If the subscriber has only one private address and you want to give him a specific public address, you need to take into consideration the dependance between private and public addresses caused by the non-blocking address dispatching algorithm in the DPI.

subscriber_public_address & mask = subscriber_private_address & mask

here, mask depends on the number of worker threads:

• for 4 worker threads mask=3 (typically for Stingray SG >= 10)
• for 2 worker threads mask=1 (typically for Stingray SG <= 6)

In fact, for newer SSG versions, subscribers with even private addresses need to be given even public addresses, and odd ones - odd ones. It is enough to take into account only the lower byte NNN in the IP-address XXX.YYY.ZZZ.NNN

Accordingly, for older versions, the equality of the 2 least significant bits of the IP address must be taken into account.

With one worker thread, the dependency between addresses disappears.

You can view the exact mask value in the DPI log:

grep nat_hash_mask /var/log/dpi/fastdpi_alert.log

If the start was a long time ago, then reload

service fastdpi reload

Example for SSG-20: We need to allocate a public address 188.99.99.27 to a subscriber with a private address 10.0.0.15
mask=3
15&3=3 equals 27&3=3 - this means that such an address can be issued (otherwise it would be necessary to change either the private address given to the subscriber, or the public one assigned to him)

Assign the address to the subscriber with the command:

fdpi_ctrl load profile --ip 10.0.0.15 --service 11 --profile.json '{ "nat_ip_pool" : "188.99.99.27/32", "nat_type" : 1 }'