I am running a mail server behind NAT. Public interface has a range of IP addresses. All outgoing traffic originates from the highest IP address of Public interface, but I would need to force the SMTP outgoing traffic to certain IP address from the public range, different from the highest IP address.
I have tried source nat from local IP address of mail server to exact public IP address present on Public interface, but my mail traffic still appears as comming from the highest IP address of Public interface.

Could someone instruct me how to do that?

i solve that with this line:
change wan port with your public interface, src-address with local ip, to addresses with your public ip which your smtp will get when go outisde to the internet

This is exactly what I have tried - but for some reason it did not work. I am pinging a public address from my mail server, and pings still arrive from the highest address of my WAN interface.

I've tried to put that rule in front and under the general NAT rule, have even tried to disable the main NAT for test - but no luck.

What could be the reason? How do I debug it?

One more concearn comes to my mind:

How does WAN interface choose the public address from which it would transmit traffic?
I am pretty sure that it used to be the lowest available IP address (or was it on Microsoft?).
Could I influence that in any way? Could it change with fw updates in the future?

When you tried that, did you move that srcnat rule above the masquerade? The order in that list is important.

You might want to try it again, then post the output of "/ip firewall nat print" if it doesn't work.

Yes I did...... Still it did not work. Here is the setup:

0 chain=srcnat action=src-nat to-addresses=85.10.49.44 src-address=192.168.154.4 out-interface=bridge1
1 chain=srcnat action=masquerade out-interface=bridge1
2 ;;; APPSRV
chain=dstnat action=dst-nat to-addresses=192.168.40.12 protocol=tcp dst-address=85.10.49.45
in-interface=bridge1 dst-port=3389
3 ;;; WEMSERVER
chain=dstnat action=dst-nat to-addresses=192.168.40.18 to-ports=3389 protocol=tcp
in-interface=bridge1 dst-port=33891
4 ;;; SMTP
chain=dstnat action=dst-nat to-addresses=192.168.152.4 protocol=tcp dst-address=85.10.49.44
in-interface=bridge1 dst-port=25
5 chain=dstnat action=dst-nat to-addresses=192.168.152.4 protocol=tcp dst-address=85.10.49.44
in-interface=bridge1 dst-port=443
6 chain=dstnat action=dst-nat to-addresses=192.168.152.2 protocol=tcp dst-address=85.10.49.46
in-interface=bridge1 dst-port=3389

SurferTim,

You might notice that I have misstyped the source IP address in rule 0. I have fixed that, but it did not help either.

These rules refer to interface bridge1. Are you bridging the WAN interface? Have you assigned the alternate IPs to the WAN interface in /IP Address?

Could you upload the output from /export compact?

Router is 1100AH. I am bridging interfaces 1 and 6 to cover both switching groups, but only Ether1 is currently connected to ISP's router. Ether6 is disconnected.
Switching group 1 covers local 192.168.152.0/24 subnet, and switching group 2 covers 192.168.40.0/24.

Is that a problem?

I have assigned all available public IP addresses to bridge1.

The original post says the servers are behind NAT. That seems inconsistent with bridging the ISP connection across both switching groups. What are you trying to achieve?

Unless there is a good unstated reason for bridging the ISP / WAN port I suggest using an unbridged port as the WAN connection and move your IP assignments and NAT rules to reflect that port.

Well ... it's a long story, but I don't think it should be a problem, and frankly I don't see how it would be inconsistent with servers being behind NAT. Bridge1 is NAT-ed.

So, I have solved my immediate problem in a totally wierd way which rises even more questions:

I have noticed that the address from which all traffic is transmitted is listed first in /ip address print. So I have deleted that address and then created it again.
Now all my traffic comes from a different address - luckily exactly the one I needed for my SMTP traffic, but NOT the address which was next on the list before I have removed the forementioned address.

This leaves the question: How does RouterOS decide which address it would use out of several defined on the inteface?

During this process I've learned that L2TP VPN tunnels could only be built if preferred address is targeted on bridge1 interface. This is my next problem.....

OK - it seems that I have resolved most of the problems:

After removing and giving back the offending highest IP address to bridge1, I had to reboot the router in order to make bridge1 automatically created route to public range take the lowest IP address as preferred source.

Having that done, now the src-nat rule works fine redirecting outgoing traffic of my mail server to desired address. Further on, I can now manipulate the default IP address from which traffic goes out by setting preferred address on default route.

About the only question left now is: Does anyone know how I could manipulate the order of IP addresses assigned to an interface - other than deleting them and re-enter in desired order?!?

Normally a src NAT rule with high enough priority is sufficient to select the outbound IP from multiple available IPs.

The output from /export compact would give a fuller picture and allow better comment.