Hello all.
I have:
AP
10.1.2.1/24 (uplink to default gateway)
10.1.3.1/24 (AP)
No mangle, NAT rules
CPE
10.1.3.2/24 (WAN/PUBLIC)
192.168.0.1/24 (LAN, masqueraded)
However, if I do this in the firewall filter (on the AP):
0 chain=forward action=drop connection-state=invalid
1 chain=forward action=log src-address=192.168.0.0/24 log-prefix=""
Then I get many, many log entries for TCP traffic from 192.168.0.xxx (not supposed to happen!), and if I trace the src-mac, it comes from the CPEs with masquerade...
If they were 'invalid' packets, then rule 0 should drop them, but it doesn't; I get 100's of log entries in a minute generated by rule 1.
How is this possible, how can:
1) TCP/IP packets arrive from behind a masquerade rule with the original IP still in them?
2) The 'drop invalid packets' filter rule does not drop these?
3) Packets route through all default gateways, even if there is no route for that subnet and obviously no return route?
If it is a bug that these packets 'escape' NAT, then at least I'd like to stop them.
To put rules on ingress for each possible subnet behind NAT is not really a good solution, I'd like to be able to stop it at the CPE so the network never receives these 'invalid' packets.
Regards
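One place to stop such packets is on the CPE itself, before they reach the WAN. The configuration below is an added example, not part of the post above; it assumes the CPE's WAN interface is ether1 and its LAN (192.168.0.0/24) is on ether2, so adjust the interface names to your own. In Linux netfilter, which RouterOS is built on, masquerade is applied only to packets that belong to a tracked connection; packets connection tracking classifies as invalid are not translated and would otherwise leave with their private source address unchanged, so they are logged and dropped in the forward chain ahead of everything else.

```routeros
# Added example (not from the post). Assumes WAN = ether1, LAN = ether2.
/ip firewall filter
# Log anything invalid that is about to leave via the WAN, then drop all
# invalid traffic. action=log continues to the next rule, so the drop
# below still applies to the logged packets.
add chain=forward connection-state=invalid out-interface=ether1 \
    action=log log-prefix="cpe-invalid-out"
add chain=forward connection-state=invalid action=drop
# Normal forwarding for tracked connections and new LAN-originated ones.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=new in-interface=ether2 \
    src-address=192.168.0.0/24 out-interface=ether1 action=accept
/ip firewall nat
# Masquerade is applied after the forward filter, only to tracked packets.
add chain=srcnat out-interface=ether1 action=masquerade
```

After applying this, `/log print where message~"cpe-invalid-out"` on the CPE shows which flows were being emitted untranslated; once the source is understood, the log rule can be removed and the drop rule kept.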