Thu Jul 29, 2021 10:05 am
Port forwarding is a dst-nat operation, which is performed before the packet enters the routing process. Source address change (a src-nat operation) takes place after the packet has been routed. Hence you need a separate action=src-nat rule in chain=srcnat of /ip firewall nat.
Maybe you need the action=src-nat rule to selectively treat only connections previously handled by that particular action=dst-nat rule, but while passing through the srcnat chain, the initial packets of these connections cannot be distinguished any more from those that have not been redirected by that action=dst-nat rule. If this is the case, you have to assign a connection-mark using a rule in chain=prerouting of /ip firewall mangle with the same set of match conditions you used in the action=dst-nat rule, and let the action=dst-nat and action=src-nat rules match on that connection-mark value. In the prerouting chain, mangle is placed even before dstnat.
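The mangle/dst-nat/src-nat arrangement described above, written out as an added example (not configuration from the post's author); interface names ether1 and bridge, the public port 8080, and the addresses 192.168.88.10 and 192.168.88.1 are assumed placeholders:

```routeros
# Assumed layout: WAN on ether1, LAN on bridge, router LAN address 192.168.88.1,
# internal web server 192.168.88.10:80 published on the WAN port 8080.

/ip firewall mangle
# Runs before dstnat, so the original destination port is still visible here.
# The mark is stored on the tracked connection and stays with all its packets.
add chain=prerouting in-interface=ether1 protocol=tcp dst-port=8080 \
    connection-state=new action=mark-connection new-connection-mark=fwd-web \
    passthrough=yes comment="mark connections destined for the published port"

/ip firewall nat
# Port forward: match on the connection-mark rather than repeating the conditions.
add chain=dstnat connection-mark=fwd-web action=dst-nat \
    to-addresses=192.168.88.10 to-ports=80 comment="forward to internal server"
# After routing: rewrite the source only for the marked (forwarded) connections,
# so the server's replies come back through the router and get un-NATed.
add chain=srcnat connection-mark=fwd-web out-interface=bridge action=src-nat \
    to-addresses=192.168.88.1 comment="source-translate forwarded connections only"
```

Check the result with `/ip firewall connection print where connection-mark=fwd-web`: each forwarded connection should show both the rewritten destination and the rewritten source, while unmarked connections leaving through the bridge keep their original source address.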