I'm trying to create 1:1 NATs to hide network addresses.
My test lab (esx5) has a number of virtual v5.16 x86 routers to test the whole layout before deployment.
2 NICs, where 172.254.1.1 is the WAN interface:
/ip address
add address=172.254.1.1/24 disabled=no interface=ether2 network=172.254.1.0
add address=10.10.10.12/24 disabled=no interface=ether5 network=10.10.10.0
I want to NAT 10 addresses 172.254.1.xx to 10.10.10.xx, where xx is between 10 and 20.
This doesn't seem to work.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.254.1.20 \
to-addresses=10.10.10.20
add action=src-nat chain=srcnat disabled=no src-address=10.10.10.20 \
to-addresses=172.254.1.20
I can ping 172.254.1.20 from the 10.10.10 subnet, but not from the WAN.
But if I use a different subnet (not the same as the WAN) it does work as expected.
e.g.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.254.2.20 \
to-addresses=10.10.10.20
add action=src-nat chain=srcnat disabled=no src-address=10.10.10.20 \
to-addresses=172.254.2.20
Adding the addresses (e.g. 172.254.1.20) as secondary addresses to ether2 resolves the issue.
Searching the forum, I found several mentions that it is not necessary to add the addresses to the WAN interface.
What am I doing wrong?
Mark.
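
The workaround described in the post, written as a RouterOS script loop over xx = 10 to 20 (an added example, not part of the original post; it assumes the interface names and subnets shown above, and the variable names are illustrative). Because the translated addresses sit inside the WAN subnet itself, neighbours on that segment ARP for them directly, so the router has to own each address on ether2 before the dst-nat rule ever sees a packet.

```routeros
# Added example: 1:1 NAT for 172.254.1.10-20 <-> 10.10.10.10-20.
# Assumes ether2 is the WAN interface and the subnets from the post.
:for i from=10 to=20 do={
    :local pub ("172.254.1." . $i)
    :local priv ("10.10.10." . $i)
    # Own the public address on the WAN interface so the router answers ARP for it.
    /ip address add address=($pub . "/24") network=172.254.1.0 interface=ether2 disabled=no
    # Inbound: translate the public address to the internal host.
    /ip firewall nat add chain=dstnat action=dst-nat dst-address=$pub to-addresses=$priv disabled=no
    # Outbound: present the internal host under its public address.
    /ip firewall nat add chain=srcnat action=src-nat src-address=$priv to-addresses=$pub disabled=no
}
```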