Masquerade problem private ip to public

Fabbbio · February 1, 2010, 9:40pm

I have this configuration 1 433ah ros4.5 with Hotspot enable and dhcp enable (172.20.1.1/24) on a eth1 interface - 1 other AP in bridge mode connected to eth interface.
1 client mikrotik cpe ros4.5 connect to AP - dhcp-client enable on wlan1(cpe) interface with ip from main dhcp-server 172…
internal ip 192.168.0.1/24 on eth of cpe and nat masquerade (out iface wlan1) in the cpe firewall
the problem is in the hosts of Hostspot sometimes I see private ip of cpe like 192.168.0.100(laptop pc) in hosts. With mac address of cpe I see the right client ip 172..and 192.168.1.100.

Thanks

ciphercore · February 3, 2010, 1:54pm

I think a diagram may make it easier for someone to help you.

Fabbbio · February 3, 2010, 11:01pm

I try to explain my setup, but I ask to a friend with direct mikrotik hotspot/AP and the same problem.

RB433AH(with HotSpot config)----ETH-BRIDGE----AP(COMPEX)=-=-=-=-WIFI=-=-=-=-CLIENT-CPE---------PRIVATE-LAT-ETH
ENABLE DHCP 172.20.1.1/24 172.20.1.2 172.20.1.100 MASQ 192.168.1.1/24
ON ETH WLAN ETH

Fabbbio · February 6, 2010, 12:27am

I try to check again the masquerade rule but the same result

butche · February 7, 2010, 4:52am

In you second description:

RB433AH(with HotSpot config)----ETH-BRIDGE----AP(COMPEX)=-=-=-=-WIFI=-=-=-=-CLIENT-CPE---------PRIVATE-LAT-ETH
ENABLE DHCP 172.20.1.1/24 172.20.1.2 172.20.1.100 MASQ 192.168.1.1/24
ON ETH WLAN ETH

You are showing that you are masquerading the 192.168.1.1/24 IP. That isn’t a valid entry for a firewall rule (it would be 192.168.1.0/24 for network address). Please post the output of “/ip firewall nat print”.

Fabbbio · February 8, 2010, 9:46pm

Yes, but I write wrong. the nat rule is:

0 chain=srcnat action=masquerade src-address=192.168.1.0/24
out-interface=wlan1

where ethernet1 address 192.168.1.1/24 with dhcp from 192.168.1.100 to 192.168.1.200
and wlan1 in dhcp-client 172.20.3.130/24 with gateway 172.20.3.1 the 433ah with hotspot

butche · February 8, 2010, 10:28pm

Your rule looks right. If what you have is:

hotspot ↔ CPE/NAT to 192.168.1.0/24

(bridged interfaces between hotspot and CPE are not relevant)

If you have that setup AND you are seeing the 192.168.1.0/24 addresses on the hotspot AND you have the rule you posted on the CPE, then there is a problem with the CPE mikrotik. I’d suggest sending a supout to support@mikrotik.com, as it sounds a little like there are packets that SHOULD match the srcnat rule that are being missed.

Fabbbio · February 8, 2010, 10:53pm

Yes my setup is like you write. Ok, but I think is some configuration problem because I see this problem for different CPE.
I see the private ip under HOSTS of AP HOTSPOT and now I do this:

/ip hotspot ip-binding
add address=172.20.0.0/16 comment=“” disabled=no server=hotspot1
add address=0.0.0.0/0 comment=“” disabled=no server=hotspot1 type=blocked

In this way I don’t see the wrong IP under HOSTS but I don’t know if is only a workaround or this setting is important to do.

butche · February 9, 2010, 12:38am

The second statement (with address=0.0.0.0/0) should NOT be needed, other than it will block any IP space that is not part of the first statement from getting out on the hotspot. Really, neither one is necessary.

namery · April 7, 2015, 10:03am

thanks Buth. at least i can fix this problems. thank to you, because mikrotik´s engineer had never answer my questions.