Mikrotik CGNAT

Mikrotik – Networking for ALL

Scenario:

OP is running mini ISP 200 users. Currently he is using Mikrotik Router as PPPoE Server along with Freeradius as AAA. on Mikrotik, one public IP is configured for WAN and additional /24 routed pool (256 public IP addresses) is provided to the OP via ISP so that he can provide public IP to each user. After the network upgrades , OP have reached 700 users in total, and since he have only 256 public ip’s , he is now using natting for half of his users.

This NATTING workaround is creating hurdles in tracking illegal activity performed by any NATTED users because hundreds of NATTED user will have same public ip (Mikrotik WAN IP). nowadays law sometimes provide only the public ip along with source port and ask for the user credentials details for investigation purposes.

with single public IP and hundreds of natted hosts behind it. tracking is nearly impossible.

Workaround:

CGNAT concept is used to share one or preferably more public IP addresses with large number of private ip addresses on ratio basis.

To combat with this IPV4 exhausting issue, we can use CGNAT as a workaround. This is by no means a solution, & the OP should get public IP space (either ipv4 or ipv6) to comply with the LAW.

IP scheme example used in this post:

Public IP range: (/24 public IP’s routed pool)

• 1.1.1-1.1.1.255
• Total Public IP useable: 255

Private IP range for PPPoE users:

• 172.16.1.1-172.16.1.255
• 172.16.2.1-172.16.2.255
• 172.16.3.1-172.16.3.255
• Total Private IP useable: 765

For 765 Users, we will be using 1:5 Ratio, thus 153 public ips will be used for 765 users. (on a ratio of 1:5).

• per private IP, we will reserve 10,000 ports, which should be more than enough for each user.
• per private IP, we will be creating 3 rules, one for TCP, second for UDP, 3rd for non ports range

CGNAT configuration on RouterOS is very much similar to regular source NAT configuration.

Some possible disadvantages of using CGNAT concept:

• You need additional SYSLOG server (either windows or linux base) to store hundreds of GB’s of logs. I would prefer linux base SYSLOG-NG). Tracking of users for legal reasons means hundreds GB’s of extra logging is required, as multiple end users go behind one (or more) public IP address(es).
• Tracking Logs is not an easy task particularly when you have tongs of Logging (in a DB). Some super fast computing resources (including preferably RAID10 or SSD based storage) and fine tune DB would be required.
• Hosts behind a NAT-enabled router do not have reliable end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT
• A CG-NAT device must use the same external IP address mapping
  for all sessions associated with the same internal IP address
• Preserve Range RFC4787 defines two port ranges: “Well Known Ports” [0, 1023]
  and “Registered“/”Dynamic and/or Private” [1024, 65535] When the source port of the internal host establishing a new connection falls into one of these ranges the CGN tries to allocate an external source port in the same range. If it fails to find a port, connection fails too.
• Most Applications do not behave well with TCP resets
• Many operations still not familiar with CG-NAT complexities. There is a lot of trial and error on the part of service providers

To add multiple Public IP addresses on WAN interface in bulk using single CMD on Terminal

You may need to add all of your public IP addresses (which will be used for CGNAT) on WAN interface. to do this in bulk you can use Mikrotik FOR X script function for ease / ZAIB

:for x from 1 to 153 do={ /ip address add address="1.1.1.$x/32" comment="1.1.1.$x - Routed IP for ppp CGNAT - zaib" interface="ether1-wan"}

Adding FUNCTION in Mikrotik for later Automation

Paste this in Mikrotik RouterOS terminal:

# CGNAT script source: https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Carrier-Grade_NAT_.28CGNAT.29_or_NAT444
# I modified this script script to match local setup requirements and to support latest version of ROS 6.46.1 as of December 2019. So its somewhat different from the original
# Syed Jahanzaib / aacable at hotmail dot com

:global sqrt
:global sqrt do={
:for i from=0 to=$1 do={
:if (i * i > $1) do={ :return ($i - 1) }
}
}
:global addNatRules do={
/ip firewall nat add chain=srcnat action=jump jump-target=xxx \
src-address="$($srcStart)-$($srcStart + $count - 1)"
:local x [$sqrt $count]
:local y $x
:if ($x * $x = $count) do={ :set y ($x + 1) }
:for i from=0 to=$x do={
/ip firewall nat add chain=xxx action=jump jump-target="xxx-$($i)" \
src-address="$($srcStart + ($x * $i))-$($srcStart + ($x * ($i + 1) - 1))"
}
:for i from=0 to=($count - 1) do={
:local prange "$($portStart + ($i * $portsPerAddr))-$($portStart + (($i + 1) * $portsPerAddr) - 1)"
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=tcp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat protocol=udp src-address=($srcStart + $i) \
to-address=$toAddr to-ports=$prange
/ip firewall nat add chain="xxx-$($i / $x)" action=src-nat src-address=($srcStart + $i) to-address=$toAddr
}
}

Now we can issue following CMD to add rules in NAT section

# per private IP, we will reserve 10000 ports, which should be more than enough for each user.
# per private IP, we will be creating 3 rules, one for TCP, second for UDP, 3rd for non ports range

$addNatRules count=5 srcStart=172.16.1.1 toAddr=1.1.1.1 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.6 toAddr=1.1.1.2 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.11 toAddr=1.1.1.3 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.16 toAddr=1.1.1.4 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.21 toAddr=1.1.1.5 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.26 toAddr=1.1.1.6 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.31 toAddr=1.1.1.7 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.36 toAddr=1.1.1.8 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.41 toAddr=1.1.1.9 portStart=10000 portsPerAddr=9999
$addNatRules count=5 srcStart=172.16.1.46 toAddr=1.1.1.10 portStart=10000 portsPerAddr=9999

# & so on for rest of the pool, you can further automate this by using additional functions & scripting

Enable Logging of CG-NAT Output:

# To log user IP/NAT information on LOG window / files or remote syslog
/ip firewall mangle add action=accept chain=prerouting connection-state=new log=yes log-prefix="NAT_INFO_F> " src-address=172.16.0.0/16

Log Result (from different servers , so ip scheme may be changed in these logs, just for example purposes)

In this log you can clearly see the src-dst address, and on which public ip request was natted along with ports. This is useful

Jan 1 16:58:21 10.11.11.36 firewall,info NAT_INFO_F> forward: in:ether10 out:ether1, src-mac b4:2e:99:xx:xx:xx, proto UDP, 10.11.11.161:63179->172.217.19.3:443, NAT (101.11.11.161:63179->1.1.1.1:19082)->172.217.19.3:443, len 428
Jan 1 16:58:21 10.11.11.36 firewall,info NAT_INFO_F> forward: in:ether10 out:ether1, src-mac b4:2e:99:xx:xx:xx, proto UDP, 10.11.11.161:63179->172.217.19.3:443, NAT (10.11.11.161:63179->1.1.1.1:19082)->172.217.19.3:443, len 428

another one:

To delete older logs from syslog mysql db,

mysql -uroot -pSQLPASSWORD -s -e "use syslog; DELETE FROM logs WHERE date(datetime) < (CURDATE() - INTERVAL 3 MONTH);"