Did the last configuration meet your requests? I think it will not work because it's related to the private client IP, and that will not always work (in Italy, for example, that is a problem because of the privacy/interception law). Here is an example:
1) Think of a scenario where thousands of connections are happening per second (normal for a small/medium WISP, for example).
2) Given two users A and B, maybe (it's happening more often than expected), with some probability > 0, both of them will connect to facebook.com;
3) The MikroTik router has just one public IP and for that reason is using NAT/masquerade on the private client IPs;
4) Both users A and B arrive at the internal LAN interface with IPa (user A) and IPb (user B), and respectively with source ports Pa and Pb.
5) Now both of them are connecting to the destination site with IP IPd and port Pd.
6) There is a probability > 0 that the two source ports will be exactly the same port: Pa=Pb (and maybe a third user IPc, and maybe a fourth user with IPd ...).
7) How will the NAT algorithm work in that case? Well, one of the 2 (or the 10/20/30 ...) users will take a specific port as source port and the other a different one. So we will have a source-NATted IP/port for both users as:
IPa/Pa ----> IPpub/Pa';
IPb/Pb ----> IPpub/Pb';
and because Pa==Pb we can never have Pa'==Pb', because the reverse traffic could not be well defined!! So for sure Pa'!=Pb'.
8) The law representative will come and ask: "Listen, at time HH.MM.ss, who had IP address IPpub and port P as source when connecting to destination IPd with port Pd?"
9) We can answer the previous question by giving a list of possible "malicious users": both A and B, because we can't map Pb to one and only one of Pa' and Pb'. The inspector will not accept the previous answer because at that time just one customer was using that src IP/port, not more than one user.
10) In other countries, an answer with more than one item will result in fines and punishment. The law doesn't accept not being specific and exact; it wants a perfect answer, not a basket of possible candidates.
This scenario is creating some issues around the world, and the solution in my opinion was really straightforward: just permit a log action after src-nat rule matching (one more process-rule switch), or an additional extra switch to add an optional log item for the just-matched src-nat rule.
Thanks a lot for your attention,
and all of you, let me know what you think about it.
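The port-collision scenario from the post above, as an added illustration that is not part of the post and not RouterOS code: a toy masquerade table with one public IP shows that two clients using the same private source port toward the same destination receive different public ports, that a log of only untranslated addresses yields a list of candidates, and that a log containing the translated port yields exactly one user. All IPs, ports and the timestamp are constructed.

```python
from collections import namedtuple

# Constructed toy source-NAT (masquerade) table with a single public IP.
# Mapping holds what a post-NAT log entry would need to carry.
Mapping = namedtuple("Mapping", "ts src_ip src_port dst_ip dst_port pub_port")

class SourceNat:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.in_use = set()   # (pub_port, dst_ip, dst_port) reply tuples already allocated
        self.log = []         # every translation performed

    def translate(self, ts, src_ip, src_port, dst_ip, dst_port):
        # Keep the client's port when possible; otherwise take the next free one,
        # because the reply tuple (pub_ip, pub_port, dst_ip, dst_port) must stay unique.
        pub_port = src_port
        while (pub_port, dst_ip, dst_port) in self.in_use:
            pub_port = 1024 if pub_port >= 65535 else pub_port + 1
        self.in_use.add((pub_port, dst_ip, dst_port))
        self.log.append(Mapping(ts, src_ip, src_port, dst_ip, dst_port, pub_port))
        return pub_port

def candidates_prenat(nat, ts, dst_ip, dst_port):
    """What can be answered if only private (untranslated) addresses were logged:
    every customer with a flow to that destination at that time is a candidate."""
    return sorted({m.src_ip for m in nat.log
                   if m.ts == ts and (m.dst_ip, m.dst_port) == (dst_ip, dst_port)})

def answer_postnat(nat, ts, pub_port, dst_ip, dst_port):
    """With the translated port logged, (pub_port, dst_ip, dst_port) names one flow."""
    return [m.src_ip for m in nat.log
            if m.ts == ts and (m.pub_port, m.dst_ip, m.dst_port) == (pub_port, dst_ip, dst_port)]

if __name__ == "__main__":
    nat = SourceNat("203.0.113.1")   # constructed public IP (documentation range)
    t, site, port = "10:15:30", "198.51.100.7", 443
    # Users A and B pick the same ephemeral port toward the same destination.
    pa = nat.translate(t, "10.0.0.11", 40000, site, port)
    pb = nat.translate(t, "10.0.0.12", 40000, site, port)
    print("A ->", pa, "B ->", pb)    # one of the two is rewritten
    print("pre-NAT log can only say:", candidates_prenat(nat, t, site, port))
    print("post-NAT log says:", answer_postnat(nat, t, pb, site, port))
```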