Hotspot problem - catching wrong IP address

We have a wide set of routers authenticating our customers by DHCP/RADIUS - both based on RADIUS. It generally works, but as the number of our customers grows, we have two problems:

  1. Leaking NAT - some SOHO routers (Planet, D-Link, Linksys) have leaking NAT - they should NAT all packets, but sometimes they send packets un-NATed. The problem is that the hotspot catches those packets and we get entries in the hotspot with the caught ADDRESS (192.168.x.x - the inside network of the customer, behind the customer's router). Of course TO-ADDRESS is different - it is the real address of the customer.

  2. Hotspot reversing IP addresses - sometimes we see customers in /ip hotspot host print with a wrong IP address in ADDRESS. What is interesting is that very often the source IP address that the hotspot caught is the IP address of google.com, yahoo.com, microsoft.com and so on - that makes me suspect it is not an accident.

Is it possible that the hotspot incorrectly catches packets, reverses the IP addresses and makes customers appear with some foreign address?

Regards,

To bridge public IPs to hotspot users you need to connect a secondary Ethernet card of the router to the switch of the APs.
Put this bridge interface in ARP=reply-only and add static ARP entries for these public IPs on this bridge.
When you do this bridge between the secondary Ethernet from the switch of the APs and the WAN Ethernet, all Internet addresses of the world are caught in my hotspot router. If you see that all these addresses have the MAC of your border router (in my case it is the MAC of the Cisco router doing BGP to my ISP), and if this is your scenario, I recommend putting only the MAC of your router in IP-Binding in mode "bypassed" :wink:
I hope this helps you!
Thanks and best regards!
Alessio

No, you don't understand. I don't bridge anything. I give users IP addresses via DHCP, and the hotspot is only there to control who is allowed to access the net.
Sometimes the hotspot catches the wrong IP address of a user.

Gregor

I think you are saying (for example):

Your ether2 has a DHCP range of 10.1.1.x.

Your hotspot is catching 192.168.0.x on the ether2 hotspot because the SOHO routers are leaking these addresses out somehow.

I create an address-list (in firewall) of ether2 addresses that are valid (10.1.1.x).

Then I create a rule that blocks all packets coming in from ether2 whose source address is not in the address-list. This prevents fake/invalid source addresses from touching the MikroTik. It also helps prevent DDoS attacks originating from your network.

I've had the same trouble as you. Hopefully if you drop the bad packets, the router will retransmit better ones.

Yes, exactly.

What chain do you put the filtering in? I have tried input, forward, pre-hotspot, hs-unauth and so on. It didn't work. I use 2.9.31.

You can do it all in the "filter" table.

Chain: input
In interface: ether2
src-address-list: !ether2-addresses (don't miss the exclamation point)
action: drop

Chain: forward
In interface: ether2
src-address-list: !ether2-addresses (don't miss the exclamation point)
action: drop
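The address-list plus negated-match rules described in the reply above, written out as RouterOS CLI commands. This is an added example, not the commands from the original post; it assumes ether2 is the customer-facing interface and that 10.1.1.0/24 is the only valid DHCP range there (both values are assumptions, substitute your own). A log rule is placed before each drop so that the leaking SOHO router can be identified by its MAC in the log, which the drop alone would not tell you.

```routeros
# Added example: RouterOS firewall rules for the approach in the reply above.
# Assumptions: customers are on ether2, valid DHCP range is 10.1.1.0/24.
/ip firewall address-list
add list=ether2-addresses address=10.1.1.0/24 comment="valid customer subnet on ether2"

/ip firewall filter
# Packets destined to the router itself (DNS, hotspot login page, etc.)
add chain=input in-interface=ether2 src-address-list=!ether2-addresses \
    action=log log-prefix="ether2-bad-src" comment="log leaked/spoofed sources (input)"
add chain=input in-interface=ether2 src-address-list=!ether2-addresses \
    action=drop comment="drop leaked/spoofed sources (input)"

# Packets transiting the router towards the Internet
add chain=forward in-interface=ether2 src-address-list=!ether2-addresses \
    action=log log-prefix="ether2-bad-src" comment="log leaked/spoofed sources (forward)"
add chain=forward in-interface=ether2 src-address-list=!ether2-addresses \
    action=drop comment="drop leaked/spoofed sources (forward)"
```

The `!` in front of the list name negates the match, so only packets whose source is outside the valid range are logged and dropped. Note the caveat that the thread goes on to confirm: the input and forward chains of the filter table are evaluated after prerouting, where the hotspot's dynamic rules run, so these rules stop the bogus traffic from going anywhere but do not by themselves prevent the hotspot from recording the bad source address in its host table.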

I have tried it; it didn't work for me :frowning:
The hotspot still sees customers with strange source IP addresses.

Regards,

Disable Universal Client in HotSpot,
'ip hotspot set 0 address-pool=none', then HotSpot will not translate users' addresses.

To accept only valid IP subnets and have the hotspot block everything else:

/ip hotspot ip-binding add address=
/ip hotspot ip-binding add address=

/ip hotspot ip-binding add address=
/ip hotspot ip-binding add address=0.0.0.0/0 type=blocked
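The same ip-binding approach with the subnets filled in, as an added example (not the original reply's exact commands, which leave the addresses out). It assumes two customer DHCP ranges, 10.1.1.0/24 and 10.1.2.0/24, and a single hotspot server at index 0; all three are assumptions to replace with your own values.

```routeros
# Added example: accept only known customer subnets in the hotspot, block the rest.
# Assumptions: hotspot server is entry 0; valid customer ranges are
# 10.1.1.0/24 and 10.1.2.0/24 (handed out by DHCP, no Universal Client).
/ip hotspot set 0 address-pool=none comment="no one-to-one address translation of clients"

/ip hotspot ip-binding
# Bindings are evaluated top to bottom, so the accepting entries must come
# before the 0.0.0.0/0 catch-all, otherwise every client would be blocked.
add address=10.1.1.0/24 type=regular comment="customer pool 1: normal hotspot login"
add address=10.1.2.0/24 type=regular comment="customer pool 2: normal hotspot login"
# Anything else, e.g. 192.168.x.x leaked through a customer's SOHO NAT or a
# host that shows up with a foreign public source address, is refused outright.
add address=0.0.0.0/0 type=blocked comment="not a valid customer subnet"
```

`type=regular` means the client still has to authenticate through the hotspot as usual; only `type=bypassed` would let it through without login, so keep that for trusted infrastructure MACs only, as in the earlier bridging reply.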

I don't use Universal Client. Not at all.

Gregor

Wow, interesting. First tests show that this solution works.
Still needs testing.

Thanks!

It seems to be working. Many thanks for your help!

Gregor