1:1 NAT (netmap)

Hello,
I have a problem with 1:1 NAT in a hotspot environment: once a user is authenticated by the hotspot, they receive a private IP address that will be (1:1) NATted to a public IP range.
As described in the manual, http://www.mikrotik.com/docs/ros/2.9/ip/nat, I’ve specified my public and private networks, but the NAT rules don’t work.
Are there any other configuration details to look at?

Regards

What NAT rules have you configured?

I suppose you may use ‘ip-binding’ for static one-to-one IP bindings (for HotSpot users).

I’m using MK with RADIUS (users’ data stored in MySQL) authentication for hotspot users, so it is not possible to use IP binding.
Public IP subnet is 81.174.17.32/27. Actually hotspot users receive a public IP address in the subnet 81.174.17.32/27, but this is a waste of public IPs because unauthenticated users (hosts in the WinBox interface) also get such an IP. It is possible to avoid this by giving a private IP address to hotspot users (e.g. 192.168.20.0/24) and doing 1:1 NAT after authentication. In this way users are traced as well, because of the logs:

username ↔ private IP address ↔ public IP address

In such a scenario, I’ve configured the following NAT rules:

0 chain=srcnat src-address=192.168.20.100-192.168.20.200 action=netmap
to-addresses=81.174.17.35-81.174.17.62 to-ports=0-65535

1 chain=dsnat dst-address=81.174.17.35-81.174.17.62 action=netmap
to-addresses=192.168.20.100-192.168.20.200 to-ports=0-65535

Regards

For netmap, the address ranges for the original and the translated addresses must be of the same size, i.e. you can 1:1 map 100 private addresses to 100 public addresses, but you cannot 1:1 map 100 private addresses to fewer than 100 public addresses, which is what you’re trying to do.

If one range is smaller than the other, how could the address mapping be 1:1?

–Tom
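
The size check described in the reply above, as an added example (not part of the original thread and not RouterOS code). It counts the addresses in the two ranges quoted in the posted rules and pairs addresses by position; that positional pairing is an assumption used to illustrate what 1:1 means, and all function names are hypothetical.

```python
import ipaddress

def parse_range(text):
    """Parse 'a.b.c.d-e.f.g.h' into (first, last) IPv4Address objects."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if last < first:
        raise ValueError(f"range ends before it starts: {text}")
    return first, last

def range_size(rng):
    first, last = rng
    return int(last) - int(first) + 1

def check_netmap(src_range, to_range):
    """Return (ok, src_count, to_count); ok is True only when the sizes match."""
    n_src = range_size(parse_range(src_range))
    n_dst = range_size(parse_range(to_range))
    return n_src == n_dst, n_src, n_dst

def shrink_to_fit(src_range, to_range):
    """Largest source range, from the same start, that the target can cover 1:1."""
    s_first, s_last = parse_range(src_range)
    n = min(range_size((s_first, s_last)), range_size(parse_range(to_range)))
    return f"{s_first}-{s_first + (n - 1)}"

def translate(addr, src_range, to_range):
    """Positional pairing (assumption): offset in source == offset in target."""
    if not check_netmap(src_range, to_range)[0]:
        raise ValueError("ranges differ in size; no 1:1 mapping exists")
    (s_first, s_last), (d_first, _) = parse_range(src_range), parse_range(to_range)
    ip = ipaddress.IPv4Address(addr)
    if not s_first <= ip <= s_last:
        raise ValueError(f"{addr} is outside {src_range}")
    return str(d_first + (int(ip) - int(s_first)))

# Ranges quoted in the thread's NAT rules.
PRIVATE = "192.168.20.100-192.168.20.200"
PUBLIC = "81.174.17.35-81.174.17.62"

if __name__ == "__main__":
    print(check_netmap(PRIVATE, PUBLIC))        # sizes of the posted ranges
    fitted = shrink_to_fit(PRIVATE, PUBLIC)     # private range the public one can cover
    print(fitted, check_netmap(fitted, PUBLIC))
    # Forward (srcnat direction) and reverse (log attribution) lookups.
    print(translate("192.168.20.110", fitted, PUBLIC))
    print(translate("81.174.17.45", PUBLIC, fitted))
```

With equal-sized ranges the reverse lookup is unambiguous, which is what the username ↔ private IP ↔ public IP log correlation mentioned earlier in the thread depends on.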

Hey Diceman, did using same-size IP address ranges fix this problem?

Thanks!
Alessio