I have a /30 to the provider with a /28 routed over the /30. The public IPs in the /28 are assigned (mapped) when needed to various private IPs in some /24 and /22 private subnets. All other IPs in the private /24 are NATed to the public /30.
The Cisco didn't care which public IPs went to which subnets or addresses, as they were done with one rule for each mapping, as below.
```
interface Ethernet1
 ip address 207.a.b.218 255.255.255.252
ip nat inside source list 102 interface Ethernet1 overload
ip nat inside source static 192.168.10.7 207.x.y.2
ip nat inside source static 192.168.20.3 207.x.y.3
```
What I think I need for the MikroTik is below. I think that the mapped srcnat rules need to appear before the masquerade rule and the dstnat rules must be after masquerade for everything to work properly. The only benefit that I can see for netmap is that it offers a contiguous range of IP address mapping, but you still need both srcnat and dstnat netmap rules. With individual and scattered target private IPs, I cannot see any point in using netmap, unless I am missing something.
```
/ip address
add address=207.a.b.218/30 interface=Public
/ip firewall nat
add chain=srcnat src-address=192.168.10.7 action=src-nat to-addresses=207.x.y.2
add chain=srcnat src-address=192.168.20.3 action=src-nat to-addresses=207.x.y.3
add chain=srcnat action=masquerade out-interface=Public
add chain=dstnat dst-address=207.x.y.2 action=dst-nat to-addresses=192.168.10.7
add chain=dstnat dst-address=207.x.y.3 action=dst-nat to-addresses=192.168.20.3
```
I would welcome any comments if you know about something I should watch out for, if you think I have it wrong or missed something, or even if you think I have it right.
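
An added example, not part of the original post: a small Python model of the rule set above that checks for shadowed NAT rules and for 1:1 mappings whose outbound and inbound halves disagree. It treats srcnat and dstnat as separate first-match lists and models masquerade as matching any source (the `out-interface` matcher is not modelled); the 198.51.100.x and 203.0.113.218 addresses are constructed stand-ins for the post's redacted 207.x.y.x and 207.a.b.218.

```python
import ipaddress

WAN = "203.0.113.218"  # constructed stand-in for 207.a.b.218

# Same order as the post's srcnat chain; masquerade modelled as "any source".
SRCNAT = [
    {"src": "192.168.10.7/32", "to": "198.51.100.2"},
    {"src": "192.168.20.3/32", "to": "198.51.100.3"},
    {"src": "0.0.0.0/0", "to": WAN},
]
# Same order as the post's dstnat chain.
DSTNAT = [
    {"dst": "198.51.100.2/32", "to": "192.168.10.7"},
    {"dst": "198.51.100.3/32", "to": "192.168.20.3"},
]


def first_match(rules, key, addr):
    """Return the 'to' address of the first rule whose matcher contains addr."""
    ip = ipaddress.ip_address(addr)
    for rule in rules:
        if ip in ipaddress.ip_network(rule[key]):
            return rule["to"]
    return None  # no rule matched: the address is left untranslated


def shadowed(rules, key):
    """Indexes of rules that can never fire because an earlier rule covers them."""
    hits = []
    for i, rule in enumerate(rules):
        net = ipaddress.ip_network(rule[key])
        if any(net.subnet_of(ipaddress.ip_network(p[key])) for p in rules[:i]):
            hits.append(i)
    return hits


def one_to_one_consistent(srcnat, dstnat):
    """True if every host reachable via dstnat also leaves with that same public IP."""
    return all(
        first_match(srcnat, "src", r["to"]) == r["dst"].split("/")[0]
        for r in dstnat
    )


if __name__ == "__main__":
    misordered = [SRCNAT[2]] + SRCNAT[:2]  # masquerade moved to the top
    print("post order shadowed rules:", shadowed(SRCNAT, "src"))
    print("misordered shadowed rules:", shadowed(misordered, "src"))
    print("post order 1:1 consistent:", one_to_one_consistent(SRCNAT, DSTNAT))
```
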