From 77b9ce6ab0fee17e0b0d066b2285f3302ca414cf Mon Sep 17 00:00:00 2001
From: Marek Isalski
Date: Sun, 26 Jun 2022 18:49:35 +0100
Subject: [PATCH] add CGNAT IPs

---
 .../routeros-v7-aggregation-router/firewall.j2 | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)

diff --git a/includes/routeros-v7-aggregation-router/firewall.j2 b/includes/routeros-v7-aggregation-router/firewall.j2
index 63eb0af..d9b2592 100644
--- a/includes/routeros-v7-aggregation-router/firewall.j2
+++ b/includes/routeros-v7-aggregation-router/firewall.j2
@@ -59,11 +59,24 @@ add action=accept chain=input comment="allow BGP on uplinks and linknets" dst-po
 add action=accept chain=input comment="allow ICMP" protocol=icmp
 add action=accept chain=input comment="allow UDP traceroute" port=33434-33534 protocol=udp
 add action=drop chain=input comment="protect router's control plane"
+
+{%- set nat_source_ips = [] %}
+{%- for interface in device_interfaces %}
+ {%- if interface.name in ('loopback',) %}
+ {%- for address in interface|get_addresses %}
+ {%- if address|ipv4 %}
+ {%- do nat_source_ips.append(address.address.split("/")[0]) %}
+ {%- endif %}
+ {%- endfor %}
+ {%- endif %}
+{%- endfor %}
+
 /ip firewall nat
 add action=return chain=srcnat src-address-list=public-addresses
 add action=return chain=srcnat dst-address-list=no-cgnat-to
-add action=same chain=srcnat out-interface-list=uplink same-not-by-dst=yes src-address-list=customer-private to-addresses=185.66.206.1-185.66.206.3
-add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private
+{%- for nat_source_ip in nat_source_ips|sort %}
+add action=src-nat chain=srcnat out-interface-list=uplink per-connection-classifier=src-address:{{ nat_source_ips|length }}/{{ loop.index0 }} src-address-list=customer-private to-addresses={{ nat_source_ip }} comment="CGNAT"
+{%- endfor %}
 add chain=dstnat comment="redirect NTP to local NTP server for provisioning" dst-port=123 protocol=udp src-address-list=provisioning to-addresses=127.0.0.1
 
 /ipv6 firewall filter
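Review bot: The new srcnat block has no fallback when `nat_source_ips` is empty: if no interface is named exactly `loopback`, or it carries no IPv4 address, the `{%- for nat_source_ip in nat_source_ips|sort %}` loop emits nothing and the template renders with no CGNAT rule at all, whereas the removed `action=masquerade` line always translated `customer-private` sources leaving the uplink. Consider adding after `{%- endfor %}` either a render-time failure or a guarded fallback, e.g. `{%- if not nat_source_ips %}` / `add action=masquerade chain=srcnat out-interface-list=uplink src-address-list=customer-private comment="CGNAT fallback: no loopback IPv4 found"` / `{%- endif %}`. Note also that every IPv4 address on `loopback` is enrolled into the pool, so if that interface also holds a router-id or management address it will presumably become a CGNAT source as well; if that is not intended, select the pool addresses explicitly rather than by interface name. The `{%- do %}` statement additionally requires the `jinja2.ext.do` extension in the rendering environment, which a short comment such as `{# requires jinja2.ext.do #}` above the `set` line would make visible to the next reader.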