I'm trying to create 1:1 nat's to hide network addresses.

My test lab (esx5) has a number of virtual v5.16 x86 routers to test the whole layout before deployment.

2 nic's where 172.254.1.1 is the WAN interface
add address=172.254.1.1/24 disabled=no interface=ether2 network=172.254.1.0
add address=10.10.10.12/24 disabled=no interface=ether5 network=10.10.10.0

I want to nat 10 addresses 172.254.1.xx to .10.10.10.xx where xx is between 10 and 20.


This doesn't seem to work.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.254.1.20 \
to-addresses=10.10.10.20
add action=src-nat chain=srcnat disabled=no src-address=10.10.10.20 \
to-addresses=172.254.1.20

I can ping 172.254.1.20 from the 10.10.10 subnet, but not from the WAN.

But if I use a different subnet (not the same as the WAN) it does work as expected.
e.g.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=172.254.2.20 \
to-addresses=10.10.10.20
add action=src-nat chain=srcnat disabled=no src-address=10.10.10.20 \
to-addresses=172.254.2.20


Adding the addresses (e.g. 172.254.1.20) as secondary addresses to ether2 resolves the issue.

searching the forum, I found several mentions that it is not necessary to add the addresses to the WAN interface.

What am I doing wrong ?

Mark.

You do need to add the addresses to the WAN interface if they are in the subnet otherwise the RB won't arp for those addresses.

You don't need to add addresses for other subnets if they are routed to the WAN address, as routing directs the packet to the WAN address first.

Hope that makes sense

Nick.

Thanks Nick, that explains it nicely.

Mark