Can somebody help me please. I am running a wireless network with a number of APs. Users are authenticated via a central User Manager server. All is working fine except one issue.
In the AP Hotspot hosts list, MT CPE units often show a second entry related to a device on the LAN side of the client CPE, and this confuses the User Manager. How can I stop these LAN IPs from being detected by the AP? The client CPEs are set up as simple NAT routers with masquerading on the out interface (wlan1).
Client CPE WAN IP address range: 10.252.252.0/24
Client CPE LAN IP range: 192.168.0.0/24
At the moment when this happens I have to log in and remove all the host entries related to the client CPE, then the correct IP will reauthenticate. I have tried changing the amount of allowed IPs. I cannot understand how the LAN IP addresses are leaking through the NAT and registering in the AP Hotspot host list.
How do the cpe units connect to the AP? If wireless, is it possible a few clients are connecting to the backhaul by mistake? If the masquerade is functioning correctly, the localnet addresses should not go through the cpe. Can you post the masquerade rule from a cpe? You might want to post part of the hotspot hosts list that shows the problem.
The client is connecting wirelessly to the AP OK. However, as you can see from the hosts list, the 192.168.0.253 address has been picked up from the client's CPE LAN side.
How can this be possible??
The MAC address that is shown in the pic is the correct one for the client, and there is a second entry in the hosts list (not visible in the pic) for the same MAC that has authorised correctly.
My problem is that sometimes the hotspot tries to authenticate on the client's LAN IP and gets all confused, resulting in the client losing connectivity until I delete all the entries relating to the affected connection.
Oddly enough, this problem only occurs with MT CPEs. I have many other brands, e.g. Ubiquiti etc., that also connect to the same AP without a problem.
Somehow the client CPE LAN IP address is leaking through the CPE NAT and the AP is picking it up.
Just the one static NAT rule + a whole bunch of dynamic rules put in by the Hotspot service.
NAT RULE:
/ip firewall nat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    disabled=no out-interface=wlan1 src-address=10.252.253.0/24
My backhaul uses a non-standard proprietary form of 802.11n. It is secured with MAC authorization and WPA encryption. I know anything is hackable, but we are talking about silver surfers here, as the network covers a retirement village.
So my network works thus:
Backhaul IP range 172.16.0.0 NATs to 10.0.0.0 in the AP, and then NATs to 192.168.0.0 in the CPE, 192.168.0.0 being the client's private LAN. The whole network uses a /24 subnet from backhaul to client private LAN.
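One way to catch the duplicate host entries described above before they confuse the User Manager, as an added example that is not from this thread: a script that parses hotspot host list output from the AP and flags any MAC that also appears with an address from the CPE LAN range. The address ranges come from the first post; the sample lines are constructed in the shape of "/ip hotspot host print" output, and that layout plus the generated remove command are assumptions.

```python
# Added example (not from the thread): audit a hotspot host list for a client
# MAC that shows up with a CPE LAN address (192.168.0.0/24) next to its
# expected CPE WAN address (10.252.252.0/24).
import ipaddress
import re
from collections import defaultdict

CPE_WAN_NET = ipaddress.ip_network("10.252.252.0/24")  # what the AP should see
CPE_LAN_NET = ipaddress.ip_network("192.168.0.0/24")   # must never reach the AP

# Constructed sample, loosely in the shape of "/ip hotspot host print" output.
# The second line is the leaked LAN-side entry for the same client MAC.
SAMPLE_HOSTS = """\
 0 A  mac-address=D4:CA:6D:11:22:33 address=10.252.252.17 to-address=10.252.252.17 server=hotspot1
 1    mac-address=D4:CA:6D:11:22:33 address=192.168.0.253 to-address=192.168.0.253 server=hotspot1
 2 A  mac-address=24:A4:3C:AA:BB:CC address=10.252.252.42 to-address=10.252.252.42 server=hotspot1
"""

LINE_RE = re.compile(r"mac-address=(?P<mac>[0-9A-Fa-f:]{17})\s+address=(?P<ip>[0-9.]+)")


def parse_hosts(text):
    """Return {mac: [ip, ...]} for every host line in the printed list."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            hosts[m.group("mac").upper()].append(ipaddress.ip_address(m.group("ip")))
    return hosts


def find_leaked_lan_hosts(text):
    """Return [(mac, leaked_lan_ip, has_wan_entry), ...] for MACs seen with a LAN address."""
    leaks = []
    for mac, ips in parse_hosts(text).items():
        has_wan = any(ip in CPE_WAN_NET for ip in ips)
        for ip in ips:
            if ip in CPE_LAN_NET:
                leaks.append((mac, str(ip), has_wan))
    return leaks


def cleanup_commands(leaks):
    """Build the RouterOS remove commands for the leaked entries (assumed syntax)."""
    return [
        f'/ip hotspot host remove [find mac-address="{mac}" address="{ip}"]'
        for mac, ip, _ in leaks
    ]


if __name__ == "__main__":
    for cmd in cleanup_commands(find_leaked_lan_hosts(SAMPLE_HOSTS)):
        print(cmd)
```

Run against a real list, a leaked entry whose MAC also has a WAN-range entry is the pattern described above; one without any WAN-range entry points at a CPE whose masquerade is not covering its LAN at all.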
My bad. Is this NAT you posted from the CPE? The NAT should be in the CPE. Otherwise, the 192.168.x.x addresses will pass through untranslated to the AP.
Sounds like you need to generate a supout.rif file in the CPE and send it to MikroTik support with an explanation of the problem. They might see something I don’t.