Split client subnets to 5 public IPs

Hi everybody,
I have 700 clients in 5 subnets
and 5 public IPs on the same gateway.
How can I make every private subnet go out on a different public IP?
Example:
172.16.1.x/24 >>>>>> 100.200.300.1
172.16.2.x/24 >>>>>> 100.200.300.2
172.16.3.x/24 >>>>>> 100.200.300.3
172.16.4.x/24 >>>>>> 100.200.300.4
172.16.5.x/24 >>>>>> 100.200.300.5
The gateway for all is 100.200.300.10

Thank you

Instead of the default action=masquerade, which picks an address (only one) automatically, use action=src-nat and enter the specific address you want to use. Repeat five times with different src-address=172.16.x.0/24 conditions.

Sob, thank you, man.
These are the correct rules:
/ip firewall nat
add action=src-nat chain=srcnat src-address=172.16.1.0/24 to-addresses=10.20.30.1
add action=src-nat chain=srcnat src-address=172.16.2.0/24 to-addresses=10.20.30.2
add action=src-nat chain=srcnat src-address=172.16.3.0/24 to-addresses=10.20.30.3
add action=src-nat chain=srcnat src-address=172.16.4.0/24 to-addresses=10.20.30.4
add action=src-nat chain=srcnat src-address=172.16.5.0/24 to-addresses=10.20.30.5

My old rules were:
/ip firewall nat
add action=src-nat chain=srcnat src-address=172.16.1.0/24 to-addresses=10.20.30.1
add action=src-nat chain=srcnat src-address=172.16.2.0/24 to-addresses=10.20.30.2
add action=src-nat chain=srcnat src-address=172.16.3.0/24 to-addresses=10.20.30.3
add action=src-nat chain=srcnat src-address=172.16.4.0/24 to-addresses=10.20.30.4
add action=src-nat chain=srcnat src-address=172.16.5.0/24 to-addresses=10.20.30.5
add action=masquerade chain=srcnat
I'm stupid :confused: :laughing:
Thank you, man, for this help.

But where’s the difference? Sure, you had masquerade rule, but at the end, so it would only catch connections not caught by other srcnat rules before it.

srcnat rules do not terminate processing, so when there is a masquerade at the end it will always win.

Someone wrote that to me before, so I thought “oops, stupid me”, but then I tested it and it worked like I thought before. I tried it again now:

/ip address
add address=10.100.222.2/24 interface=test2 network=10.100.222.0
add address=10.100.222.3/24 interface=test2 network=10.100.222.0
add address=10.100.222.4/24 interface=test2 network=10.100.222.0
/ip firewall nat
add action=src-nat chain=srcnat log=yes out-interface=test2 to-addresses=10.100.222.3
add action=masquerade chain=srcnat log=yes out-interface=test2
/ip firewall mangle
add action=log chain=postrouting out-interface=test2

This is with src-nat rule disabled, to test masquerade:

14:31:43 firewall,info postrouting: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (SYN), 192.168.80.180:45097->159.148.147.201:80, len 60
14:31:43 firewall,info srcnat: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (SYN), 192.168.80.180:45097->159.148.147.201:80, len 60
14:31:43 firewall,info postrouting: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (ACK), 192.168.80.180:45097->159.148.147.201:80, NAT (192.168.80.180:45097->10.100.222.2:45097)->159.148.147.201:80, len 52

And now the real thing with both src-nat and masquerade enabled:

14:33:05 firewall,info postrouting: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (SYN), 192.168.80.180:45105->159.148.147.201:80, len 60
14:33:05 firewall,info srcnat: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (SYN), 192.168.80.180:45105->159.148.147.201:80, len 60
14:33:05 firewall,info postrouting: in:(none) out:test2, src-mac 00:0c:29:d6:66:05, proto TCP (ACK), 192.168.80.180:45105->159.148.147.201:80, NAT (192.168.80.180:45105->10.100.222.3:45105)->159.148.147.201:80, len 52

It uses the correct address and the counter for masquerade does not increment. You say that the masquerade rule should win, OP claims that removing it helped, plus another one from before, … but not here. Any ideas?
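The same check the last post does by eye can be run over a whole log: the following is an added example, not part of the thread, that reads postrouting log lines in the format shown above and reports every connection whose translated source address differs from the subnet-to-address mapping in the posted src-nat rules. It assumes a postrouting log rule like the one in the test setup; the interface names `lan`/`wan` and the sample lines are constructed.

```python
import ipaddress
import re

# Expected mapping, taken from the src-nat rules posted in the thread.
EXPECTED = {
    ipaddress.ip_network(f"172.16.{n}.0/24"): ipaddress.ip_address(f"10.20.30.{n}")
    for n in range(1, 6)
}

# "NAT (src:port->translated:port)->dst:port" field of a firewall log line.
NAT_RE = re.compile(
    r"NAT \((?P<src>[\d.]+):\d+->(?P<xlat>[\d.]+):\d+\)->(?P<dst>[\d.]+):\d+"
)

def audit(lines):
    """Return (source, translated, expected) for every mismatched connection."""
    mismatches = []
    for line in lines:
        m = NAT_RE.search(line)
        if not m:
            continue  # no NAT field on this line (e.g. the SYN lines above)
        src = ipaddress.ip_address(m["src"])
        xlat = ipaddress.ip_address(m["xlat"])
        expected = next((pub for net, pub in EXPECTED.items() if src in net), None)
        if expected is None:
            continue  # source is not in one of the five client subnets
        if xlat != expected:
            mismatches.append((str(src), str(xlat), str(expected)))
    return mismatches

# Constructed sample lines (not captured from a real router).
PREFIX = "firewall,info postrouting: in:lan out:wan, proto TCP"
SAMPLE = [
    f"14:40:01 {PREFIX} (SYN), 172.16.1.20:40001->203.0.113.7:80, len 60",
    f"14:40:01 {PREFIX} (ACK), 172.16.1.20:40001->203.0.113.7:80, "
    "NAT (172.16.1.20:40001->10.20.30.1:40001)->203.0.113.7:80, len 52",
    f"14:40:02 {PREFIX} (ACK), 172.16.3.44:40002->203.0.113.7:80, "
    "NAT (172.16.3.44:40002->10.20.30.3:40002)->203.0.113.7:80, len 52",
    f"14:40:03 {PREFIX} (ACK), 172.16.4.9:40003->203.0.113.7:80, "
    "NAT (172.16.4.9:40003->10.20.30.1:40003)->203.0.113.7:80, len 52",
    f"14:40:04 {PREFIX} (ACK), 192.168.80.180:40004->203.0.113.7:80, "
    "NAT (192.168.80.180:40004->10.20.30.2:40004)->203.0.113.7:80, len 52",
]

if __name__ == "__main__":
    for src, got, want in audit(SAMPLE):
        print(f"{src}: translated to {got}, expected {want}")
```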