
Extra Note on PPPoE

- Create a single CGNAT pool per BNG; it can then serve any number of PPPoE servers on any number of interfaces:

    /ip pool
    add name=CGNAT_Pool comment="100.64.0.0-9 is reserved for each PPPoE Server Gateway/Profile" ranges=100.64.0.10-100.127.255.255

  - Here we reserve 100.64.0.0-9 for gateway IPs on a per-interface/PPPoE-server basis, assuming we only have 10 VLANs/interfaces.
  - Reserve as per your local requirements.
- Local Address in the PPP profile = gateway IP address
  - One common mistake is using the router's public IP from the WAN interface as the local address, which I've seen lead to issues like traceroute failures or strange packet loss; you should use an address that does not exist under IP>Address.
  - Each PPPoE server needs a unique profile/gateway in order to allow inter-VLAN communication between CPEs (which is needed to let two customers behind a NATted IP on different VLANs play a P2P Xbox game with each other) and also ensures a clean network design.
    - If you have 100 PPPoE servers, there should be 100 unique PPP profiles, each with its own unique local address.
  - Something like this for two servers:

    /ppp profile
    add change-tcp-mss=yes local-address=100.64.0.1 name=profile1 remote-address=CGNAT_Pool use-upnp=no
    add change-tcp-mss=yes local-address=100.64.0.2 name=profile2 remote-address=CGNAT_Pool use-upnp=no
    /interface pppoe-server server
    add authentication=pap default-profile=profile1 interface=vlan20 keepalive-timeout=disabled max-mru=1500 max-mtu=1500 one-session-per-host=yes service-name=server1
    add authentication=pap default-profile=profile2 disabled=no interface=vlan21 keepalive-timeout=disabled max-mru=1500 max-mtu=1500 one-session-per-host=yes service-name=server2
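
To scale the two-server configuration above to every VLAN on a BNG, the following RouterOS script is an added example (not from the original notes): it creates one PPP profile and one PPPoE server per VLAN, each with its own gateway address from the reserved 100.64.0.0-9 block, defines the cgnat_subnets and not_in_internet address lists the CGNAT rules reference, and then checks that no two servers share a gateway. It assumes interfaces vlan20 through vlan28 already exist, that the interface list WAN already exists, and that the not_in_internet members are the RFC 1918 ranges plus the CGNAT space itself (extend the list to suit your site).

```routeros
# Added example, not from the original notes. Assumes vlan20..vlan28 exist and that
# the interface list "WAN" used by the srcnat rule already exists.

# One pool per BNG; 100.64.0.0-9 is kept out of the pool for per-server gateways.
/ip pool add name=CGNAT_Pool ranges=100.64.0.10-100.127.255.255 comment="100.64.0.0-9 reserved for PPPoE server gateways"

# Address lists used by the CGNAT netmap rule.
# cgnat_subnets   = sources that get NATted (the 100.64.0.0/10 CGNAT space)
# not_in_internet = destinations that must never be NATted towards the WAN, so
#                   customer-to-customer traffic keeps its CGNAT addresses
/ip firewall address-list add list=cgnat_subnets address=100.64.0.0/10
/ip firewall address-list add list=not_in_internet address=100.64.0.0/10 comment="CGNAT space (assumed member)"
/ip firewall address-list add list=not_in_internet address=10.0.0.0/8 comment="RFC 1918 (assumed member)"
/ip firewall address-list add list=not_in_internet address=172.16.0.0/12 comment="RFC 1918 (assumed member)"
/ip firewall address-list add list=not_in_internet address=192.168.0.0/16 comment="RFC 1918 (assumed member)"

# One profile plus one PPPoE server per VLAN. Server n sits on vlan(19+n) and uses
# gateway 100.64.0.n, so every server gets a unique local address (.0 stays unused).
:for n from=1 to=9 do={
    :local vid (19 + $n)
    /ppp profile add name="profile$n" local-address="100.64.0.$n" remote-address=CGNAT_Pool change-tcp-mss=yes use-upnp=no
    /interface pppoe-server server add service-name="server$n" interface="vlan$vid" default-profile="profile$n" authentication=pap one-session-per-host=yes max-mru=1500 max-mtu=1500 keepalive-timeout=disabled disabled=no
}

# Sanity check: abort if two PPPoE servers resolve to the same gateway address,
# which would break the per-server profile rule from the notes above.
:local seen ""
:foreach s in=[/interface pppoe-server server find] do={
    :local prof [/interface pppoe-server server get $s default-profile]
    :local gw [/ppp profile get [/ppp profile find name=$prof] local-address]
    :if ([:typeof [:find $seen "$gw,"]] != "nil") do={
        :error "gateway $gw is shared by more than one PPPoE server"
    }
    :set seen ($seen . "$gw,")
}
```
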
CGNAT

Issues

- The majority of ISPs use RFC 1918 subnets for CGNAT, which can clash with subnets on the customer site.
- Breaks P2P traffic.
- Kills the end-to-end principle.
- Requires proper NAT traversal for various protocols, including IPsec.
- Routing loops will occur for any traffic coming from the outside destined towards the public IP pools.

Solutions

- Use the 100.64.0.0/10 subnet, as it is meant for CGNAT usage, to prevent clashes on the customer site.
- Enable the NAT traversal helpers on the router, like the following, under IP>Firewall>Service Ports:

Figure-11 (NAT Traversal Helpers on RouterOS)

- Use a simple netmap rule with IPsec passthrough configured (this allows customers to initiate IPsec outbound without issues).
- Use a single NAT rule for all CGNAT customers per BNG to reduce CPU usage:

    /ip firewall nat add action=netmap chain=srcnat comment="CGNAT rule" dst-address-list=!not_in_internet ipsec-policy=out,none out-interface-list=WAN src-address-list=cgnat_subnets to-addresses=103.176.189.0/25

  - Here cgnat_subnets is an address list containing the CGNAT subnets, i.e. 100.64.0.0/10.
  - dst-address-list=!not_in_internet is self-explanatory: anything destined towards private subnets shouldn't be NATted towards the WAN.
    - Customers should be able to talk to each other using their CGNAT IPs; Xbox makes use of this, and it is mentioned in RFC 7021. This is (sort of) equivalent to the old-school days of everyone having a public IP and hence being reachable.
  - Enable port forwarding for entire ranges (the netmap algorithm plus state tracking will handle what gets mapped where):

    /ip firewall nat
    add action=netmap chain=dstnat comment="Port Forwarding Solution for CGNAT (TCP)" dst-address=103.176.189.0/25 dst-port=1024-65535 protocol=tcp to-addresses=100.64.0.0/10
    add action=netmap chain=dstnat comment="Port Forwarding Solution for CGNAT (UDP)" dst-address=103.176.189.0/25 dst-port=1024-65535 protocol=udp to-addresses=100.64.0.0/10
