Idea to think about: --salt 3b5b91c5a2 XOR client addresses for some more privacy
the salt can be added e.g. when restarting router/iptables or may be generated for
a particular host once. Purpose: hide MAC addresses behind the address mapping
gateway 

Another idea: change to a single rule either in POSTROUTING or in PREROUTING to 
make MAP66 compatible with conntrack/stateful FW