
Complicated NATing

Posted: Fri Jun 01, 2007 10:39 am
by wifipn
Some intelligent person please help me!

ether1 - Users - 172.31.100.100/16
ether2 - InSPire Net - 203.114.137.71/28
ether3 - Servers - 203.114.162.1/28

My ISP has given me a main public IP of 203.114.137.71. They've also given me additional public IP addresses 203.114.162.2-203.114.162.14, where the gateway for those IP addresses is 203.114.162.1.

The servers on my network use the public IP addresses, and my users use the private IP addresses 172.31.0.x, which NAT through my public IP of 203.114.137.71 using the basic src-nat masquerade.

Problem is, I would like my users to NAT through the public IP address 203.114.162.10, not the 203.114.137.71 address.

How am I able to do this?
=========================

Routes:
# DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE
0 ADC 172.31.0.0/16 172.31.100.100 Clients
1 ADC 203.114.137.64/28 203.114.137.71 InSPire Net
2 ADC 203.114.162.0/28 203.114.162.1 Servers
3 A S 0.0.0.0/0 r 203.114.137.65 InSPire Net

NAT:
0 ;;; LAN => WAN
chain=srcnat action=masquerade

1 ;;; uTorrent (Adam Shaw)
chain=dstnat protocol=tcp dst-port=100 action=dst-nat
to-addresses=172.31.0.1 to-ports=100

2 ;;; uTorrent (Jonathan Dix)
chain=dstnat protocol=tcp dst-port=101 action=dst-nat
to-addresses=172.31.0.4 to-ports=101

3 ;;; Web Proxy
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

4 ;;; uTorrent (Max Annear)
chain=dstnat protocol=tcp dst-port=102 action=dst-nat
to-addresses=172.31.0.2 to-ports=102

Re: Complicated NATing

Posted: Fri Jun 01, 2007 5:26 pm
by JJCinAZ
You need policy routing to do this. The overall steps are:

1) Use mangle rules to route-mark the packets coming from 172.31.0.0/16 subnet and those from the public servers.
/ip firewall mangle add chain=forward src-address=172.31.0.0/16 action=mark-routing new-routing-mark=LanUsers passthrough=no disabled=no
/ip firewall mangle add chain=forward action=mark-routing new-routing-mark=Servers passthrough=no disabled=no

2) Add a default route to the LanUsers routing table:
/ ip route add dst-address=0.0.0.0/0 gateway=203.114.162.1 pref-src=203.114.162.10 routing-mark=LanUsers disabled=no

This assumes that you have the 203.114.162.10 as an address on the router.

Re: Complicated NATing

Posted: Fri Jun 01, 2007 7:33 pm
by changeip
NAT:
0 ;;; LAN => WAN
chain=srcnat action=masquerade

This is too broad. You're saying everything passing thru the router should be masqueraded. Specify a src-address range on this line.

Then add another line with the src-address range of the other net that you want, and instead of using masq use to-addresses. Order makes a difference also. The more broad entry should probably be last.

1 ;;; uTorrent (Adam Shaw)
chain=dstnat protocol=tcp dst-port=100 action=dst-nat
to-addresses=172.31.0.1 to-ports=100

2 ;;; uTorrent (Jonathan Dix)
chain=dstnat protocol=tcp dst-port=101 action=dst-nat
to-addresses=172.31.0.4 to-ports=101

3 ;;; Web Proxy
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

4 ;;; uTorrent (Max Annear)
chain=dstnat protocol=tcp dst-port=102 action=dst-nat
to-addresses=172.31.0.2 to-ports=102

Re: Complicated NATing

Posted: Fri Jun 01, 2007 7:34 pm
by changeip
I don't think you need to policy route just to change src-addresses.

Re: Complicated NATing

Posted: Fri Jun 01, 2007 8:39 pm
by JJCinAZ
You do for a Masq-NAT because the source address is determined by the route not by the srcnat rule.
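The two answers above describe two different mechanisms: changeip's, where a src-nat rule with to-addresses sets the public address directly and the broad masquerade rule has to come last so it does not shadow the specific one, and JJCinAZ's, where masquerade takes its address from the pref-src of the route the packet is sent over, so only a routing mark (JJCinAZ's mangle and route steps in the first reply) can change it. The following Python model was added for this page to make that difference visible; it is not code from the forum posts or from MikroTik. The addresses, subnets, mark name and rule forms are taken from the thread; the client address 172.31.0.1, the server address 203.114.162.2, the destination 198.51.100.7 and the evaluation order (mangle, then route lookup in the marked table with fallback to main, then first-matching srcnat rule) are the model's own assumptions.

```python
"""Added model of source-address selection on a RouterOS-style edge router.
Not code from the thread or from MikroTik; addresses and rule names follow the
posts above, the evaluation order is this model's assumption."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Route:
    dst: str
    gateway: str
    pref_src: str                       # address a masquerade rule will use
    routing_mark: Optional[str] = None  # None = main routing table


@dataclass(frozen=True)
class MangleRule:
    new_routing_mark: str
    src_address: Optional[str] = None   # None matches every source


@dataclass(frozen=True)
class NatRule:
    action: str                         # "masquerade" or "src-nat"
    src_address: Optional[str] = None   # None matches every source
    to_addresses: Optional[str] = None  # only used by src-nat


def _matches(addr: str, prefix: Optional[str]) -> bool:
    return prefix is None or ip_address(addr) in ip_network(prefix)


def routing_mark_for(src: str, mangle: list) -> Optional[str]:
    """First matching mark-routing rule wins (passthrough=no)."""
    for rule in mangle:
        if _matches(src, rule.src_address):
            return rule.new_routing_mark
    return None


def lookup_route(dst: str, mark: Optional[str], routes: list) -> Optional[Route]:
    """Longest prefix in the marked table; RouterOS falls back to main if none."""
    tables = [mark, None] if mark is not None else [None]
    for table in tables:
        hits = [r for r in routes if r.routing_mark == table and _matches(dst, r.dst)]
        if hits:
            return max(hits, key=lambda r: ip_network(r.dst).prefixlen)
    return None


def translate_source(src, dst, mangle, routes, nat) -> str:
    """Return the source address seen on the wire for a forwarded packet."""
    route = lookup_route(dst, routing_mark_for(src, mangle), routes)
    if route is None:
        raise ValueError(f"no route to {dst}")
    for rule in nat:                    # srcnat chain: first match terminates
        if not _matches(src, rule.src_address):
            continue
        if rule.action == "masquerade":
            return route.pref_src       # taken from the route, not the rule
        if rule.action == "src-nat":
            return rule.to_addresses    # set explicitly by the rule
    return src                          # no rule matched: address unchanged


# Values taken from the thread
LAN = "172.31.0.0/16"
ISP_GW, WAN_ADDR = "203.114.137.65", "203.114.137.71"
SERVERS_GW, PROXY_ADDR = "203.114.162.1", "203.114.162.10"
MAIN_DEFAULT = Route("0.0.0.0/0", ISP_GW, WAN_ADDR)
LANUSERS_DEFAULT = Route("0.0.0.0/0", SERVERS_GW, PROXY_ADDR, routing_mark="LanUsers")

# Constructed sample hosts: a LAN client, a public server, an Internet destination
CLIENT, SERVER, DEST = "172.31.0.1", "203.114.162.2", "198.51.100.7"

BROAD_MASQ = NatRule("masquerade")
SCOPED_MASQ = NatRule("masquerade", src_address=LAN)
LAN_TO_PROXY = NatRule("src-nat", src_address=LAN, to_addresses=PROXY_ADDR)


def original_setup() -> str:
    """Bare masquerade, main table only: the client leaves as 203.114.137.71."""
    return translate_source(CLIENT, DEST, [], [MAIN_DEFAULT], [BROAD_MASQ])


def policy_routing_setup() -> str:
    """JJCinAZ: mark LAN traffic and give it a default route with pref-src .162.10."""
    mangle = [MangleRule("LanUsers", src_address=LAN)]
    return translate_source(CLIENT, DEST, mangle, [MAIN_DEFAULT, LANUSERS_DEFAULT], [BROAD_MASQ])


def explicit_srcnat_setup(specific_first: bool) -> str:
    """changeip: src-nat with to-addresses; rule order decides whether it is reached."""
    nat = [LAN_TO_PROXY, BROAD_MASQ] if specific_first else [BROAD_MASQ, LAN_TO_PROXY]
    return translate_source(CLIENT, DEST, [], [MAIN_DEFAULT], nat)


def server_source(scoped: bool) -> str:
    """A public server is rewritten by an unscoped masquerade, left alone by a scoped one."""
    return translate_source(SERVER, DEST, [], [MAIN_DEFAULT], [SCOPED_MASQ if scoped else BROAD_MASQ])


if __name__ == "__main__":
    print("original:            ", original_setup())
    print("policy routing:      ", policy_routing_setup())
    print("src-nat first:       ", explicit_srcnat_setup(True))
    print("masquerade first:    ", explicit_srcnat_setup(False))
    print("server, broad masq:  ", server_source(scoped=False))
    print("server, scoped masq: ", server_source(scoped=True))
```

The model only reports which source address the router writes into the packet. It does not decide whether the upstream will accept a packet sourced from 203.114.162.10 arriving over the 203.114.137.64/28 link; that depends on the provider's ingress filtering, which is one reason the policy-routing variant sends marked traffic out via 203.114.162.1. The server case shows the effect changeip objected to: an unscoped masquerade rewrites the public servers' own addresses to 203.114.137.71, while scoping it to 172.31.0.0/16 leaves them untouched.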

Re: Complicated NATing

Posted: Sun Jun 17, 2007 3:39 pm
by wifipn
Hmm need a little more help..

NAT Rules:
[admin@MikroTik] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade

IP Addresses:
[admin@MikroTik] ip address> pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 172.31.100.100/16 172.31.0.0 172.31.255.255 Clients
1 203.114.137.71/28 203.114.137.64 203.114.137.79 Inspire Net
2 203.114.162.1/28 203.114.162.0 203.114.162.15 Servers
3 203.114.162.10/28 203.114.162.0 203.114.162.15 Proxy

Routes:
[admin@MikroTik] ip route> pr
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREF-SRC G GATEWAY DIS INTERFACE
0 ADC 172.31.0.0/16 172.31.100.100 Clients
1 ADC 203.114.137.64/28 203.114.137.71 Inspire Net
2 ADC 203.114.162.0/28 203.114.162.1 Servers
3 DC 203.114.162.0/28 203.114.162.10 Proxy
4 A S 0.0.0.0/0 r 203.114.137.65 Inspire Net
5 A S 0.0.0.0/0 203.114.162.10 r 203.114.162.1 Servers

Mangle Rules:
[admin@MikroTik] ip firewall mangle> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward src-address=172.31.0.0/16 action=mark-routing
new-routing-mark=LanUsers passthrough=no

1 chain=forward action=mark-routing new-routing-mark=Servers passthrough=no

Still somehow not working as the IP address is still 203.114.137.71 when I check my IP.
Also this line:
5 A S 0.0.0.0/0 203.114.162.10 r 203.114.162.1 Servers
Is showing up blue in the route list as something not right..

Help?

Re: Complicated NATing

Posted: Sun Jun 17, 2007 8:33 pm
by JJCinAZ
If it's blue, then it's not active, so check the list to make sure that the letter A was really next to that route. That aside, you have multiple problems and a lack of info. If the gateway for subnet 203.114.162.0/28 is 203.114.162.1, then you should NOT have that address on your router (because that address should be on your provider's router, thus you cannot both have the address). You need to add the addresses in the 203.114.162.0/28 subnet to your router and then one-to-one NAT them to the appropriate private addresses using a pair of srcnat and dstnat rules. The masq nat rule should come last to handle everything else from the 172.16.0.0/16 subnet.

And are you doing all this so you can do better P2P? Seems a waste of precious IPv4 address space.