Mikrotik and NAT/Routing issue

You have to make decisions and design your network.

On ether1, which is connected to your ISP, you should define a smaller network, e.g. a /30 (to tell the truth, it is much easier if you request one more smaller range from your ISP than splitting what you have now).

So on ether1 with 10.10.10.192/30, your gw is 10.10.10.193 and 10.10.10.194/30 is your IP (on the Mikrotik, ether1). You then ask your ISP to route

  • 10.10.10.196/30
  • 10.10.10.200/29
  • 10.10.10.208/28

to the address 10.10.10.194 and to set up the same /30 netmask on their side as you did on yours.

Then on ether2 you configure one (or more) of the address ranges seen above. On this interface you don't do any NAT. You set up the pool according to the address ranges configured on the interface.

On ether3 you configure private addresses as you wish. The examples you provided seem fine. Here you set up MASQUERADE, and this is the only place you have NAT.

And what was wrong with your original setup?

  • You should not assign /32 networks the way you did.
  • The ISP will address all of them as being on the same network; however, this is not the case.
  • You do not do SNAT and DNAT at the same time on an interface. In this case you only do SNAT, which alters the source address. When the packets come back, the netfilter subsystem remembers what it did and will automatically do the reverse transformation. (MASQUERADE is a special case of SNAT.)

EDIT: If you do not want to involve your ISP in this, then you do the same and enable proxy-arp; this is well described here: http://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP
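The following is an added worked example, not part of the answer above and not Mikrotik's own code. It checks that the split described in the answer is consistent (the transit /30 and the routed ranges are aligned, lie inside the parent block and do not overlap) and then emits the RouterOS commands for the three-interface layout: the /30 on ether1, the routed public ranges on ether2 with a pool and no NAT, and a private range on ether3 with the single masquerade rule. The parent block 10.10.10.192/27 is an assumption implied by the four ranges listed in the answer, the LAN range 192.168.88.0/24 is a placeholder, and the `proxy_arp` flag covers the variant from the EDIT. The emitted commands use the standard `/ip address`, `/ip route`, `/ip pool`, `/ip firewall nat` and `/interface ethernet` syntax.

```python
import ipaddress

# Constructed example values. The ISP-facing parent block is assumed to be
# 10.10.10.192/27 (the answer only names the sub-ranges carved out of it),
# and the ether3 LAN range 192.168.88.0/24 is likewise an assumption.
ISP_BLOCK = "10.10.10.192/27"
LINK = "10.10.10.192/30"
ROUTED = ["10.10.10.196/30", "10.10.10.200/29", "10.10.10.208/28"]
LAN = "192.168.88.0/24"


def check_plan(isp_block, link, routed):
    """Return a list of problems with the split; an empty list means it is consistent.

    ipaddress.ip_network() is strict by default, so a misaligned range such as
    10.10.10.198/30 raises ValueError before this function even runs.
    """
    block = ipaddress.ip_network(isp_block)
    pieces = [ipaddress.ip_network(link)] + [ipaddress.ip_network(r) for r in routed]
    problems = []
    if pieces[0].prefixlen != 30:
        problems.append(f"transit link {pieces[0]} should be a /30")
    for n in pieces:
        if not n.subnet_of(block):
            problems.append(f"{n} lies outside the ISP block {block}")
    for i, a in enumerate(pieces):
        for b in pieces[i + 1:]:
            if a.overlaps(b):
                problems.append(f"{a} overlaps {b}")
    return problems


def link_addresses(link):
    """On the transit /30 the ISP gateway takes the first usable address and
    the router's ether1 the second; returned as (gateway, router) strings."""
    gw, me = list(ipaddress.ip_network(link).hosts())
    return str(gw), str(me)


def routeros_config(link, routed, lan, proxy_arp=False):
    """Emit the RouterOS commands for the three-interface layout in the answer.

    NAT appears exactly once, as masquerade for the private LAN on ether3;
    the public ranges on ether2 are routed, not translated.
    """
    gw, me = link_addresses(link)
    link_net = ipaddress.ip_network(link)
    lines = ["/ip address", f"add address={me}/{link_net.prefixlen} interface=ether1"]
    pool_ranges = []
    for r in routed:
        net = ipaddress.ip_network(r)
        hosts = list(net.hosts())
        # The router takes the first usable address of each public range;
        # the remaining usable addresses go into the DHCP pool for ether2.
        lines.append(f"add address={hosts[0]}/{net.prefixlen} interface=ether2")
        if len(hosts) > 1:
            pool_ranges.append(f"{hosts[1]}-{hosts[-1]}")
    lan_net = ipaddress.ip_network(lan)
    lines.append(f"add address={next(lan_net.hosts())}/{lan_net.prefixlen} interface=ether3")
    lines += ["/ip route", f"add dst-address=0.0.0.0/0 gateway={gw}"]
    lines += ["/ip pool", f"add name=public-pool ranges={','.join(pool_ranges)}"]
    lines += ["/ip firewall nat",
              f"add chain=srcnat src-address={lan_net} out-interface=ether1 action=masquerade"]
    if proxy_arp:
        # Variant from the EDIT: the ISP is not asked for a route, so ether1
        # answers ARP on the ISP's side for the public ranges routed behind it.
        lines += ["/interface ethernet", "set ether1 arp=proxy-arp"]
    return lines


if __name__ == "__main__":
    problems = check_plan(ISP_BLOCK, LINK, ROUTED)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(routeros_config(LINK, ROUTED, LAN)))
```

Run it as-is to print the command list; swap in your own ranges for `LINK`, `ROUTED` and `LAN` and the checker will refuse a plan whose pieces overlap the transit /30 or fall outside the parent block, which is exactly the mistake the /32 assignments in the original setup made.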