Referring to this MUM by Janis Megis https://mum.mikrotik.com/presentations/EU17/presentation_4058_1490948376.pdf, page 27 “Local IP leaking to public network”.
On page 31 for the solution it states:
- Use action=src-nat instead of action=masquerade where it is possible
- Drop connection-state=invalid packets
- Drop connection-state=new connection-nat-state=!dstnat packets from public interface
- Creating backup “blackhole” route for each routing-mark
Clarification:
For #2, does he mean:
add action=drop chain=input connection-state=invalid
OR
add action=drop chain=forward connection-state=invalid
For #3, does he mean:
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
What does #4 entail?
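As an added example (not from the slides or from the post above), here is one way the four mitigations could be written as RouterOS v6 configuration. The interface list name WAN, the public address 203.0.113.10, and the routing-mark to_isp1 are placeholders; the choice of the forward chain for #2 and #3 is an assumption made to match the post's own candidate rule for #3, not something the slides confirm.

```routeros
# Added example, not the presentation's or the poster's own configuration.
# Placeholders: interface list "WAN", public address 203.0.113.10, routing-mark "to_isp1".

/ip firewall nat
# 1. Explicit src-nat to the known public address instead of masquerade,
#    so the translated source never depends on which interface the packet leaves by
add chain=srcnat out-interface-list=WAN action=src-nat to-addresses=203.0.113.10

/ip firewall filter
# 2. Drop packets the connection tracker cannot associate with a known connection
#    (chain=forward assumed here; the post asks whether input or forward was meant)
add chain=forward connection-state=invalid action=drop
# 3. Drop new connections arriving from the public side that were not dst-natted,
#    i.e. traffic that would otherwise be forwarded straight to internal addresses
add chain=forward in-interface-list=WAN connection-state=new connection-nat-state=!dstnat action=drop

/ip route
# 4. Backup blackhole route for the routing-mark: distance=254 keeps it below the real
#    marked default route, so it only takes effect when that route disappears and
#    marked packets are discarded instead of falling through to another path
add dst-address=0.0.0.0/0 type=blackhole routing-mark=to_isp1 distance=254
```

The rules are appended in the order given, so if the filter chain already has accept rules earlier, the two drop rules should be moved above them. On RouterOS v7 the route parameter is routing-table rather than routing-mark, and the firewall matchers are unchanged.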