Nat translation
Posted: Thu Jan 27, 2011 1:54 pm
by hyp3R
Hello there. I've read the manual and couldn't figure it out.
Is it possible to have more than one public IP address for source NAT (PAT) translation on the same physical interface? I want to use pool of public IP addresses for masquerading internal privately addressed hosts.
Thanks in advance.
Alex
Re: Nat translation
Posted: Thu Jan 27, 2011 3:10 pm
by mrz
Re: Nat translation
Posted: Thu Jan 27, 2011 3:16 pm
by hyp3R
Thank you, but can I use the to-addresses parameter with source PAT? I know about mapping, but I need the thing written above.
Re: Nat translation
Posted: Thu Jan 27, 2011 4:03 pm
by fewi
Yes.
/ip address
add address=1.1.1.1 interface=wan
add address=1.1.1.2 interface=wan
/ip firewall nat
add chain=srcnat out-interface=wan src-address=192.168.1.0/25 action=src-nat to-address=1.1.1.1
add chain=srcnat out-interface=wan src-address=192.168.1.128/25 action=src-nat to-address=1.1.1.2
Re: Nat translation
Posted: Fri Jan 28, 2011 1:59 am
by chadd
I have a question related to this: how would you go about doing, say, a 5-1 NAT? For example, you have a block of public IPs and you would like to NAT 5 private IPs to one public IP? Is this something that could be done with address lists?
Re: Nat translation
Posted: Fri Jan 28, 2011 2:07 am
by fewi
Yes, you could do that with address lists. They even take ranges. See below:
/ip firewall address-list
add list=pool1 address=192.168.0.2-192.168.0.6
add list=pool2 address=192.168.0.7-192.168.0.11
add list=pool3 address=192.168.0.12-192.168.0.16
add list=pool4 address=192.168.0.17-192.168.0.21
/ip address
add address=1.1.1.2 interface=WAN
add address=1.1.1.3 interface=WAN
add address=1.1.1.4 interface=WAN
add address=1.1.1.5 interface=WAN
/ip firewall nat
add chain=srcnat out-interface=WAN src-address-list=pool1 action=src-nat to-address=1.1.1.2
add chain=srcnat out-interface=WAN src-address-list=pool2 action=src-nat to-address=1.1.1.3
add chain=srcnat out-interface=WAN src-address-list=pool3 action=src-nat to-address=1.1.1.4
add chain=srcnat out-interface=WAN src-address-list=pool4 action=src-nat to-address=1.1.1.5
Another interesting approach - though I have never tried it - is to use PCC to balance clients across multiple addresses. The more clients, the more even the balance will be. You could pick other classifiers such as both-addresses-and-ports, but that would make secure sites rather unstable as they often rely on the client to come from the same source IP for the duration of a session:
/ip address
add address=1.1.1.2 interface=WAN
add address=1.1.1.3 interface=WAN
add address=1.1.1.4 interface=WAN
add address=1.1.1.5 interface=WAN
/ip firewall nat
add chain=srcnat out-interface=WAN per-connection-classifier=src-address:0/4 action=src-nat to-address=1.1.1.2
add chain=srcnat out-interface=WAN per-connection-classifier=src-address:1/4 action=src-nat to-address=1.1.1.3
add chain=srcnat out-interface=WAN per-connection-classifier=src-address:2/4 action=src-nat to-address=1.1.1.4
add chain=srcnat out-interface=WAN per-connection-classifier=src-address:3/4 action=src-nat to-address=1.1.1.5
add chain=srcnat out-interface=WAN action=src-nat to-address=1.1.1.2 comment="paranoid fallback"
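As an added illustration of the two approaches in this reply (example code written for this thread, not code from the forum or from RouterOS): a small Python model of how the address-list rules pick a public address, and of why a PCC classifier of src-address keeps a client on one public IP while both-addresses-and-ports does not. RouterOS does not publish its PCC hash, so crc32 is assumed as a stand-in; what matters is which header fields feed the hash.

```python
import ipaddress
import zlib

# Public addresses from the posted config; PCC remainder N maps to PUBLIC[N].
PUBLIC = ["1.1.1.2", "1.1.1.3", "1.1.1.4", "1.1.1.5"]

# Address-list rules from the posted config: (first, last) private range -> to-address.
POOLS = [
    ("192.168.0.2", "192.168.0.6", "1.1.1.2"),
    ("192.168.0.7", "192.168.0.11", "1.1.1.3"),
    ("192.168.0.12", "192.168.0.16", "1.1.1.4"),
    ("192.168.0.17", "192.168.0.21", "1.1.1.5"),
]


def addrlist_srcnat(src):
    """Return the to-address chosen by the address-list rules, or None if none match."""
    s = int(ipaddress.ip_address(src))
    for first, last, pub in POOLS:
        if int(ipaddress.ip_address(first)) <= s <= int(ipaddress.ip_address(last)):
            return pub
    # No rule matched: without a catch-all rule the packet would leave untranslated,
    # which is why a fallback srcnat rule at the end of the chain is worth having.
    return None


def pcc_srcnat(src, sport, dst, dport, classifier="src-address"):
    """Model PCC selection: hash the classifier fields, take remainder mod 4.

    crc32 is an assumed stand-in for the undocumented RouterOS hash.
    """
    if classifier == "src-address":
        key = src
    elif classifier == "both-addresses-and-ports":
        key = f"{src}:{sport}->{dst}:{dport}"
    else:
        raise ValueError(f"unsupported classifier: {classifier}")
    remainder = zlib.crc32(key.encode()) % 4
    return PUBLIC[remainder]


def is_sticky(src, dst, sports, classifier):
    """True if every connection from src to dst (over the given source ports)
    is translated to the same public address, i.e. the session stays on one IP."""
    seen = {pcc_srcnat(src, p, dst, 443, classifier) for p in sports}
    return len(seen) == 1
```

A site that ties a session to the client's source IP will stay stable under src-address classification and break under both-addresses-and-ports, exactly the caveat fewi raises.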
Re: Nat translation
Posted: Fri Jan 28, 2011 2:43 am
by chadd
Thanks for the ideas.
Re: Nat translation
Posted: Fri Jan 28, 2011 1:07 pm
by hyp3R
Hello everyone.
First off, thank you very much. What you have done for us is priceless.
We have 13 zones (13 stations) on our network.
Translation was going through only one IP address. Up to 50k connections were open.
We didn't realize it could slow down the internet so much. Our users didn't have enough bandwidth and the internet was very slow.
Now we have added 13 addresses, and each station has its own address. It's working perfectly. This is just amazing!
Thanks so much!