.

2. From end user perspective, does it trigger some 5XX HTTP error code ?

No. In better case (Mikrotik), the TCP connection attempt will just time out, and the browser will show a corresponding error message like "the server did not respond". In worse case (other devices I've seen), the newer connection will succeed but it will break some existing older one. A UDP attempt will also time out and the application will notify the user depending on how it is written. As @sup5 alerts, DNS request may be quite severely affected.

3. What are the network usages that consumes the most TCP/UDP ports ? VOD ? Web browsing ?

As I wrote to @anav above - you need a number of factors to aggregate in order that a limited pool of ports per source IP address and destination socket address would cause a problem to the source. When normal web browsers open multiple connections for a single page, these rarely open towards the same server. If VOD is "video on demand", the issue would pop up if more devices at customer site would connect to the same server at the "broadcasting" end than the number of ports dedicated for that customer. So I'd personally be most afraid of DNS requests to get affected.

olivier2831 · Tue Jan 18, 2022 4:55 pm

Limiting the ports per user does not mean there will be a hard limit of connections=ports. Mikrotik does port-overloading. This means it can re-use the same port for another destination.

But still, original and re-used ports are always binded to the very same private IP, right ?

olivier2831 · Tue Jan 18, 2022 5:07 pm

Be aware that only 63 concurrent DNS requests are possible, still.
You might also want to aggressively time down your UDP timers in connection tracking, when using such a low amount of ports per user.

Can you elaborate, both above points, please ?

In the first one, are you implying DNS requests pass through the router implementing NAT ? If this router also act as a DNS server, DNS requests won't be NATed at all, would they ?

In the second one, are you referring to udp-timeout and udp-stream-timeout ? What could be "aggressive but not too aggressive" values ?

sindy · Tue Jan 18, 2022 5:37 pm

But still, original and re-used ports are always binded to the very same private IP, right ?

Yes. For the same private IP, the same pool of ports is used for all connections.

Tue Jan 18, 2022 6:17 pm

Follow up
So far , I have converted about 5 or 6 CGN networks/vlans ( 100.64.x.y/21 ) from normal NAT44 to NAT444.
In all cases, I am getting reports that customer networks are working better and that some things that did not used to work now work ( now work with NAT444 ).

I am using 250 ports per NATted CGN customer IP. Then the customer router we maintain is also doing NAT ( normal NAT44 ).

Each /24 ( 255 NATted 100.64.x.y/24 IPs ) is NATting to one live IP address where each client has a port range of 250 IPs.
So , when NATting ( NAT444 ) a /21 ( eight C networks ) , each C network is NATting to one live IP address.

The customers on each NAT44 network which I have converted to NAT444 appear to be running faster and so far I have had zero customer tech-support calls since they were converted.

There are two items of interest; When converting a NATted ( NAT44 ) network to a NAT 444 network , the procedure is remove one line ( the lone/single NAT ( NAT44 ) line in the configuration and then paste in almost 1-thousand lines of code to get NAT444 running. So far , I am over 34-thousand lines of NAT444 code in the nat configuration. (( I would of never thought that more lines of nat configuration code would run faster - go figure .... )).

One good thing for me is that it is super easy and quick to lookup and identify what customer is being referenced when I now get one of those copyright notices where some customer downloaded a copyrighted movie. These notices provide two pieces of information ( Live-IP-Address and the Port-Number ), With this , it is simple to quickly identify the customer.

North Idaho Tom Jones

olivier2831 · Tue Jan 18, 2022 7:01 pm

One good thing for me is that it is super easy and quick to lookup and identify what customer is being referenced when I now get one of those copyright notices where some customer downloaded a copyrighted movie. These notices provide two pieces of information ( Live-IP-Address and the Port-Number ), With this , it is simple to quickly identify the customer.

I'm closely following this thread as I urgently need to prepare for such notices

(
In a worst case scenario, if I can't get severaI IP, I would have to NAT traffic from 250 devices into 1 public IP.
In case I can't implement CGN, I was thinking of implementing a NAT-logging system instead, maybe using Netflow.

I'm still hesitating between both routes (logging or CGN).

Wed Jan 19, 2022 2:54 am

One good thing for me is that it is super easy and quick to lookup and identify what customer is being referenced when I now get one of those copyright notices where some customer downloaded a copyrighted movie. These notices provide two pieces of information ( Live-IP-Address and the Port-Number ), With this , it is simple to quickly identify the customer.
I'm closely following this thread as I urgently need to prepare for such notices (
In a worst case scenario, if I can't get severaI IP, I would have to NAT traffic from 250 devices into 1 public IP.
In case I can't implement CGN, I was thinking of implementing a NAT-logging system instead, maybe using Netflow.

I'm still hesitating between both routes (logging or CGN).

In your worst case scenario - do you have 250 devices on an inside NATted /24 network ?
Do you have an available Live-IP-Address that is not being used at this time ?
If you don't have a un-used IP free available address, then it may be possible to NAT444 to the outside Live-IP-Address of your NAT router. Is this your plan ?
Are you wanting to NAT an inside network that is larger than a /24 ( or multiple /24 networks ) ?

I might be able to make a config and send it to you so that all you have to do is:
- disable the existing nat statements and paste in the new NAT444 statements.

North Idaho Tom Jones

amt · Thu Dec 21, 2023 12:28 pm

I'm closely following this thread as I urgently need to prepare for such notices (
In a worst case scenario, if I can't get severaI IP, I would have to NAT traffic from 250 devices into 1 public IP.
In case I can't implement CGN, I was thinking of implementing a NAT-logging system instead, maybe using Netflow.

I'm still hesitating between both routes (logging or CGN).

In your worst case scenario - do you have 250 devices on an inside NATted /24 network ?
Do you have an available Live-IP-Address that is not being used at this time ?
If you don't have a un-used IP free available address, then it may be possible to NAT444 to the outside Live-IP-Address of your NAT router. Is this your plan ?
Are you wanting to NAT an inside network that is larger than a /24 ( or multiple /24 networks ) ?

I might be able to make a config and send it to you so that all you have to do is:
- disable the existing nat statements and paste in the new NAT444 statements.

North Idaho Tom Jones

First of all, I would like to thank you for sharing your experiences here and helping us. I'm currently doing research to switch to nat444 from nat44, and I'm wondering that how do you print all these rules on your CHR , Can you help me to fight with this?

Regards,

Thu Dec 21, 2023 3:54 pm

re: ... wondering that how do you print all these rules on your CHR ...

forget about pasting it in - way to many lines of code and chances are high of a dropped line.

I ended up makin a text file and uploaded the text file to the CHR via winbox , then ran the file as a script ( I think my file was a .rsc file ?? ) --- Anyway - that way worked well and pretty fast.

note - I have just over 1,000 fiber connected customers , average customer traceroute through the fiber network through chr distribution router - through my chr bandwidth shaper through my chr NAT444 , through my CHR OSPF router , through my CHR BGP router averages about .02 ms to .5 ms ( sometimes 2 ms ) per hop ( that includes going through the chr NAT444 router !!! ) ---- and this is while 1k fiber customers are average combined passing 2 to 4 Gig of Internet traffic through the same chr NAT444 router..

North Idaho Tom Jones

amt · Thu Dec 21, 2023 7:03 pm

I ended up makin a text file and uploaded the text file to the CHR via winbox , then ran the file as a script ( I think my file was a .rsc file ?? ) --- Anyway - that way worked well and pretty fast.
North Idaho Tom Jones

I was talking about this, yes its better to import it to the CHR .rsc or prepare txt file but how do you prepare this files ? do you write them to the txt by your self or any script to create or any web page that create these rules.

how many port do you use for per customer without problem ? at the topic seems that 250 port per ip , still no any problem with 250 port ?

Fri Dec 22, 2023 3:21 am

I ended up makin a text file and uploaded the text file to the CHR via winbox , then ran the file as a script ( I think my file was a .rsc file ?? ) --- Anyway - that way worked well and pretty fast.
North Idaho Tom Jones

I was talking about this, yes its better to import it to the CHR .rsc or prepare txt file but how do you prepare this files ? do you write them to the txt by your self or any script to create or any web page that create these rules.

how many port do you use for per customer without problem ? at the topic seems that 250 port per ip , still no any problem with 250 port ?

When I created my NAT444.rsc file , I used an txt editor. I first created a base configuration , then pasted in my config , edit the original config then past-append to my rsc file , then repeat many times.

Here is a clippit sample of my RSC file that I used. ( note - my actual rsc file was much much larger !!!

/ip firewall nat
add action=src-nat chain=srcnat src-address=100.64.1.34 to-addresses=\
A.B.C.182
add action=src-nat chain=srcnat src-address=100.64.1.2 to-addresses=\
A.B.C.183
add action=jump chain=srcnat jump-target=NrWireless1 src-address=\
100.64.2.0/24
add action=jump chain=NrWireless1 jump-target=NrWireless1-0 src-address=\
100.64.2.0/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-1 src-address=\
100.64.2.16/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-2 src-address=\
100.64.2.32/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-3 src-address=\
100.64.2.48/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-4 src-address=\
100.64.2.64/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-5 src-address=\
100.64.2.80/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-6 src-address=\
100.64.2.96/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-7 src-address=\
100.64.2.112/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-8 src-address=\
100.64.2.128/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-9 src-address=\
100.64.2.144/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-10 src-address=\
100.64.2.160/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-11 src-address=\
100.64.2.176/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-12 src-address=\
100.64.2.192/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-13 src-address=\
100.64.2.208/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-14 src-address=\
100.64.2.224/28
add action=jump chain=NrWireless1 jump-target=NrWireless1-15 src-address=\
100.64.2.240/28
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.0 \
to-addresses=A.B.C.84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.0 \
to-addresses=A.B.C.84 to-ports=1000-1249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.0 to-addresses=\
A.B.C.84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.1 \
to-addresses=A.B.C.84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.1 \
to-addresses=A.B.C.84 to-ports=1250-1499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.1 to-addresses=\
A.B.C.84

....

add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.12 \
to-addresses=A.B.C.84 to-ports=4000-4249
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.12 \
to-addresses=A.B.C.84 to-ports=4000-4249
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.12 to-addresses=\
A.B.C.84

...

add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.13 \
to-addresses=A.B.C.84 to-ports=4250-4499
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.13 \
to-addresses=A.B.C.84 to-ports=4250-4499
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.13 to-addresses=\
A.B.C.84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.14 \
to-addresses=A.B.C.84 to-ports=4500-4749
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.14 \
to-addresses=A.B.C.84 to-ports=4500-4749
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.14 to-addresses=\
A.B.C.84
add action=src-nat chain=NrWireless1-0 protocol=tcp src-address=100.64.2.15 \
to-addresses=A.B.C.84 to-ports=4750-4999
add action=src-nat chain=NrWireless1-0 protocol=udp src-address=100.64.2.15 \
to-addresses=A.B.C.84 to-ports=4750-4999
add action=src-nat chain=NrWireless1-0 src-address=100.64.2.15 to-addresses=\
A.B.C.84

...

add action=src-nat chain=NrWireless1-1 protocol=tcp src-address=100.64.2.16 \
to-addresses=A.B.C.84 to-ports=5000-5249
add action=src-nat chain=NrWireless1-1 protocol=udp src-address=100.64.2.16 \
to-addresses=A.B.C.84 to-ports=5000-5249
add action=src-nat chain=NrWireless1-1 src-address=100.64.2.16 to-addresses=\
A.B.C.84
add action=src-nat chain=NrWireless1-1 protocol=tcp src-address=100.64.2.17 \
to-addresses=A.B.C.84 to-ports=5250-5499

...

add action=jump chain=srcnat jump-target=PlWireless1 src-address=\
100.64.80.0/24
add action=jump chain=PlWireless1 jump-target=PlWireless1-0 src-address=\
100.64.80.0/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-1 src-address=\
100.64.80.16/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-2 src-address=\
100.64.80.32/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-3 src-address=\
100.64.80.48/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-4 src-address=\
100.64.80.64/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-5 src-address=\
100.64.80.80/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-6 src-address=\
100.64.80.96/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-7 src-address=\
100.64.80.112/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-8 src-address=\
100.64.80.128/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-9 src-address=\
100.64.80.144/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-10 src-address=\
100.64.80.160/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-11 src-address=\
100.64.80.176/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-12 src-address=\
100.64.80.192/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-13 src-address=\
100.64.80.208/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-14 src-address=\
100.64.80.224/28
add action=jump chain=PlWireless1 jump-target=PlWireless1-15 src-address=\
100.64.80.240/28
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.0 \
to-addresses=A.B.C.224 to-ports=1000-1249
add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.0 \
to-addresses=A.B.C.224 to-ports=1000-1249
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.0 to-addresses=\
A.B.C.224
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.1 \
to-addresses=A.B.C.224 to-ports=1250-1499

...

add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.1 \
to-addresses=A.B.C.224 to-ports=1250-1499
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.1 to-addresses=\
A.B.C.224
add action=src-nat chain=PlWireless1-0 protocol=tcp src-address=100.64.80.2 \
to-addresses=A.B.C.224 to-ports=1500-1749
add action=src-nat chain=PlWireless1-0 protocol=udp src-address=100.64.80.2 \
to-addresses=A.B.C.224 to-ports=1500-1749
add action=src-nat chain=PlWireless1-0 src-address=100.64.80.2 to-addresses=\
A.B.C.224

amt · Fri Dec 22, 2023 11:35 am

Thank you for sharing, I am starting to do the same process, only by using netmap instead of src-nat, I aim to reduce the number of rules.

DarkNate · Fri Dec 22, 2023 12:08 pm

Thank you for sharing, I am starting to do the same process, only by using netmap instead of src-nat, I aim to reduce the number of rules.

Don't forget to read this:
viewtopic.php?t=176358

sindy · Fri Dec 22, 2023 12:33 pm

still no any problem with 250 port ?

Bear in mind that 250 ports per customer actually mean 250 ports per connection to a particular remote socket, so far more than 250 connections per customer in total. There are just a few scenarios where that may still be a limitation - what comes to my mind is that some of your customers would have hundreds of IoT devices talking to the same cloud server. Too many kids watching Youtube are far less likely.

As for the creation of the rules, I always prefer to use a script to generate any kind of large configurations because if you make a mistake in the script, you learn about it quite quickly as it affects a good deal of the result; if you make a mistake in the copy-paste-edit process, it is much harder to notice. So even though the time spent on writing the script may be similar to the one spent on copy-paste-edit, the debugging phase is typically faster.

Fri Dec 22, 2023 6:32 pm

Thank you for sharing, I am starting to do the same process, only by using netmap instead of src-nat, I aim to reduce the number of rules.

It's not the number of firewall/nat rules that slows down throughput and places a large CPU load on the system. What slows down a system is how many rules have to be processed to get packets through the system. Thus - efficient use of jump tables is where you get the speed because you are then able to jump/skip rules that do not apply to a packet. Thus a large number of rules is OK if you have efficient jump tables to quickly get packets through the system.

- - -
example below for efficient use of jumps ( note - did not double check my counts )
however , the concept I am emphasizing is to make rules/test that result is the fewest condition tests being performed/examined and exit/finish the rules with the average fewest number of condition test being performed - to get the fastest average speed. Something similar to this applies to your code when creating a NAT444 configuration that may be thousands of lines of code.

X equals any random whole number from 1 to 10

010 if X = 1 then finish/exit all other tests
020 if X = 2 then finish/exit all other tests
030 if X = 3 then finish/exit all other tests
040 if X = 4 then finish/exit all other tests
050 if X = 5 then finish/exit all other tests
060 if X = 6 then finish/exit all other tests
070 if X = 7 then finish/exit all other tests
080 if X = 8 then finish/exit all other tests
090 if X = 9 then finish/exit all other tests
100 finish/exit all other tests ( same as if X = 10 then finish/exit all other tests without the if test )
* 10 lines - Average number of lines processed per X is 5

----------------------------------------------------------------------------------------------------------
X equals any random whole number from 1 to 10

010 if X > 5 jump to 500
020 if X = 1 then finish/exit all other tests
030 if X = 2 then finish/exit all other tests
040 if X = 3 then finish/exit all other tests
050 if X = 4 then finish/exit all other tests
060 finish/exit all other tests
500 if X = 6 then finish/exit all other tests
510 if X = 7 then finish/exit all other tests
520 if X = 8 then finish/exit all other tests
530 if X = 9 then finish/exit all other tests
540 finish/exit all other tests
* 11 lines - Average number of lines processed per X is 4

----------------------------------------------------------------------------------------------------------
X equals any random whole number from 1 to 10

010 if X > 8 jump to 800
020 if X > 6 jump to 600
030 if X > 4 jump to 400
040 if X > 2 jump to 300
100 if X = 1 then finish/exit all other tests
110 finish/exit all other tests
300 if X = 3 then finish/exit all other tests
310 finish/exit all other tests
400 if X = 5 then finish/exit all other tests
410 finish/exit all other tests
500 if X = 7 then finish/exit all other tests
510 finish/exit all other tests
600 if X = 9 then finish/exit all other tests
610 finish/exit all other tests
* 14 lines - Average number of lines processed per X is 3.5

----------------------------------------------------------------------------------------------------------

This reminds me of a simple test procedure:
- you have nine identical looking marbles
- eight marbles are the same weight
- one marble is heavier than the other eight marbles
- you have a balance scale
Find the one heaver marble using the balance scale only 3 times.

amt · Fri Dec 22, 2023 7:12 pm

Thank you for sharing, I am starting to do the same process, only by using netmap instead of src-nat, I aim to reduce the number of rules.
Don't forget to read this:
viewtopic.php?t=176358

will definitely be examined in detail , thanks for inform

amt · Fri Dec 22, 2023 7:15 pm

Bear in mind that 250 ports per customer actually mean 250 ports per connection to a particular remote socket, so far more than 250 connections per customer in total. There are just a few scenarios where that may still be a limitation - what comes to my mind is that some of your customers would have hundreds of IoT devices talking to the same cloud server. Too many kids watching Youtube are far less likely.

As for the creation of the rules, I always prefer to use a script to generate any kind of large configurations because if you make a mistake in the script, you learn about it quite quickly as it affects a good deal of the result; if you make a mistake in the copy-paste-edit process, it is much harder to notice. So even though the time spent on writing the script may be similar to the one spent on copy-paste-edit, the debugging phase is typically faster.

I think using 250 ports may cause problems, for example a crowded restaurant... That's why I asked how is going with 250 ports.

amt · Fri Dec 22, 2023 7:26 pm

It's not the number of firewall/nat rules that slows down throughput and places a large CPU load on the system. What slows down a system is how many rules have to be processed to get packets through the system. Thus - efficient use of jump tables is where you get the speed because you are then able to jump/skip rules that do not apply to a packet. Thus a large number of rules is OK if you have efficient jump tables to quickly get packets through the system.

- - -
example below for efficient use of jumps ( note - did not double check my counts )
however , the concept I am emphasizing is to make rules/test that result is the fewest condition tests being performed/examined and exit/finish the rules with the average fewest number of condition test being performed - to get the fastest average speed. Something similar to this applies to your code when creating a NAT444 configuration that may be thousands of lines of code.

Thank you very much for the examples and information. It's great that you care so much about the subject.
I created the nat rules and jump rules and I am currently testing it in a /22 ip pool and waiting results...
also I put 4000 port for per ip

sindy · Fri Dec 22, 2023 7:37 pm

I think using 250 ports may cause problems, for example a crowded restaurant...

It didn't even come to my mind you might plan on connecting businesses, let alone hospitality ones, this way. Indeed if the whole restaurant is watching youtube, or even worse, if the restaurant has a cloud-based order management service used directly by the guests, 250 ports might be insufficient.

Fri Dec 22, 2023 9:46 pm

I think using 250 ports may cause problems, for example a crowded restaurant...
It didn't even come to my mind you might plan on connecting businesses, let alone hospitality ones, this way. Indeed if the whole restaurant is watching youtube, or even worse, if the restaurant has a cloud-based order management service used directly by the guests, 250 ports might be insufficient.

IMO - if the customer is a business, then sell them a high-speed business account with a static IP address - otherwise no normal residential customer will never need to make 250+ port connections to any single Internet located server. If a customer needs to make 250+ port connections to anything , then they are behaving like a business so then sell them a business account with a static IP address.

Who is online