We have a number of Hotspot servers running on different interfaces on a RB1100, which is used to authenticate ADSL users.
All users have their own local ADSL modem with NAT, where they use a local 192.168.1.0 network for their internal devices. The ADSL modems get their external address from our DHCP server in the 10.1.0.0 scope.
The thing that confuses me is that the hotspot server is logging some of the users’ private IP addresses as dynamic hosts.
How can the hotspot server see these addresses, when their ADSL modem hides all private addresses behind NAT?
I think these private addresses also count against the ‘Maximum Addresses Per MAC’ on the hotspot, which then puts a limit on the number of devices the users can have on their local network..?
Does anyone have a clue how this can happen?
Example:
/ip hotspot host print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
 #     MAC-ADDRESS        ADDRESS        TO-ADDRESS   SERVER      IDLE-TIMEOUT
 0 H   D8:5D:4C:9F:11:1B  10.1.8.10      10.1.8.10    hs-vlan107  4w3d
 1 H   94:0C:6D:C3:BC:49  10.1.16.230    10.1.16.230  hs-vlan115  4w3d
 2 H   D8:5D:4C:D9:FA:D4  10.1.13.230    10.1.13.230  hs-vlan112  4w3d
 3 D   40:A6:D9:19:86:92  192.168.1.102  10.1.13.201  hs-vlan112  4w3d
 4 D   00:22:68:AB:38:A9  192.168.1.103  10.1.13.205  hs-vlan112  4w3d
 5 D   40:A6:D9:19:86:92  192.168.1.100  10.1.13.198  hs-vlan112  4w3d
 6 D   78:DD:08:E1:54:67  192.168.1.101  10.1.13.197  hs-vlan112  4w3d
 7 D   34:15:9E:F7:E6:11  10.1.13.224    10.1.13.224  hs-vlan112  4w3d
 8 D   D8:5D:4C:9F:17:A2  192.168.1.1    10.1.13.192  hs-vlan112  4w3d
 9 H   D8:5D:4C:D7:1B:B5  10.1.13.228    10.1.13.228  hs-vlan112  4w3d
10 D   D8:5D:4C:86:80:60  192.168.1.100  10.1.8.13    hs-vlan107  4w3d
11 D   D8:5D:4C:9F:16:88  192.168.1.1    10.1.14.17   hs-vlan113  4w3d
12 D   D8:5D:4C:D9:FA:54  192.168.1.100  10.1.14.14   hs-vlan113  4w3d
13 H   D8:5D:4C:D7:1B:DE  10.1.14.10     10.1.14.10   hs-vlan113  4w3d
14 HA  D8:5D:4C:9F:16:88  10.1.14.15     10.1.14.15   hs-vlan113
15 H   D8:5D:4C:C6:45:88  10.1.14.13     10.1.14.13   hs-vlan113  4w3d
16 D   D8:5D:4C:C3:45:1B  192.168.1.100  10.1.21.219  hs-vlan120  4w3d
17 H   D8:5D:4C:C6:45:9A  10.1.8.15      10.1.8.15    hs-vlan107  4w3d
18 HA  D8:5D:4C:86:80:60  10.1.8.11      10.1.8.11    hs-vlan107
19 HA  D8:5D:4C:C3:45:1B  10.1.21.220    10.1.21.220  hs-vlan120
20 HA  D8:5D:4C:D9:FA:3F  10.1.8.12      10.1.8.12    hs-vlan107
21 HA  D8:5D:4C:9F:11:21  10.1.13.190    10.1.13.190  hs-vlan112
22 HA  D8:5D:4C:C6:49:23  10.1.13.200    10.1.13.200  hs-vlan112
23 HA  D8:5D:4C:9F:28:E0  10.1.14.11     10.1.14.11   hs-vlan113
24 HA  D8:5D:4C:9F:17:A2  10.1.13.202    10.1.13.202  hs-vlan112
25 H   D8:5D:4C:D9:FA:CA  10.1.21.223    10.1.21.223  hs-vlan120  4w3d
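An added check, written for this thread and not part of RouterOS or of any poster's setup: a small Python script that parses a saved copy of `/ip hotspot host print`, lists the hosts whose ADDRESS lies outside the pool of the server they appeared on (the 192.168.x.x entries that should never reach the hotspot), and counts how many distinct addresses each MAC holds, which is what `addresses-per-mac` is compared against. The sample input is a constructed, trimmed copy of a few rows from the table above, and the server-to-pool mapping is an assumption (the /24 per VLAN that is guessed later in the thread); replace both with your own export and pools.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample: a trimmed copy of the `/ip hotspot host print` output
# quoted above (five rows are enough to show the pattern).
HOST_PRINT = """\
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
 #     MAC-ADDRESS        ADDRESS        TO-ADDRESS   SERVER      IDLE-TIMEOUT
 0 H   D8:5D:4C:9F:11:1B  10.1.8.10      10.1.8.10    hs-vlan107  4w3d
 8 D   D8:5D:4C:9F:17:A2  192.168.1.1    10.1.13.192  hs-vlan112  4w3d
10 D   D8:5D:4C:86:80:60  192.168.1.100  10.1.8.13    hs-vlan107  4w3d
18 HA  D8:5D:4C:86:80:60  10.1.8.11      10.1.8.11    hs-vlan107
24 HA  D8:5D:4C:9F:17:A2  10.1.13.202    10.1.13.202  hs-vlan112
"""

# Assumed mapping: hotspot server -> prefix its DHCP pool lives in.
SERVER_POOLS = {
    "hs-vlan107": ipaddress.ip_network("10.1.8.0/24"),
    "hs-vlan112": ipaddress.ip_network("10.1.13.0/24"),
}

# index, optional flag letters, MAC, ADDRESS, TO-ADDRESS, SERVER
ROW_RE = re.compile(
    r"^\s*(\d+)\s+([SHDAP]*)\s*"
    r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\s+(\S+)\s+(\S+)\s+(\S+)"
)


def parse_hosts(text):
    """Turn the printed host table into a list of dicts; skips the legend and header."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        idx, flags, mac, addr, to_addr, server = m.groups()
        hosts.append({
            "id": int(idx),
            "flags": flags,
            "mac": mac.upper(),
            "address": ipaddress.ip_address(addr),
            "to_address": ipaddress.ip_address(to_addr),
            "server": server,
        })
    return hosts


def find_leaks(hosts, pools):
    """Hosts whose ADDRESS is outside the pool of the server they showed up on.

    These are the entries the CPE's NAT should have hidden; the hotspot's
    universal NAT has already mapped them to a TO-ADDRESS in the pool."""
    return [
        h for h in hosts
        if h["server"] in pools and h["address"] not in pools[h["server"]]
    ]


def addresses_per_mac(hosts):
    """Distinct addresses seen per MAC, the figure addresses-per-mac limits."""
    seen = defaultdict(set)
    for h in hosts:
        seen[h["mac"]].add(h["address"])
    return {mac: len(addrs) for mac, addrs in seen.items()}


if __name__ == "__main__":
    hosts = parse_hosts(HOST_PRINT)
    for h in find_leaks(hosts, SERVER_POOLS):
        print(f"row {h['id']:>2}: {h['mac']} seen as {h['address']} "
              f"(translated to {h['to_address']}) on {h['server']}")
    for mac, n in addresses_per_mac(hosts).items():
        if n > 1:
            print(f"{mac} holds {n} addresses")
```

Run it against the full export and every MAC that reports more than one address is a CPE whose LAN side is reaching the hotspot; the leak list tells you which VLAN to torch first.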
The setting “addresses-per-mac” applies to each hotspot. You have more than a few hotspots. I see
hs-vlan107 (10.1.8.0/24?)
hs-vlan112 (10.1.13.0/24?)
hs-vlan113 (10.1.14.0/24?)
hs-vlan115 (10.1.16.0/24?)
hs-vlan120 (10.1.21.0/24?)
Each is translating the “address” to a “to-address” that appears to be in the correct range for that hotspot.
Yupp, that’s right.
But what I don’t understand is how the hotspot sees the 192.168.1.0 addresses, as these are behind another NAT router (the ADSL routers/modems).
Look for instance at D8:5D:4C:86:80:60;
This is an ADSL router/modem that is logged on and active on row 18.
But on row 10 it appears again, now with the IP address of the computer behind that ADSL router/modem (its built-in DHCP server gives out addresses from 192.168.1.100 to 192.168.1.199).
How does this address get to the hotspot..?
The 192.168.x.x ips are either a static ip assignment or a dhcp lease that has not reached 50% expiration on that interface in the client computer. The hotspot will deal with that translation for you. If you have “addresses-per-mac=2”, then all is ok. The second assignment is the new lease, maybe due to selecting “repair connection” in a Windows client machine.
Thanks SurferTim, but I don’t think you get the point..;
The 192.168.x.x addresses shouldn’t be visible to the hotspot at all..?!
They should be secretly hidden behind the users’ NAT modem/router..
If that is the case, then it appears the user’s modem/router is not doing a very good job of masquerading. Bear in mind, if the user’s modem/router is using your dhcp server to get ip addresses for clients on that modem/router, they may all show the modem/router mac address.
Do you have a dhcp server on the modem/router for the 192.168.x.x subnet?
There is also one other drawback. If you are counting on requiring every client computer on the modem/router to login, the answer is normally “no”. Only one client logs in, every client computer connected to that modem/router is logged in too. If you could be a little more specific about your security requirements, that would help.
Sorry, I should have been clearer on that point. Thanks for bearing with me!
Yes, the modem/routers have their own built-in DHCP servers, which hand out addresses in the 192.168.x.x scope.
On the RB1100 that runs the hotspot, there is a central DHCP server that hands out the addresses in the 10.1.x.x scope.
The idea is that the modem/routers get an address in the 10.1.x.x network, and that this is the only address visible to the hotspot.
The 192.168.x.x addresses should only be used locally behind every modem/router, as they also are the same for every user (192.168.1.100 will be the first device behind every modem/router).
It should be enough that one device behind a modem/router logs in to the hotspot to ‘open up’ the modem/router’s external ip-address and MAC, so that all devices behind the modem/router can access the Internet. Some of them, such as VoIP phones, might not even have a browser to do this themselves.
I don’t suggest the RB1100 is doing anything wrong. I’m just confused that private addresses in the 192.168.x.x scope are visible to the hotspot server.
I agree that it seems like the problem is that the modem/router isn’t doing a perfect job..
It looks like there is no traffic logged on the rows marked with ‘D’, so all traffic is probably NAT’ed the way it should be via the modem/routers (the rows marked ‘AH’).
Maybe it is just some kind of ARP broadcast that the modem/routers are ‘leaking’ out on the wrong interface, which is intercepted by the RB1100 hotspot and triggers it to register the MAC address and provide a DHCP address for it (thinking out loud).
Same question to you:
Is there a masquerade setting in the modem/router? You have not mentioned the make/model of the device.
What ips are you expecting? If you masquerade the localnet, the hotspot probably won’t work like you expect. When one client logs in, the rest of the client computers are automatically logged in under that username.
It looks to me (with my limited knowledge), as SurferTim said, that the customers’ routers are not NATting properly, or they are set up not to do so. If you torch the interface I bet you will see packets coming from that IP. Why not just drop every packet with a source different from your DHCP pool? That would take care of the registrations.
Has anyone found a solution to this problem? We have tried a couple of firewall rules to block IPs that are supposed to be behind the NAT on the client side, with no success: either we are not blocking, or the whole Internet for the customer goes down.
Here is what we are using:
AP------
HOTSPOT on bridge interface (bridging 2 sectors on the same board)
DHCP-SERVER
gw: 10.63.0.1/23
pool: 10.63.0.2-10.63.1.254
masquerading on
CPE------
DHCP Client on wlan1 (to receive an ip from 10.63.x.x range)
192.168.x.x on ether 1
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=wlan1
The problem is, as you can see from the image, Hotspot is somehow picking up IP addresses (with the same MAC as wlan1 of the CPE) that are supposed to be ‘BEHIND THE NAT’ on the CPE device.
You can’t drop that traffic on the Hotspot router; Hotspots grab traffic very early on so that they can do the Universal NAT feature before the rest of the router facilities deal with traffic. If you don’t want to see those kinds of packets, either drop them on the CPE, or only allow CPEs that NAT properly. If it’s a MikroTik CPE, try dropping invalid packets in the forward chain of the firewall filter. The only packets that wouldn’t be subject to NAT on RouterOS are packets that are neither establishing a connection nor part of an existing connection:
I have this exact problem. I have recently started using the hotspot feature to add authentication and accounting on my network. I use a RADIUS server to handle all the authentication and it’s done by MAC.
100% of my CPEs are NAT’ed. I use Ubiquiti and MikroTik CPEs. The Ubiquitis are set as routers and the MikroTiks are a simple masquerade of their internal IPs. The MikroTiks “bleed” the internal IPs out almost instantly, while the Ubiquitis take some time before the hotspot discovers their internal IPs.
Now I could just change the users per MAC to 2, but it messes up the accounting. When the other IP shows up it authenticates it as well and then causes the hotspot to send a stop acc packet to the RADIUS.
Now, is this some sort of security to prevent people in a hotspot environment from authenticating and then placing a simple NAT behind it to share their account with others? If so, I would like a way to disable it, as in my network it is completely unnecessary.
fewi, I will try that dropping on the MikroTik CPEs, but I have doubts it will work, as even if it’s invalid the interfaces are separate and shouldn’t forward it regardless. However, I will try and let you know.
If using a bridge on your hotspot router, you can create an access list type environment where you accept packets with a source IP that you recognize as a good source IP for the CPEs, and then drop everything else. If you are using DHCP you want a rule to allow that as well.
I do this to prevent mobile phones from mucking up my hotspots as they tend to send out a few packets over the wifi connection with the public IP the phone has on the 3G/4G radio side.
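The allow-list described above, modelled in Python as an added example (not krakenant's rules, and not RouterOS configuration): an ordered rule list for packets arriving from the CPE side of the hotspot bridge that accepts DHCP first, then any source inside the CPE pool, and drops everything else. The pool is the 10.63.0.0/23 scope from the AP config earlier in the thread; the sample packets are constructed. The point worth seeing in code is the rule order: a DHCP DISCOVER is sent from 0.0.0.0, which is in no pool, so a source-only allow-list without the DHCP rule would stop every CPE from getting a lease.

```python
import ipaddress
from dataclasses import dataclass

# Prefix the CPEs hold on their WAN side (the 10.63.0.0/23 scope posted
# above); assumption: all legitimate CPE sources fall inside it.
CPE_POOL = ipaddress.ip_network("10.63.0.0/23")
DHCP_SERVER_PORTS = {67, 68}


@dataclass(frozen=True)
class Packet:
    src: str            # source IP as seen on the hotspot bridge
    proto: str = "tcp"  # "tcp", "udp" or "icmp"
    dst_port: int = 0


def bridge_filter(pkt: Packet, pool=CPE_POOL) -> str:
    """Ordered allow-list: DHCP, then known CPE sources, then drop."""
    # Rule 1: DHCP before the source check. A client's DISCOVER/REQUEST is
    # sent from 0.0.0.0, which no pool contains, so it must be accepted here.
    if pkt.proto == "udp" and pkt.dst_port in DHCP_SERVER_PORTS:
        return "accept"
    # Rule 2: sources the hotspot is supposed to see, i.e. CPE WAN addresses.
    if ipaddress.ip_address(pkt.src) in pool:
        return "accept"
    # Rule 3: everything else: RFC 1918 addresses bleeding through a CPE's
    # NAT, a phone's carrier-side public address, or any other stray source.
    return "drop"


def evaluate(packets, pool=CPE_POOL):
    """Verdict per packet, in order, for a quick table of what gets through."""
    return [(p.src, bridge_filter(p, pool)) for p in packets]


# Constructed sample traffic, not captured from a real network.
SAMPLE = [
    Packet("0.0.0.0", "udp", 67),        # DHCP DISCOVER from a booting CPE
    Packet("10.63.0.50", "tcp", 80),     # legitimate CPE WAN address
    Packet("192.168.1.100", "tcp", 80),  # LAN address leaking from behind a CPE
    Packet("203.0.113.7", "udp", 53),    # phone's public IP (documentation range)
]

if __name__ == "__main__":
    for src, verdict in evaluate(SAMPLE):
        print(f"{src:<16} {verdict}")
```

Translate the three rules into your bridge or IP firewall in that order; reversing rules 1 and 2 changes nothing, but putting the drop first, or omitting the DHCP rule, takes the CPEs offline.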
Well, I set the clients to block invalid connections and it did not help the bleeding.
I did notice something odd… for some reason the hotspot claims the information is going to the dynamic address. This makes it look far less like a “bleed” and more like a system to prevent NATing behind your hotspot. This customer had to re-log on with http-chap when I booted the dynamic address. Thus the hotspot is ignoring the NAT and pulling addresses behind it.
So there is still a big why? And the more important: how can we stop it?
krakenant, I will try your bridge rules, as I have the hotspot on its individual bridge.