Tried to setup netmapping in RB1000 running v.4.8
Firewall Nat: public = yy.yy.yy.yyy/24 while local = xx.xx.xx.xxx/24
/ip firewall nat add chain=dstnat dst-address=yy.yy.yy.yyy/24 action=netmap to-addresses=xx.xx.xx.xxx/24
/ip firewall nat add chain=srcnat src-address=xx.xx.xx.xxx/24 action=netmap to-addresses=yy.yy.yy.yyy/24
It is not working. I see in torch on the public interface traffic coming back with some different IP numbers belonging to public net. So translation outgoing is made. But on incoming something must go wrong. Browsing is not taking place…
Same router works fine when src-nat with action masquerade is set at public interface.
Test PC is three routers away from this routerboard. But default route in PC and next routers is OK (or no browsing with masq. in gateway would be possible) while route back from rb1000 to PC network is working too.
Only complication is that apart from this netmapping in the NAT table I have some other local networks performing masquerade process. But these rules come behind (lower) than the netmapping rules and should therefore not have implications?
Second Question:
If netmapping works, is the translation supposed to be 1:1 and fixed? So a local address with IP xx.xx.xx.1 always get public IP xx.xx.xx.1? And .2 get .2, .3 get .3 etc. etc.? Or is translation taking place at random?
But .2 actually belongs to public interface of router.
On local side interface has .1 but any other device can have .2 as last digit.
How is this managed? Or do I have to setup network such that all digits knocking at local interface always have address ending with different digit and also not the same as existing fixed end digits on public side?
I have presently several different networks all knocking at same local door where now masquerade takes care of translation. Do I now first have to arrange all these addresses coming in from same network and make each last digit unique?
Is my conclusion now right that netmapping (and also “same”) would only work when on both ends of firewall only one same size network is present?
So combination of both netmapping and src nat or masquerade is not possible?
I have several remote networks that all have their own network with even different subnets. Clients knock at local door with different network/subnet range IPs. How to change that?
Bridging whole network to create one network for all clients is impossible due to size, amount of remote routers and remote networks and thus lack of addresses. (If I have to 'cut' the /24 network into /29 subnets I have enough networks (32) but not enough IPs (180) any more. /28 does not give enough networks any more.)
Bridging also slows the network down too much due to the broadcasts, and troubleshooting becomes very complicated.
Do I have to set up some sort of tunnels to clients so they all have their tunnels ending in this router where authentication server can take care of IP assignment (all within same subnet)?
What tunnels are preferred? Too many options in ROS; VPLS, EoIP, IPIP, L2TP, PPPoE, PPTP, VLAN.
Any advice? (Only fixed located clients that can always be 'on'.)
Some help is appreciated.
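Added example (not from the original post and not MikroTik code): a small Python model of the two things the post asks about, 1:1 netmap and first-match rule order in the srcnat chain. It assumes netmap keeps the host part of the address and swaps the network part between two equal-sized ranges, and that rules are evaluated top to bottom with the first match winning. All addresses are constructed documentation/private ranges, not the poster's real networks; the ".2" on the public interface stands in for the router's own address the post mentions.

```python
import ipaddress

# Constructed sample values (RFC 5737 / RFC 1918 ranges), not the poster's real addresses.
LOCAL_NET = "10.10.10.0/24"          # "local = xx.xx.xx.xxx/24" in the post
PUBLIC_NET = "198.51.100.0/24"       # "public = yy.yy.yy.yyy/24" in the post
ROUTER_PUBLIC_IP = "198.51.100.2"    # the ".2" held by the router's public interface
OTHER_LOCAL_NET = "10.20.0.0/24"     # a second local network that is only masqueraded


def netmap(addr, match_net, to_net):
    """1:1 translation: keep the host offset, replace the network part.

    Returns None when addr is outside match_net (rule does not match).
    Both ranges must be the same size, otherwise the mapping is not 1:1.
    """
    m = ipaddress.ip_network(match_net, strict=False)
    t = ipaddress.ip_network(to_net, strict=False)
    if m.prefixlen != t.prefixlen:
        raise ValueError("netmap needs equal-sized address ranges")
    a = ipaddress.ip_address(addr)
    if a not in m:
        return None
    offset = int(a) - int(m.network_address)
    return str(t.network_address + offset)


# Simplified model of the poster's srcnat chain: the netmap rule sits above the
# masquerade rule for the other local network, exactly as described in the post.
SRCNAT_RULES = [
    {"src": LOCAL_NET, "action": "netmap", "to": PUBLIC_NET},
    {"src": OTHER_LOCAL_NET, "action": "masquerade"},
]


def apply_srcnat(src_ip, rules=SRCNAT_RULES, out_if_ip=ROUTER_PUBLIC_IP):
    """Walk the chain top to bottom; the first matching rule decides the new source."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in ipaddress.ip_network(rule["src"], strict=False):
            if rule["action"] == "netmap":
                return ("netmap", netmap(src_ip, rule["src"], rule["to"]))
            if rule["action"] == "masquerade":
                # masquerade rewrites to the address of the outgoing interface
                return ("masquerade", out_if_ip)
    return ("none", src_ip)


def round_trip(local_ip):
    """srcnat outbound then dstnat inbound must land on the same local host."""
    public = netmap(local_ip, LOCAL_NET, PUBLIC_NET)
    return netmap(public, PUBLIC_NET, LOCAL_NET)


def netmap_collisions(local_net, public_net, router_public_ips):
    """Local hosts whose mapped public address is one the router itself uses.

    Such a host would share its public address with the router, so its return
    traffic and the router's own traffic become ambiguous.
    """
    taken = {ipaddress.ip_address(ip) for ip in router_public_ips}
    hits = []
    for host in ipaddress.ip_network(local_net, strict=False).hosts():
        mapped = ipaddress.ip_address(netmap(str(host), local_net, public_net))
        if mapped in taken:
            hits.append(str(host))
    return hits


if __name__ == "__main__":
    print("10.10.10.7 outbound ->", apply_srcnat("10.10.10.7"))
    print("10.20.0.5  outbound ->", apply_srcnat("10.20.0.5"))
    print("round trip of 10.10.10.7 ->", round_trip("10.10.10.7"))
    print("local hosts colliding with router address:",
          netmap_collisions(LOCAL_NET, PUBLIC_NET, [ROUTER_PUBLIC_IP]))
```

The model shows the mapping is fixed, not random: .7 always becomes .7, and the srcnat/dstnat pair returns to the same local host. It also shows why a host ending in .2 is a problem when the router's public interface already holds .2, and why the lower masquerade rule only sees traffic that the netmap rule did not match.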