hotspot without nat

Hi, I have just set up a new MikroTik router, version 4.16, with an RB1000.

I have no NAT and only public IP addresses routed to me.
But when I enable the hotspot function, all clients' external IP address becomes the MikroTik's main IP address.
How do I solve this so my clients' IP addresses will be the external IP?

My DHCP is sharing NAT IP … and when the users log on to the hotspot I want them to have a public IP.
But they all share my MikroTik's IP address.

I did test some other things … such as making an IP binding in hotspot, and that did solve it. But is there any other way to solve this so it works automatically, instead of entering all IP addresses manually?

Check “/ip firewall nat”. During the hotspot setup, there is this question and prompt:
masquerade network: yes
If you did not change it, there is a masquerade rule installed in “/ip firewall nat” to masquerade the hotspot localnet.

I don't have any masquerade enabled. That was the first thing that I disabled.

I did just notice that if I make an IP binding I don't need to log in anymore.

Is there some way to make the NAT / filter rules use hotspot hosts? There is address and to address, but I don't get the to address on the internet … I get the MikroTik's IP address.

That is the function of ip-binding. It eliminates the need for a login.
Are you certain there is nothing in “/ip firewall nat”?
Please post “/ip hotspot”, “/ip hotspot profile”, and “/ip pool”.

[fredrik@ComneWork] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X chain=dstnat action=accept connection-mark=macanslutna

1 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

2 X chain=srcnat action=masquerade src-address=172.16.90.0/24

3 X chain=pre-hotspot action=return


[fredrik@ComneWork] /ip hotspot> print
Flags: X - disabled, I - invalid, S - HTTPS

NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT

0 kontor eth2 Kontor kontor-26 default 5m


[fredrik@ComneWork] /ip hotspot profile> print
Flags: * - default
0 * name="default" hotspot-address=193.13.142.193 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=cookie,http-chap,http-pap http-cookie-lifetime=3d split-user-domain=no use-radius=no


[fredrik@ComneWork] /ip pool> print

NAME RANGES

0 kontor-26 193.13.142.194-193.13.142.254
1 nat 172.16.90.2-172.16.90.254

The DHCP server shares 172.16.90.0/24 until the user has logged on. Then the hotspot shares 193.13.142.194-193.13.142.254.

And this appears in hotspot hosts.
[fredrik@ComneWork] /ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed

MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT

0 A 20:CF:30:95:16:75 172.16.90.2 193.13.142.250 kontor 1h


But I don't get that 193.13.142.250 on the internet.
I get the MikroTik's IP address.

Maybe I don’t understand your setup. You mean by the Mikrotik’s ip, that is the ip assigned to the WAN interface?
Please post “/ip address” and “/ip route”.

[fredrik@ComneWork] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK BROADCAST INTERFACE

0 62.181.89.26/26 62.181.89.0 62.181.89.63 eth1 Internet
1 193.13.142.193/26 193.13.142.192 193.13.142.255 eth2 Kontor
2 172.16.90.1/24 172.16.90.0 172.16.90.255 eth2 Kontor


[fredrik@ComneWork] /ip route> print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 A S 0.0.0.0/0 62.181.89.1 1
1 ADC 62.181.89.0/26 62.181.89.26 eth1 Internet 0
2 ADC 172.16.90.0/24 172.16.90.1 eth2 Kontor 0
3 ADC 193.13.142.192/26 193.13.142.193 eth2 Kontor 0


What I meant was… all IPs that have 193.13.142.192/26 get 62.181.89.26 on the internet.

Like, I get 172.16.90.2 from DHCP on my PC… when I log in, the hotspot assigns me 193.13.142.254. But I still have 62.181.89.26 on the internet.

There is a srcnat or masquerade happening somewhere.

Remove the srcnat rule from “/ip firewall nat”. A problem I dealt with on a previous thread was caused by just disabling the rule. When the rule was deleted, everything started working again. :confused: Here is the thread:
http://forum.mikrotik.com/t/rb750-as-router-between-2-networks/42678/1

[fredrik@ComneWork] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=dstnat action=accept connection-mark=macanslutna

1 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

2 chain=pre-hotspot action=return

I have deleted that rule now, but I still have the same issue.


Now I got 172.16.90.10 as local IP … and on the net I should have 193.13.142.254, but I have 62.181.89.26 (my MikroTik's WAN IP).

The only thing left I see is the dstnat and the pre-hotspot rules. Can you explain those briefly?

I have removed them now.

[fredrik@ComneWork] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

How are you checking the ip? My traceroute to your WAN ip and internal public ips shows the traceroute “ending” at swip.net. Is there one internal hotspot client logged in with a public ip that I can ping? Your 62.181.89.26 ip is responding to a ping from here.

Can you ping the client ips (193.13.142.x) from the router?

I check my external IP address with www.myip.nu.
I do surf and use the internet with one PC behind the MikroTik.
My firewall on my PC is blocking the ICMP traffic…

My PC uses 172.16.90.254 right now.
And according to the MikroTik hotspot hosts I shall have 193.13.142.253 out on the internet, but I get 62.181.89.26 when I check on myip.nu.

And if I connect more computers to the network here, they also have 62.181.89.26 out on the internet, and internal ping works fine. Same with traceroutes.

It feels almost like MikroTik RouterOS does not follow its own rules…
[fredrik@ComneWork] /ip hotspot host> print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed

MAC-ADDRESS ADDRESS TO-ADDRESS SERVER IDLE-TIMEOUT

0 A 20:CF:30:95:16:75 172.16.90.254 193.13.142.253 kontor 1h

Like it says, I shall have 193.13.142.253 out on the internet there. If I make an IP binding it works, but then I don't need to log in.

The only thing I can suggest at this point is to remove the hotspot, and reinstall another one. When the prompt about masquerading the network comes up, change it to no. Maybe someone else will have more for you.

I have tried that several times, without any success.

Your hotspot gateway ip is responding to a ping.
ping 193.13.142.193

If you open your internal computer (193.13.142.253) to icmp temporarily, I will check that from here.

ADD: This hotspot dynamic NAT rule may have an effect on port 80.
4 D chain=hotspot action=redirect to-ports=64873 protocol=tcp hotspot=local-dst dst-port=80

This is from fewi on another thread: