Please let me know if this question should be asked on another site (e.g. network engineering); I asked it here because other MikroTik-related questions are also asked here!
Setup:
ADSL modem (bridge-mode) ---> MikroTik's ether1
Tp-Link Archer D7 (as wAP; bridge-mode) ---> MikroTik's ether2
Server ---> MikroTik's ether3
Networks:
10.0.0.0/30 on ether1 (ADSL-modem=10.0.0.1 / MikroTik-ether1=10.0.0.2)
10.11.12.0/24 on bridge-ether2-ether3 (MikroTik's ether2 & ether3 are bridged)
Firewall Filters:
0 ;;; Accept connection to WAN from 7 IPs from range 13 to 19
chain=forward action=accept src-address=10.11.12.13-10.11.12.19 out-interface=PPPoE-to-Dlink
1 ;;; Drop all connection to WAN
chain=forward action=drop out-interface=PPPoE-to-Dlink
Nat Rule:
chain=srcnat action=src-nat to-addresses=my.public.ip.address out-interface=PPPoE-to-Dlink
Question:
With the below Nat rules, I'm trying to enable SSH access to my server from WAN / Internet:
/ip firewall nat add chain=dstnat action=dst-nat dst-port=2200 protocol=tcp to-addresses=10.11.12.14 to-ports=22
/ip firewall nat add chain=dstnat action=dst-nat dst-port=2200 protocol=tcp to-addresses=10.11.12.14 to-ports=22 in-interface=ether1
/ip firewall nat add chain=dstnat action=dst-nat dst-port=2200 protocol=tcp to-addresses=10.11.12.14 to-ports=22 in-interface=PPPoE-to-Dlink
None of the above works with the current src-nat NAT rule; but if I use masquerade instead, it works!
Note: I tested each of these rules separately!
So the 1st question is: What does masquerade do that src-nat doesn't, and what's the difference?
2nd: What should I do?