I’ve got an issue with the firewall leaking private IP addresses to the Internet. Quite regularly I’m seeing packets leave the public interface without the source address being translated. The packets that typically make it through w/o NAT are RST or FIN packets, although not always. Two questions. First, is there any way to create a firewall rule that will match the src address after it's been through the src-nat chain?
Second, what could be causing the source address to not be translated?
The firewall rules are quite simple:
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=public
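As an added example (not part of the original post and not the poster's configuration), the filter rules below show the usual mitigation for this symptom on RouterOS: the masquerade rule only rewrites packets that belong to a tracked connection, so a late RST or FIN whose connection-tracking entry has already expired is classified as invalid, skips srcnat and leaves with its private source address. Because the filter forward chain runs before srcnat, a filter rule cannot see the post-NAT address; instead the rules match on connection state. The interface name `public` comes from the post; the log prefix and the decision to log before dropping are my assumptions.

```routeros
/ip firewall filter
# Added example, not the original post's configuration.
# conntrack marks a packet "invalid" when it matches no tracked connection
# (e.g. a late RST/FIN after the entry timed out). Such packets are never
# matched by the srcnat masquerade rule, so they leave untranslated.
# Log them first on the public interface to confirm what is leaking ...
add chain=forward connection-state=invalid out-interface=public action=log log-prefix="invalid-egress"
# ... then drop invalid packets in both forward and output so nothing
# with a private source address reaches the public interface.
add chain=forward connection-state=invalid action=drop
add chain=output connection-state=invalid action=drop
```

Place these rules above any accept rules in the forward and output chains; rule order matters, and the log entries (prefixed `invalid-egress` in `/log`) show whether the leaked packets are indeed the out-of-state RST/FIN packets described above.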