I’m having problems with 1:1 NAT, where some rules always work, and some don’t always.
This happens on a few different RB models and ROS versions about 10% of the time.
Nothing complicated: hide a local address behind a WAN address.
No firewall rules, tracking is auto.
/ip address
add address=172.20.202.9/29 interface=ether4-SW1 network=172.20.202.8
add address=10.32.56.2/24 interface=WAN network=10.32.56.0
add address=10.32.56.10/24 interface=WAN network=10.32.56.0
add address=10.32.56.11/24 interface=WAN network=10.32.56.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.32.56.10 to-addresses=172.20.202.10
add action=src-nat chain=srcnat src-address=172.20.202.10 to-addresses=10.32.56.10
add action=dst-nat chain=dstnat dst-address=10.32.56.11 to-addresses=172.20.202.11
add action=src-nat chain=srcnat src-address=172.20.202.11 to-addresses=10.32.56.11
10.32.56.10 works, 10.32.56.11 doesn’t.
Some rules have more than 10 similar.
All the problem ones have two, and usually one works and the other doesn’t.
Sometimes the failing one will have worked, and then after making unrelated changes, it stops.
Reboots don’t fix it.
NAT rule counter increments with a ping.
Torch shows even packets on the 172.20.202 interface, so traffic is heading back from the destination, but doesn’t reach the WAN interface.
There is a switch configured on the target address interface.
Also, the target is an IBM server with a shared IMM and Network cable, with separate mac addresses.
Can anyone offer some bright ideas?
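As an added example (not from the post or from MikroTik), the check below parses a RouterOS export like the one above and verifies that every 1:1 pair is internally consistent: each dst-nat has a mirror src-nat, each public address is actually configured under /ip address, and no public address is matched by more than one dst-nat rule (a later rule is silently shadowed by the first). The sample export is the configuration quoted in the post; the regex-based parser and the finding strings are this example's own.

```python
"""Consistency check for RouterOS 1:1 NAT rule pairs (added example)."""
import re
from collections import Counter

# Constructed sample: the /ip address and /ip firewall nat export quoted in the post.
EXPORT = """
/ip address
add address=172.20.202.9/29 interface=ether4-SW1 network=172.20.202.8
add address=10.32.56.2/24 interface=WAN network=10.32.56.0
add address=10.32.56.10/24 interface=WAN network=10.32.56.0
add address=10.32.56.11/24 interface=WAN network=10.32.56.0
/ip firewall nat
add action=dst-nat chain=dstnat dst-address=10.32.56.10 to-addresses=172.20.202.10
add action=src-nat chain=srcnat src-address=172.20.202.10 to-addresses=10.32.56.10
add action=dst-nat chain=dstnat dst-address=10.32.56.11 to-addresses=172.20.202.11
add action=src-nat chain=srcnat src-address=172.20.202.11 to-addresses=10.32.56.11
"""

def parse_export(text):
    """Group 'add key=value ...' lines under their '/menu path' heading."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current is not None:
            sections[current].append(dict(re.findall(r"(\S+?)=(\S+)", line[4:])))
    return sections

def check_one_to_one(text):
    """Return a list of findings; an empty list means every 1:1 pair is consistent."""
    sec = parse_export(text)
    router_ips = {a["address"].split("/")[0] for a in sec.get("/ip address", [])}
    nat = sec.get("/ip firewall nat", [])
    dst = [(r["dst-address"], r["to-addresses"]) for r in nat
           if r.get("action") == "dst-nat" and r.get("chain") == "dstnat"]
    src = [(r["src-address"], r["to-addresses"]) for r in nat
           if r.get("action") == "src-nat" and r.get("chain") == "srcnat"]
    findings = []
    # Two dst-nat rules on one public address: only the first ever matches.
    for pub, n in Counter(p for p, _ in dst).items():
        if n > 1:
            findings.append(f"{pub}: {n} dst-nat rules, later ones are shadowed")
    for pub, priv in dst:
        if (priv, pub) not in src:
            findings.append(f"{pub}->{priv}: no src-nat mapping {priv} back to {pub}")
        if pub not in router_ips:
            findings.append(f"{pub}: not configured under /ip address")
    for priv, pub in src:
        if (pub, priv) not in dst:
            findings.append(f"{priv}->{pub}: src-nat without a matching dst-nat")
    return findings

if __name__ == "__main__":
    for f in check_one_to_one(EXPORT) or ["all 1:1 pairs consistent"]:
        print(f)
```

Run against the quoted export it reports no findings, which confirms the rule set itself is symmetric and points the investigation elsewhere (the post's Torch observation of return traffic on 172.20.202 that never reaches WAN).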