Scenario:
Got 5 static IPs (/29) from my ISP. All come in via ether1-WAN (from ISP's modem in bridge mode) on my HEX-S (v7.2.3), let's call them addrA, addrB, addrC, addrD, addrE.
Got some VMs configured on a separate VLAN, a few matching dst-nat rules, and a few completely generic src-nat rules like so:
add chain=srcnat src-address=10.1.10.234 out-interface=ether1-WAN action=src-nat to-addresses=addrA
When I restart my router, all these src-nat rules work (in the VM console I check the public IP address and it matches the src-nat); I can change them to any public IP address configured on ether1-WAN and after a few moments the assigned public address is reported (from ifconfig.io) as the one I set in the rule.
BUT.
After a few minutes, all VMs report only addrE. Changing the src-nat rules to any other address removes outbound internet access on these VMs.
I'm completely baffled as to why it behaves like that.
Of course, default masquerade works, defaulting to addrA.
I have no custom routing added (only manually added ISP's GW address), no mangle rules, nothing out of the ordinary.
Any help will be greatly appreciated.