Greetings to all
We describe the following scenario:
----------------------------
| pc client with dhcp client |
----------------------------
| dynamic ip 10.5.50.254
|
| ip addr 10.5.50.1
----------------------------
| mikrotik rb450 hotspot |
----------------------------
| ip addr 192.168.4.2 (ether1)
|
| ip addr 192.168.4.1
----------------------------------
| pc gateway with nat and sniffer |
----------------------------------
| Dynamic Public IP
|
INTERNET
My router configuration (I reset the configuration first):
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.4.2/24 192.168.4.0 192.168.4.255 ether1
1 ;;; hotspot network
10.5.50.1/24 10.5.50.0 10.5.50.255 ether4
[admin@MikroTik] > ip hotspot print
Flags: X - disabled, I - invalid, S - HTTPS
# NAME INTERFACE ADDRESS-POOL PROFILE IDLE-TIMEOUT
0 S hotspot1 ether4 hs-pool-4 hot.test.cxm 5m
[admin@MikroTik] > ip hotspot profile print
Flags: * - default
0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot
rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap
http-cookie-lifetime=3d split-user-domain=no use-radius=no
1 name="hot.test.cxm" hotspot-address=10.5.50.1 dns-name="hotsptest"
html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0
login-by=https ssl-certificate=cert1 split-user-domain=no use-radius=no
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough
[admin@MikroTik] >
It works fine, BUT...
$ sudo tcpdump -i eth0 -n port 80
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
20:45:07.093820 IP 10.5.50.1.33876 > 72.14.221.19.80: S 1378059382:1378059382(0) win 5840 <mss 1460,sackOK,timestamp 143108 0,nop,wscale 1>
20:45:07.149041 IP 72.14.221.19.80 > 10.5.50.1.33876: S 3778402489:3778402489(0) ack 1378059383 win 5672 <mss 1430,sackOK,timestamp 3466031712 143108,nop,wscale 6>
20:45:07.149511 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 1 win 2920 <nop,nop,timestamp 143113 3466031712>
20:45:07.149814 IP 10.5.50.1.33876 > 72.14.221.19.80: P 1:379(378) ack 1 win 2920 <nop,nop,timestamp 143113 3466031712>
20:45:07.212547 IP 72.14.221.19.80 > 10.5.50.1.33876: . ack 379 win 106 <nop,nop,timestamp 3466031776 143113>
20:45:07.225217 IP 72.14.221.19.80 > 10.5.50.1.33876: P 1:548(547) ack 379 win 106 <nop,nop,timestamp 3466031788 143113>
20:45:07.225615 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 548 win 3467 <nop,nop,timestamp 143121 3466031788>
Notice anything strange?
Although there are no NAT rules set on the router, the source IP address that comes from the router and goes to the Internet is not 10.5.50.254 but 10.5.50.1!
Is it possible to know how to present the true source IP address of the hotspot client at the outbound interface (ether1) of the MikroTik RB450 router?
I insist on this detail because, under current regulations in my country (Italy), a hotspot that masks the true source IP address of the customer makes little sense to use :(
Do you have an example of commands for solving this problem?
Probably something is wrong, but above all I would like to know what commands I have to give on the router.
Thank you in advance!
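
A check for the symptom described in this post, as an added example that is not part of the original post: it parses `tcpdump -n` lines captured upstream of the router and reports whether outbound packets carry the hotspot gateway address or the clients' own addresses. The addresses and the first sample come from the post; the function names and the second sample line are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Values taken from the post: hotspot network on ether4 and the router's own address.
HOTSPOT_NET = ipaddress.ip_network("10.5.50.0/24")
HOTSPOT_GW = ipaddress.ip_address("10.5.50.1")

# Matches "tcpdump -n" IPv4 lines: "<time> IP <src>.<sport> > <dst>.<dport>: ..."
LINE_RE = re.compile(r"^\S+ IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+):")

# Capture lines copied from the post (TCP options trimmed).
POST_CAPTURE = """\
20:45:07.093820 IP 10.5.50.1.33876 > 72.14.221.19.80: S 1378059382:1378059382(0) win 5840
20:45:07.149041 IP 72.14.221.19.80 > 10.5.50.1.33876: S 3778402489:3778402489(0) ack 1378059383 win 5672
20:45:07.149511 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 1 win 2920
20:45:07.149814 IP 10.5.50.1.33876 > 72.14.221.19.80: P 1:379(378) ack 1 win 2920
20:45:07.225615 IP 10.5.50.1.33876 > 72.14.221.19.80: . ack 548 win 3467
""".splitlines()

# Constructed line (not from the post): what an unmasked client packet would look like.
UNMASKED_SAMPLE = ["20:45:09.000000 IP 10.5.50.254.40112 > 72.14.221.19.80: S 1:1(0) win 5840"]

def outbound_sources(lines, net=HOTSPOT_NET):
    """Count outbound packets per hotspot-side source address."""
    counts = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tcpdump banner lines, non-IPv4 traffic
        src = ipaddress.ip_address(m.group(1))
        dst = ipaddress.ip_address(m.group(3))
        if src in net and dst not in net:
            counts[str(src)] += 1
    return counts

def verdict(lines, net=HOTSPOT_NET, gateway=HOTSPOT_GW):
    """'masked' if every outbound packet carries the gateway address,
    'visible' if only client addresses appear, else 'mixed' or 'no-traffic'."""
    counts = outbound_sources(lines, net)
    if not counts:
        return "no-traffic"
    gw_pkts = counts.get(str(gateway), 0)
    if gw_pkts == sum(counts.values()):
        return "masked"
    return "visible" if gw_pkts == 0 else "mixed"

if __name__ == "__main__":
    for name, sample in (("post", POST_CAPTURE), ("constructed", UNMASKED_SAMPLE)):
        print(name, dict(outbound_sources(sample)), verdict(sample))
```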