manuelm
newbie
Topic Author
Posts: 36
Joined: Sat Feb 15, 2014 10:37 pm

HotSpot DoS

Tue Nov 22, 2016 10:47 pm

Hi Everyone,

Hopefully I can get an answer to this problem.

I'm using the hotspot feature for our open guest Wi-Fi, and at the same time this router is being used for our office network.
Office network 10.119.76.0/24 on port2
Guest network 10.20.23.0/24 on port 3
These two networks are completely separate from each other, and I have firewall rules in place to prevent the guests from accessing the office network.

From time to time some rogue devices will connect to the hotspot with a different IP that doesn't match the guest network, flagged as Dynamic. How is this happening? Are these devices set up with a static IP?

IP > Hotspot > Hosts (screenshot hotspot1.png attached)
The problem begins when one of those guest devices is set with the same IP as one in the office network. The device in the office network will not be able to access the internet, because its IP matches the one in the Hotspot Hosts list.
It doesn't matter if the rogue device connected for just a second, because the idle time will keep it on the list until it expires. In the meantime, the user in the office network will not be able to access the internet.
How can I prevent this from happening?

Thank you!
 
Miracle
Member Candidate
Posts: 106
Joined: Fri Sep 11, 2015 9:04 am

Re: HotSpot DoS

Wed Nov 23, 2016 2:24 am

Change the ARP mode of the hotspot bridge to reply-only.
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: HotSpot DoS

Wed Nov 23, 2016 9:22 am

Also set in dhcp-server "add arp for leases"
 
Murmaider
Member Candidate
Posts: 126
Joined: Fri Oct 30, 2015 10:10 am

Re: HotSpot DoS

Wed Nov 23, 2016 10:29 am

IP => Settings

Switch RP Filter => Strict
 
manuelm
newbie
Topic Author
Posts: 36
Joined: Sat Feb 15, 2014 10:37 pm

Re: HotSpot DoS

Wed Nov 23, 2016 9:57 pm

> IP => Settings
>
> Switch RP Filter => Strict

Could this cause any problems?
The default setting is disabled and I just want to make sure that nothing else will be affected by this.
 
pe1chl
Forum Guru
Posts: 10241
Joined: Mon Jun 08, 2015 12:09 pm

Re: HotSpot DoS

Wed Nov 23, 2016 10:31 pm

You can also be more conservative and allow only packets with source address in the hotspot range on the
input and forward chains from that interface. At least when there are problems they won't affect the office net.
 
Murmaider
Member Candidate
Posts: 126
Joined: Fri Oct 30, 2015 10:10 am

Re: HotSpot DoS

Thu Nov 24, 2016 3:57 am

> IP => Settings
>
> Switch RP Filter => Strict
>
> Could this cause any problems?
> The default setting is disabled and I just want to make sure that nothing else will be affected by this.

Strict mode can cause problems in asynchronous routing (traffic going in one router and coming out of another router) - in that case you would set its mode to "Loose".
This doesn't sound like your situation, so no, strict should not cause any problems. What it will do is check the source IPs coming to the router to make sure that they are actually routable on the network interfaces. It stops spoofed IPs.
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: HotSpot DoS

Thu Nov 24, 2016 3:37 pm

This is caused in part by the 'universal proxy' application of the hotspot.

You can avoid this by doing 2 things:

1. in your hotspot server settings, remove the address-pool entry (it should be none) - this way no unknown IP addresses will be mapped to pool addresses.
2. in the hotspot IP bindings list, create a rule at the bottom of the list for the entirety of your hotspot range as "regular" then a rule below that for 0.0.0.0/0 as "blocked"

This will prevent any incorrect IP addresses from appearing in the hosts list and messing up your routing, but it also means all users must have an IP address in the correct space (via DHCP or statically assigned), whereas the alternative method allows people with locked-down PCs to still connect to the network (because the router will spoof their gateway address etc. so they can still get online).

As a configuration change this would be:
/ip hotspot set [find] address-pool=none
/ip hotspot ip-binding 
add address=10.20.23.0/24 type=regular comment="Allow Known Hotspot Addresses"
add address=0.0.0.0/0 type=blocked comment="Block all unknown/invalid Addresses"
Don't forget if you add any more hotspot bindings to your service, to keep these rules at the bottom of the list.
 
manuelm
newbie
Topic Author
Posts: 36
Joined: Sat Feb 15, 2014 10:37 pm

Re: HotSpot DoS

Fri Nov 25, 2016 6:34 pm

> whereas the alternative method allows people with locked down PC's to still connect to the network (because the router will spoof their gateway address etc so they can still get online)

Could you explain this? Are you saying that if a guest connects with any other IP, the router will automatically add their gateway and the user will be able to get online? Why would this be possible?
 
omega-00
Forum Guru
Posts: 1167
Joined: Sat Jun 06, 2009 4:54 am
Location: Australia
Contact:

Re: HotSpot DoS

Sat Nov 26, 2016 12:30 am

Because sometimes people travelling and using hotspots don't have access to change their IP settings but still want internet access.

Sent from my Pixel using Tapatalk
 
bajodel
Long time Member
Posts: 551
Joined: Sun Nov 24, 2013 8:30 am
Location: Italy

Re: HotSpot DoS

Sun Nov 27, 2016 2:12 pm

> ..cut..
> 1. in your hotspot server settings, remove the address-pool entry (it should be none) - this way no unknown IP addresses will be mapped to pool addresses.
> 2. in the hotspot IP bindings list, create a rule at the bottom of the list for the entirety of your hotspot range as "regular" then a rule below that for 0.0.0.0/0 as "blocked"
> ..cut..

Absolutely agree; I normally also add:

3. ARP set to "reply-only" on the hotspot interface (with "add arp for lease" enabled in the hotspot DHCP server settings) >> Contrary to omega-00, I don't want users with statically assigned IPs 8)
4. (never hurts) allow only the hotspot subnets in the IP firewall filter input/forward chains, as pe1chl suggested before
5. obviously disable "default forwarding" on all APs' wlan interfaces
6. if I have multiple VLAN/ethernet interfaces coming into a hotspot bridge, set the same bridge horizon on them
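The hardening steps suggested across this thread (Miracle and sup5: ARP reply-only plus ARP entries for leases; Murmaider: strict RP filter; pe1chl: only hotspot-range source addresses accepted on input/forward from the guest interface; bajodel: items 3 to 6 above), written out as a RouterOS configuration against the original poster's addressing. This is an added example, not configuration posted by anyone in the thread. It assumes the hotspot runs on a bridge named "hotspot-bridge" containing ether3 and a guest wireless interface named "wlan-guest", that the office LAN is on ether2, and that omega-00's ip-binding rules (address-pool=none, regular/blocked bindings) are already applied and so are not repeated.

```routeros
# Added example, not from any poster in this thread. Assumed interface names:
#   hotspot-bridge = guest bridge (ether3 + wlan-guest), office LAN on ether2.
# Guest range 10.20.23.0/24 and office range 10.119.76.0/24 are from the original post.

# 3. Answer ARP only for addresses the DHCP server has actually leased. A client that
#    configures its own static IP (for instance one colliding with the office range)
#    gets no ARP reply from the router, so it cannot take over that address.
/interface bridge set [find name="hotspot-bridge"] arp=reply-only
/ip dhcp-server set [find interface="hotspot-bridge"] add-arp=yes

# Reverse-path filtering: drop packets whose source address is not routable back out of
# the interface they arrived on. Use rp-filter=loose instead if this router ever sees
# asymmetric routes (traffic in via one router, out via another).
/ip settings set rp-filter=strict

# 4. Only guest-range source addresses are accepted from the hotspot bridge. place-before=0
#    puts each rule at the top of the static filter list, above any existing accept rules;
#    verify with "/ip firewall filter print" afterwards.
/ip firewall filter
add chain=input in-interface="hotspot-bridge" src-address=!10.20.23.0/24 action=drop \
    place-before=0 comment="Drop foreign/spoofed source addresses from guest net (input)"
add chain=forward in-interface="hotspot-bridge" src-address=!10.20.23.0/24 action=drop \
    place-before=0 comment="Drop foreign/spoofed source addresses from guest net (forward)"

# 5. Guest wireless clients must not talk to each other directly through the AP.
/interface wireless set [find name="wlan-guest"] default-forwarding=no

# 6. Same bridge horizon on every hotspot bridge port (split horizon): frames are never
#    forwarded between guest ports, but every port can still reach the router itself.
/interface bridge port set [find bridge="hotspot-bridge"] horizon=1
```

The firewall rules in step 4 only limit what the router accepts or forwards; it is the ARP reply-only setting in step 3 (together with omega-00's ip-binding rules) that keeps a rogue client's address out of the hotspot hosts list in the first place.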
