NAT Help

Posted: Thu Oct 17, 2013 6:36 am
by jesse.dupont
Hello. I have installed User Manager on a centrally located RouterBoard and I'm using it for RADIUS authentication for some APs (see the attached screen shot which is an L3 topology - User Manager is on device "sdpb-rb2011-usa-rm-L3"). The APs are reachable from the User Manager RB via multiple interfaces and in some cases the same AP is reachable via multiple interfaces. The issue is that the reply packets from User Manager have the source address of the outgoing interface. In my APs, if I put the IP that is on the outgoing interface of the User Manager's RB that the AP is reachable through as the RADIUS server, everything works fine, but if I put the loopback (/32 on bridge I/F) IP as the RADIUS server, the APs ignore the responses because they came from the outgoing I/F IP and not the bridge/loopback IP. This creates a problem because I have to choose a specific I/F IP on the RB as the RADIUS server, but if that path is down and it uses an alternate path, the RADIUS replies will be ignored by the AP.
What I'd like to do is SRC-NAT the replies from User Manager RB so that the replies are translated from whatever interface IP they're using to the bridge/loopback IP, but I can't seem to get the NAT to work.
I've tried many things (simple SRC-NAT on specific packets leaving a specific interface, connection/packet marking and SRC-NAT on marked packets), but to no avail. The connection/packet marking is working, but the NAT doesn't seem to be.
Can this be done? Any better solutions? I may have to use a separate RB running just User Manager so that it only has a single path to all APs...
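
As an added illustration (not part of this thread or of RouterOS), a small Python model of the checks a RADIUS client makes on a reply per RFC 2865, showing why a reply sourced from the router's egress interface IP is dropped before its authenticator is even examined. The server address 10.94.254.254, the interface address 172.16.1.1 and the shared secret are constructed sample values.

```python
import hashlib
import hmac
import os
import struct

SECRET = b"constructed-shared-secret"   # constructed sample value
SERVER_IP = "10.94.254.254"             # constructed: address the AP is configured with

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 s.3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, request_auth, attrs=b"", secret=SECRET):
    """Serialise a RADIUS reply (e.g. code 2 = Access-Accept) with a valid authenticator."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def client_accepts(reply, src_ip, request_auth, expected_ident,
                   server_ip=SERVER_IP, secret=SECRET):
    """Return (accepted, reason) as a RADIUS client would decide it.

    The source-address check comes first: a reply from any address other
    than the configured server is discarded regardless of its contents.
    """
    if src_ip != server_ip:
        return False, "source %s is not the configured server %s" % (src_ip, server_ip)
    if len(reply) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != expected_ident:
        return False, "length/identifier mismatch"
    attrs = reply[20:]
    expected = response_authenticator(code, ident, attrs, request_auth, secret)
    if not hmac.compare_digest(reply[4:20], expected):   # constant-time compare
        return False, "bad response authenticator"
    return True, "ok"

def demo():
    """Same valid Access-Accept, once from the loopback IP, once from an egress IP."""
    request_auth = os.urandom(16)   # would be taken from the AP's own Access-Request
    reply = build_reply(2, 7, request_auth)
    return (client_accepts(reply, "10.94.254.254", request_auth, 7)[0],
            client_accepts(reply, "172.16.1.1", request_auth, 7)[0])
```

The second result in `demo()` is the failure described above: the authenticator is fine, but the source address is not the one the AP was told to trust.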

Re: NAT Help

Posted: Thu Oct 17, 2013 1:13 pm
by noib
You can maybe create some L2TP tunnels from the devices to the central user manager machine; you will have a "central unique IP".
On the user manager machine:
/ppp profile
add change-tcp-mss=default local-address=10.94.254.254 name=profil_l2tp_aps \
    only-one=default use-compression=yes use-encryption=default use-mpls=\
    default use-vj-compression=yes

/ppp secret add name=device1 password=device1 profile=profil_l2tp_aps remote-address=10.94.1.1 service=l2tp
/ppp secret add name=device2 password=device2 profile=profil_l2tp_aps remote-address=10.94.1.2 service=l2tp
/ppp secret add name=device3 password=device3 profile=profil_l2tp_aps remote-address=10.94.1.3 service=l2tp
/ppp secret add name=device4 password=device4 profile=profil_l2tp_aps remote-address=10.94.1.4 service=l2tp
etc.

On AP1:
/interface l2tp-client
add connect-to=USER_MANAGER_IP disabled=no name=l2tp-Radius password=device1 user=device1
Then you will be able to access your RADIUS server on 10.94.254.254 from every AP.