Hi,
I have the following setup
RB(HOTSPOT) —>ROUTER1(NAT OUT ETHER1)
            |—>ROUTER2(NAT OUT ETHER1)
            |—>ROUTER3(NAT OUT ETHER1)
            |—>ROUTER4(NAT OUT ETHER1)
My idea was that users connect to ROUTER1-4, they then log in once, and their router would be authenticated by the hotspot. However, every now and then I see the “private” IPs of the users behind ROUTER1-4.
So the hotspot network is 10.5.50.0/24 and the “internal” network of the clients is 192.168.88.0/24. I NAT out the ether1 interface, so RB(HOTSPOT) should never see those addresses, but it does. Why is this happening?
I tried NATting on the out-interface and on the src-address, but this still happens.
The primary reason that pre-NAT addresses will pass through is when the client is sending TCP traffic “from an established stream” after the router has already seen a close (FIN) for that stream and removed the connection. You can add a firewall rule to drop or reject that traffic and mitigate most of the problem. We use a reject to send a tcp-reset, so that the client will retry the traffic right away and the end-user will see the connection re-establish much more quickly.
/ip firewall filter
add protocol=tcp in-interface=[LAN] connection-state=invalid action=reject reject-with=tcp-reset
So, I would put that rule on each of the four “downstream” routers that are performing NAT before traffic hits the hotspot.
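As an added illustration (not configuration posted by either participant in this thread), here is what the full set of rules on one of the downstream routers could look like, together with a logging rule for RB(HOTSPOT) that confirms whether pre-NAT addresses are still leaking. The addresses and ether1 are taken from the thread; the LAN interface list, ether2 as the client-facing port, and the comments and log prefix are assumptions for the example.

```routeros
# Added example for one of ROUTER1-4 (not from the original post).
# Assumed: ether2 faces the 192.168.88.0/24 clients, ether1 faces RB(HOTSPOT).
/interface list
add name=LAN comment="assumed list of client-facing interfaces"
/interface list member
add interface=ether2 list=LAN comment="assumed client-side port"

/ip firewall nat
# Masquerade every client flow that leaves toward the hotspot router.
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="NAT 192.168.88.0/24 behind the ether1 address"

/ip firewall filter
# TCP segments with no tracked connection (e.g. sent after the router
# already saw the FIN and dropped the entry) would bypass src-nat and
# reach the hotspot with their 192.168.88.x source. Reset them so the
# client re-opens the connection instead of retransmitting a dead one.
add chain=forward protocol=tcp in-interface-list=LAN \
    connection-state=invalid action=reject reject-with=tcp-reset \
    comment="reset stale TCP from clients"
# Anything else that is invalid (non-TCP) is simply dropped.
add chain=forward in-interface-list=LAN connection-state=invalid \
    action=drop comment="drop remaining invalid traffic from clients"
# Ordinary tracked traffic from the clients is allowed through.
add chain=forward in-interface-list=LAN \
    connection-state=new,established,related action=accept

# Added check for RB(HOTSPOT): log any packet that still arrives with a
# pre-NAT source so you can see which downstream router is leaking.
# The log prefix is an assumed name for this example.
/ip firewall filter
add chain=forward src-address=192.168.88.0/24 action=log \
    log-prefix="pre-nat-leak" comment="should stay silent once fixed"
add chain=forward src-address=192.168.88.0/24 action=drop \
    comment="never let unNATed client addresses onto the hotspot network"
```

The reject rule must sit above any broad accept so the out-of-state segments are caught first, and the logging rule on the hotspot router is the quickest way to verify that the fix took effect: once all four downstream routers carry the reject rule, the "pre-nat-leak" entries in /log should stop appearing.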