Load-Balancing Src NAT Across Multiple Public IPs on MikroTik

In large NATed networks, where the LAN devices open more connections than there are source ports available, new connections start to fail and internet access becomes intermittent. This is port exhaustion.

Example: in a standard NAT setup on MikroTik, every NATed connection is mapped to one source port on the public IP. By default MikroTik translates to the port range 1024–65535, so if the number of active connections exceeds roughly 64 thousand (ignoring any static ports), the router has used every available port, and new connections are not possible until existing ones time out and release theirs.

Running the following command in the terminal shows the number of active connections. It is a good approximation of the number of source ports in use, with two caveats: the count also includes connections that are not source-NATed (traffic to the router itself, for example), and connection tracking only needs the translated address, port and destination to be unique together, so the ~64 thousand limit per public IP bites hardest when many clients talk to the same destination address and port. The connection tracking settings also report total-entries against max-entries, which is the other ceiling to watch:

ip/firewall/connection/print count-only

To solve this problem, add multiple public IP addresses to the router's public interface and set up NAT rules so that LAN connections are translated behind all of them. In the examples below the 192.168.x and 10.x addresses stand in for your public addresses, and it is good practice to restrict each srcnat rule to your LAN source addresses (the src-address matcher) so that only LAN traffic is translated. Here are the ways to achieve this:

Load balance NAT using an IP range:

When creating a NAT rule, you can specify a range of IP addresses with “to-addresses=192.168.1.1-192.168.1.2”.

As long as the addresses form a contiguous range, e.g. “192.168.1.1-192.168.1.4”, RouterOS selects one of the 4 addresses in that range for each new connection and keeps it for the life of that connection. The choice is made per connection (hash-based in the underlying netfilter NAT), so the spread is roughly even over many connections rather than strictly alternating. Every public IP added to the range creates room for roughly another 64 thousand connections, which greatly reduces port exhaustion. If your public IP addresses are not contiguous, skip this section and move on to Load balance NAT using NTH below:

Here is an example of what the NAT rule should look like:

ip/firewall/nat/add chain=srcnat out-interface=<YOUR WAN> action=src-nat to-addresses=192.168.1.1-192.168.1.2

Simply replace the out-interface with your WAN interface and the range with the public range configured on that interface, and RouterOS will immediately start translating new connections behind the range entered. Existing connections keep the mapping they already have.
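To make the arithmetic above concrete, here is an added toy model of source-NAT port allocation; it is not RouterOS code. It mimics the netfilter behaviour RouterOS builds on: the translated (public IP, port, protocol, destination) tuple must be unique, the client's own source port is kept when it is free, and a to-addresses range is spread over connections by a hash of the endpoint addresses. The hash used here and the client and destination addresses are constructed stand-ins, and the 1024–65535 port range is the page's default.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

PORT_RANGE = range(1024, 65536)   # default NAT port range from the page
PORTS_PER_IP = len(PORT_RANGE)    # 64512 usable ports per public IP per destination


class PortExhausted(Exception):
    """No free translated port on this public IP towards this destination."""


@dataclass
class SrcNatPool:
    public_ips: list
    used: dict = field(default_factory=dict)    # key -> set of ports handed out
    cursor: dict = field(default_factory=dict)  # key -> where the last port scan stopped

    def pick_public_ip(self, src_ip, dst_ip):
        # Stand-in (assumption) for the per-connection hash netfilter uses on a range.
        idx = (int(ip_address(src_ip)) + int(ip_address(dst_ip))) % len(self.public_ips)
        return self.public_ips[idx]

    def translate(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Allocate the translated (public IP, port) for one new connection."""
        pub = self.pick_public_ip(src_ip, dst_ip)
        # Uniqueness is only required per destination tuple, not globally.
        key = (pub, proto, dst_ip, dst_port)
        used = self.used.setdefault(key, set())
        if len(used) >= PORTS_PER_IP:
            raise PortExhausted(f"{pub} has no free {proto} port towards {dst_ip}:{dst_port}")
        if src_port in PORT_RANGE and src_port not in used:
            port = src_port                      # keep the client's port when possible
        else:
            port = self.cursor.get(key, PORT_RANGE.start)
            while port in used:                  # linear scan that wraps around the range
                port = port + 1 if port + 1 < PORT_RANGE.stop else PORT_RANGE.start
            self.cursor[key] = port + 1 if port + 1 < PORT_RANGE.stop else PORT_RANGE.start
        used.add(port)
        return pub, port

    def active(self):
        """Number of translated ports currently in use, like the connection count."""
        return sum(len(s) for s in self.used.values())


def fill_until_exhausted(pool, dst_ip="203.0.113.10", dst_port=443, limit=300_000):
    """Open connections from many (constructed) LAN clients to one destination
    until the pool refuses; returns how many succeeded before exhaustion."""
    n = 0
    while n < limit:
        src_ip = str(ip_address("10.0.0.0") + 1 + n % 60000)
        try:
            pool.translate("tcp", src_ip, 40000 + n % 20000, dst_ip, dst_port)
        except PortExhausted:
            return n
        n += 1
    return n


if __name__ == "__main__":
    one = SrcNatPool(["192.0.2.1"])
    print("one public IP, one destination:", fill_until_exhausted(one))
    two = SrcNatPool(["192.0.2.1", "192.0.2.2"])
    print("two public IPs, one destination:", fill_until_exhausted(two))
    # A different destination still gets a port from the exhausted pool.
    print("new destination after exhaustion:", one.translate("tcp", "10.0.0.1", 12345, "198.51.100.7", 443))
```

A single public IP gives out exactly 64512 translations towards one destination before refusing; a second address in the range doubles that. The last call shows the caveat from the top of the page: the limit is per destination tuple, so a pool that is exhausted towards one destination can still serve a new one.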

This method adapts easily to setups with multiple WAN connections: create one NAT rule per WAN interface, each with its own out-interface and its own address range, as above. The per-interface match matters, because a packet leaving WAN 2 with a WAN 1 source address may be dropped by the upstream provider's source-address filtering.

For example, let's say we have 2 WAN ports, each with 2 public IP addresses to NAT behind. Create the first NAT rule with WAN 1 as the out-interface and the WAN 1 address range, then repeat for WAN 2. With proper routing in place, e.g. ECMP or policy-based routing using mangle and routing marks, RouterOS matches connections leaving each interface to the correct addresses: traffic leaving via WAN 1 is translated behind the WAN 1 addresses, and traffic leaving via WAN 2 behind the WAN 2 addresses.

ip/firewall/nat/add chain=srcnat out-interface=<WAN 1> action=src-nat to-addresses=192.168.1.1-192.168.1.2

ip/firewall/nat/add chain=srcnat out-interface=<WAN 2> action=src-nat to-addresses=10.0.0.1-10.0.0.4

Load balance NAT using NTH:

Load balancing NAT with NTH is useful when the public IP addresses on a single WAN interface are not contiguous, e.g. scattered or spread across subnets, so you cannot give them to the NAT rule as a single range.

First create a srcnat rule that translates LAN traffic behind your first public IP, select the out-interface and set nth=2,1 on it. Then create a second NAT rule for your second public IP on the same out-interface with no nth, so it catches whatever the first rule let through. With this setup new connections are split 50/50 between the two rules, and therefore between the two public IPs.

ip/firewall/nat/add chain=srcnat action=src-nat nth=2,1 out-interface=<WAN 1> to-addresses=192.168.1.1

ip/firewall/nat/add chain=srcnat action=src-nat out-interface=<WAN 1> to-addresses=192.168.1.4

The nth matcher counts packets per rule: nth=2,1 matches the first packet of every 2 that reach that rule, i.e. 50% of the traffic the rule would otherwise match. Because src-nat is a terminating action, the second packet of every 2 is not translated by the first rule and falls through to the second, which matches it because it has no nth. Do not give the second rule nth=2,2: it keeps its own counter and only ever sees every second packet, so it would match only a quarter of the connections, and the remaining quarter would leave the router with their private source address untranslated. This lets you NAT behind multiple IP addresses without needing a range. You might also have multiple ranges in different subnets on the same interface, e.g. 2x /29s; in that case still use nth, but give each rule an address range instead of a single address.

In practice, nth in the srcnat chain distributes per connection, not per packet, because NAT is applied once per connection when it is first established.

So although nth technically counts packets, only the first packet of each new connection consults the srcnat rules; RouterOS then applies that source address to every packet of the connection through connection tracking. This extends to more than 2 public IPs by adding more rules: with N addresses, give the first rule nth=N,1, the second nth=N-1,1 and so on, and leave the last rule without nth as the catch-all, so each rule takes an equal share of what reaches it and nothing is left untranslated.
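The rule-selection arithmetic from the two paragraphs above, as an added simulation that is not RouterOS code. The assumed semantics are those described on this page: nth=every,packet matches the packet-th packet of each group of every packets that reach that rule, each rule keeps its own counter, action=src-nat ends processing for that packet, and the srcnat chain is consulted once per new connection, so each loop iteration below is one new connection. The chain builder generalises the page's 2-rule case to N addresses.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional


@dataclass
class SrcNatRule:
    to_address: str
    nth: Optional[tuple] = None   # (every, packet), or None for a catch-all rule
    seen: int = 0                 # this rule's own packet counter (assumed per-rule)

    def matches(self) -> bool:
        """Called once per packet that reaches this rule and satisfies its other matchers."""
        if self.nth is None:
            return True
        every, packet = self.nth
        self.seen += 1
        # nth=2,1 fires on the 1st, 3rd, 5th ... packet; nth=2,2 on the 2nd, 4th ...
        return self.seen % every == packet % every


def apply_srcnat(rules, new_connections):
    """Walk the srcnat chain once per new connection (its first packet).
    Returns a Counter of to_address -> connections; key None means no rule
    matched, i.e. the connection left with its private source address."""
    outcome = Counter()
    for _ in range(new_connections):
        chosen = None
        for rule in rules:
            if rule.matches():
                chosen = rule.to_address
                break                # src-nat is terminating: later rules never see it
        outcome[chosen] += 1
    return outcome


def nth_chain(addresses):
    """Even spread over N addresses: nth=N,1, then nth=N-1,1, ..., final rule catch-all."""
    n = len(addresses)
    rules = []
    for i, addr in enumerate(addresses):
        remaining = n - i
        rules.append(SrcNatRule(addr, None if remaining == 1 else (remaining, 1)))
    return rules


if __name__ == "__main__":
    # Two rules with nth=2,1 and nth=2,2: the second only sees half the packets.
    wrong = [SrcNatRule("192.168.1.1", (2, 1)), SrcNatRule("192.168.1.4", (2, 2))]
    print("nth=2,1 + nth=2,2:", dict(apply_srcnat(wrong, 1000)))
    # nth=2,1 followed by a catch-all rule: a clean 50/50 split.
    print("nth=2,1 + catch-all:", dict(apply_srcnat(nth_chain(["192.168.1.1", "192.168.1.4"]), 1000)))
    # Three addresses: nth=3,1 / nth=2,1 / catch-all.
    print("three addresses:", dict(apply_srcnat(nth_chain(["a", "b", "c"]), 999)))
```

The first run reproduces the failure mode called out above: 500 connections on the first address, 250 on the second, and 250 that matched neither rule, which in a real chain means 25% of connections leaving untranslated. The chain from nth_chain gives exactly equal shares and never leaves the None bucket populated.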

Load balance NAT over Multiple WAN interfaces, each with one IP address:

In cases where multiple WAN interfaces exist, each with a single public IP, load balancing NAT is very easy: create a srcnat rule per WAN interface and specify the out-interface. With proper routing in place, e.g. ECMP or policy-based routing using mangle and routing marks, RouterOS matches connections leaving each interface to the correct address.

ip/firewall/nat/add chain=srcnat out-interface=<WAN 1> action=src-nat to-addresses=192.168.1.1
ip/firewall/nat/add chain=srcnat out-interface=<WAN 2> action=src-nat to-addresses=192.168.1.2
