It is just doing a simple NAT from a public IP address (/30) on the SFP port to an office of PCs. Standard config with DHCP server, firewall srcnat masquerade rule, etc.
They have an FTP server on the LAN side which has port 21 forwarded to it via a dst-nat rule.
The client reports that the FTP server sees all WAN traffic as originating from the router's LAN IP, e.g. 192.168.88.1, instead of the a.b.c.d public IP. He needs it to report the WAN IP as he has access lists, traffic policies per IP, etc.
Is there some trick, or something I have missed, that stops the WAN address being rewritten to 192.168.88.1 during a port forward?
Figured this out, but in case anyone in the future needs the solution:
If you omit either 'out-interface' or 'src-address' from your masquerade rule it causes the symptoms I describe. I suspect because the packet matches the masquerade rule both outbound (as expected) but also inbound due to the port redirect.
Either specifying an out-interface or putting the LAN (e.g. 192.168.88.0/24) in as the src-address fixes the issue.
I prefer the out interface method because if you ever change IP addressing of your LAN (or add more internal subnets) then you won’t need to remember to modify the firewall rules.
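The broken and the corrected rule sets side by side, as an added RouterOS example that is not from the original post. The interface names (sfp1 for the WAN /30, bridge-lan for the office LAN) and the FTP server address 192.168.88.10 are assumptions; the mechanism is that masquerade rewrites the source to the address of whichever interface the packet leaves on, so an unrestricted srcnat rule also catches the dst-natted inbound FTP packets, which leave on the LAN side and therefore pick up 192.168.88.1:

```routeros
# Assumptions for this example (not from the original post):
#   sfp1          = WAN interface carrying the public /30
#   bridge-lan    = LAN interface, router address 192.168.88.1/24
#   192.168.88.10 = FTP server on the LAN

# --- Rule set that produces the symptom ---
/ip firewall nat
# Port forward: WAN clients hitting tcp/21 on the public address go to the server.
add chain=dstnat in-interface=sfp1 protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=21 \
    comment="forward FTP control port to LAN server"
# Unrestricted masquerade: every forwarded packet matches, including the
# dst-natted inbound FTP packets. Those leave via bridge-lan, so their source
# becomes 192.168.88.1 and the FTP server never sees the real client address.
add chain=srcnat action=masquerade \
    comment="BROKEN: no out-interface and no src-address"

# --- Corrected rule set (the post's preferred fix: match on out-interface) ---
/ip firewall nat
add chain=dstnat in-interface=sfp1 protocol=tcp dst-port=21 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=21 \
    comment="forward FTP control port to LAN server"
# Only packets actually leaving via the WAN get masqueraded; inbound
# port-forwarded packets leave via bridge-lan and no longer match.
add chain=srcnat out-interface=sfp1 action=masquerade \
    comment="masquerade only traffic leaving via WAN"

# --- Equivalent alternative: restrict by LAN source range instead ---
# Same effect, but this rule has to be edited whenever LAN subnets change.
# add chain=srcnat src-address=192.168.88.0/24 action=masquerade

# --- Check ---
# With a client connected from the WAN, the tracked tcp/21 connection should
# show the client's public address as src-address and 192.168.88.10:21 as
# reply-src-address. With the broken rule the reply side shows 192.168.88.1.
/ip firewall connection print detail where protocol=tcp
```

The two sections are alternatives, not meant to be loaded together; apply the corrected block in place of the broken one, or simply add out-interface=sfp1 to the existing masquerade rule with /ip firewall nat set.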