
 
flatbat
newbie
Topic Author
Posts: 48
Joined: Tue Apr 06, 2010 11:18 pm

How can Hotspot see private addresses behind customer NAT..?

Sat Jan 22, 2011 5:03 pm

We have a number of Hotspot servers running on different interfaces on a RB1100, which is used to authenticate ADSL users.
All users have their own local ADSL modem with NAT, where they use a local 192.168.1.0 network for their internal devices. The ADSL modems get their external address from our DHCP server in the 10.1.0.0 scope.

The thing that confuses me is that the hotspot server is logging some of the users' private IP addresses as dynamic hosts.
How can the hotspot server see these addresses, when their ADSL modem hides all private addresses behind NAT?
I think these private addresses also count against the 'Maximum Addresses Per MAC' on the hotspot, which then puts a limit on the number of devices the users can have on their local network..?

Does anyone have a clue how this can happen?

Example:
/ip hotspot host print
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed 
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER                             IDLE-TIMEOUT
 0 H  D8:5D:4C:9F:11:1B 10.1.8.10       10.1.8.10       hs-vlan107                         4w3d        
 1 H  94:0C:6D:C3:BC:49 10.1.16.230     10.1.16.230     hs-vlan115                         4w3d        
 2 H  D8:5D:4C:D9:FA:D4 10.1.13.230     10.1.13.230     hs-vlan112                         4w3d        
 3 D  40:A6:D9:19:86:92 192.168.1.102   10.1.13.201     hs-vlan112                         4w3d
 4 D  00:22:68:AB:38:A9 192.168.1.103   10.1.13.205     hs-vlan112                         4w3d        
 5 D  40:A6:D9:19:86:92 192.168.1.100   10.1.13.198     hs-vlan112                         4w3d        
 6 D  78:DD:08:E1:54:67 192.168.1.101   10.1.13.197     hs-vlan112                         4w3d        
 7 D  34:15:9E:F7:E6:11 10.1.13.224     10.1.13.224     hs-vlan112                         4w3d        
 8 D  D8:5D:4C:9F:17:A2 192.168.1.1     10.1.13.192     hs-vlan112                         4w3d        
 9 H  D8:5D:4C:D7:1B:B5 10.1.13.228     10.1.13.228     hs-vlan112                         4w3d        
10 D  D8:5D:4C:86:80:60 192.168.1.100   10.1.8.13       hs-vlan107                         4w3d        
11 D  D8:5D:4C:9F:16:88 192.168.1.1     10.1.14.17      hs-vlan113                         4w3d        
12 D  D8:5D:4C:D9:FA:54 192.168.1.100   10.1.14.14      hs-vlan113                         4w3d        
13 H  D8:5D:4C:D7:1B:DE 10.1.14.10      10.1.14.10      hs-vlan113                         4w3d        
14 HA D8:5D:4C:9F:16:88 10.1.14.15      10.1.14.15      hs-vlan113                        
15 H  D8:5D:4C:C6:45:88 10.1.14.13      10.1.14.13      hs-vlan113                         4w3d        
16 D  D8:5D:4C:C3:45:1B 192.168.1.100   10.1.21.219     hs-vlan120                         4w3d 
17 H  D8:5D:4C:C6:45:9A 10.1.8.15       10.1.8.15       hs-vlan107                         4w3d        
18 HA D8:5D:4C:86:80:60 10.1.8.11       10.1.8.11       hs-vlan107                        
19 HA D8:5D:4C:C3:45:1B 10.1.21.220     10.1.21.220     hs-vlan120
20 HA D8:5D:4C:D9:FA:3F 10.1.8.12       10.1.8.12       hs-vlan107                        
21 HA D8:5D:4C:9F:11:21 10.1.13.190     10.1.13.190     hs-vlan112                        
22 HA D8:5D:4C:C6:49:23 10.1.13.200     10.1.13.200     hs-vlan112                        
23 HA D8:5D:4C:9F:28:E0 10.1.14.11      10.1.14.11      hs-vlan113                        
24 HA D8:5D:4C:9F:17:A2 10.1.13.202     10.1.13.202     hs-vlan112                        
25 H  D8:5D:4C:D9:FA:CA 10.1.21.223     10.1.21.223     hs-vlan120                         4w3d       
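An added analysis of the table above (example code, not part of the original post or of RouterOS): it parses the `/ip hotspot host print` output, flags dynamic rows whose source address lies outside the pool of the hotspot server that logged them, and counts the distinct addresses each MAC has registered, which is what `addresses-per-mac` is compared against. The rows are copied from the posted table (a subset); the one-/24-per-server pool mapping is an assumption, not something the post states.

```python
"""Parse `/ip hotspot host print` output, flag dynamic hosts whose source
address lies outside the pool of the hotspot server that saw them (a
CPE-private address that got past the customer's NAT), and count how many
addresses each MAC has registered (what addresses-per-mac is compared against).
Added example; not code from the thread or from RouterOS."""
import ipaddress
import re
from collections import defaultdict

# Rows copied from the table posted above (subset, whitespace normalised).
HOST_PRINT = """\
Flags: S - static, H - DHCP, D - dynamic, A - authorized, P - bypassed
 #    MAC-ADDRESS       ADDRESS         TO-ADDRESS      SERVER      IDLE-TIMEOUT
 0 H  D8:5D:4C:9F:11:1B 10.1.8.10       10.1.8.10       hs-vlan107  4w3d
 8 D  D8:5D:4C:9F:17:A2 192.168.1.1     10.1.13.192     hs-vlan112  4w3d
10 D  D8:5D:4C:86:80:60 192.168.1.100   10.1.8.13       hs-vlan107  4w3d
11 D  D8:5D:4C:9F:16:88 192.168.1.1     10.1.14.17      hs-vlan113  4w3d
14 HA D8:5D:4C:9F:16:88 10.1.14.15      10.1.14.15      hs-vlan113
18 HA D8:5D:4C:86:80:60 10.1.8.11       10.1.8.11       hs-vlan107
24 HA D8:5D:4C:9F:17:A2 10.1.13.202     10.1.13.202     hs-vlan112
"""

# ASSUMPTION: one /24 per hotspot server; the thread only guesses at this.
POOLS = {
    "hs-vlan107": ipaddress.ip_network("10.1.8.0/24"),
    "hs-vlan112": ipaddress.ip_network("10.1.13.0/24"),
    "hs-vlan113": ipaddress.ip_network("10.1.14.0/24"),
}

ROW_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<flags>[SHDAP]+)\s+"
    r"(?P<mac>(?:[0-9A-F]{2}:){5}[0-9A-F]{2})\s+"
    r"(?P<address>\S+)\s+(?P<to_address>\S+)\s+(?P<server>\S+)"
    r"(?:\s+(?P<idle>\S+))?\s*$"
)


def parse_hosts(text):
    """Return one dict per host row; the legend and header lines are skipped."""
    hosts = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["idx"] = int(row["idx"])
        row["address"] = ipaddress.ip_address(row["address"])
        row["to_address"] = ipaddress.ip_address(row["to_address"])
        # Universal NAT rewrote the source if ADDRESS and TO-ADDRESS differ.
        row["translated"] = row["address"] != row["to_address"]
        hosts.append(row)
    return hosts


def leaked_hosts(hosts, pools):
    """Rows whose source address is not inside the pool of the server that logged it."""
    return [
        h for h in hosts
        if h["server"] in pools and h["address"] not in pools[h["server"]]
    ]


def addresses_per_mac(hosts):
    """MAC -> set of distinct source addresses seen for it."""
    seen = defaultdict(set)
    for h in hosts:
        seen[h["mac"]].add(str(h["address"]))
    return dict(seen)


def over_limit(hosts, limit=1):
    """MACs that would exceed addresses-per-mac=limit on the hotspot."""
    return sorted(m for m, a in addresses_per_mac(hosts).items() if len(a) > limit)


if __name__ == "__main__":
    hosts = parse_hosts(HOST_PRINT)
    for h in leaked_hosts(hosts, POOLS):
        print(f"row {h['idx']:>2} {h['mac']} {h['address']} -> {h['to_address']} ({h['server']})")
    print("over addresses-per-mac=1:", over_limit(hosts))
```

On the posted rows every out-of-pool source is a `D` entry whose TO-ADDRESS has been rewritten into the server's own range, while the `HA` entries are untranslated, so the check separates leaked CPE-LAN sources from the CPE's real WAN lease without needing traffic counters.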
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 5:19 pm

The setting "addresses-per-mac" applies to each hotspot. You have more than a few hotspots. I see
hs-vlan107 (10.1.8.0/24?)
hs-vlan112 (10.1.13.0/24?)
hs-vlan113 (10.1.14.0/24?)
hs-vlan115 (10.1.16.0/24?)
hs-vlan120 (10.1.21.0/24?)
Each is translating the "address" to a "to-address" that appears to be in the correct range for that hotspot.
 
flatbat
newbie
Topic Author
Posts: 48
Joined: Tue Apr 06, 2010 11:18 pm

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 5:41 pm

Yupp, that's right.
But what I don't understand is how the hotspot sees the 192.168.1.0 addresses, as these are behind another NAT router (the ADSL router/modems).

Look for instance at D8:5D:4C:86:80:60;
This is an ADSL router/modem that is logged on and active on row 18.
But on row 10 it appears again. Now with the IP-address of the computer behind that ADSL router/modem (its built-in DHCP-server gives out addresses from 192.168.1.100 to 192.168.1.199).
How does this address get to the hotspot..?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 5:57 pm

The 192.168.x.x ips are either a static ip assignment or a dhcp lease that has not reached 50% expiration on that interface in the client computer. The hotspot will deal with that translation for you. If you have "addresses-per-mac=2", then all is ok. The second assignment is the new lease, maybe due to selecting "repair connection" in a Windows client machine.
 
flatbat
newbie
Topic Author
Posts: 48
Joined: Tue Apr 06, 2010 11:18 pm

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 6:24 pm

Thanks SurferTim, but I don't think you get the point..;
The 192.168.x.x addresses shouldn't be visible to the hotspot at all..?!
They should be secretly hidden behind the users' NAT modem/router..
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 6:36 pm

> Thanks SurferTim, but I don't think you get the point..;
> The 192.168.x.x addresses shouldn't be visible to the hotspot at all..?!
> They should be secretly hidden behind the users' NAT modem/router..
If that is the case, then it appears the user's modem/router is not doing a very good job of masquerading. Bear in mind, if the user's modem/router is using your dhcp server to get ip addresses for clients on that modem/router, they may all show the modem/router mac address.

Do you have a dhcp server on the modem/router for the 192.168.x.x subnet?

There is also one other drawback. If you are counting on requiring every client computer on the modem/router to login, the answer is normally "no". Only one client logs in, every client computer connected to that modem/router is logged in too. If you could be a little more specific about your security requirements, that would help.
 
flatbat
newbie
Topic Author
Posts: 48
Joined: Tue Apr 06, 2010 11:18 pm

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 6:59 pm

Sorry, I should have been clearer on that point.. Thanks for bearing with me!
Yes, the modem/routers have their own built-in DHCP servers, which hand out addresses in the 192.168.x.x scope.
On the RB1100 that runs the hotspot, there is a central DHCP server that hands out the addresses in the 10.1.x.x scope.
The idea is that the modem/routers get an address in the 10.1.x.x network, and that this is the only address visible to the hotspot.
The 192.168.x.x addresses should only be used locally behind every modem/router, as they also are the same for every user (192.168.1.100 will be the first device behind every modem/router).

It should be enough that one device behind a modem/router logs in to the hotspot to 'open up' the modem/router's external ip-address and MAC, so that all devices behind the modem/router can access the Internet. Some of them, such as VoIP phones, might not even have a browser to do this themselves.

I don't suggest the RB1100 is doing anything wrong.. I'm just confused that private addresses in the 192.168.x.x scope are visible to the hotspot server.
I agree that it seems like the problem is that the modem/router isn't doing a perfect job..
It looks like there is no traffic logged on the rows marked with 'D', so all traffic is probably NAT'ed the way it should be via the modem/routers (the rows marked 'AH').
Maybe it is just some kind of ARP broadcast that the modem/routers are 'leaking' out on the wrong interface, which is intercepted by the RB1100 hotspot and triggers it to register the MAC address and provide a DHCP address for it.. (thinking loud..).
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How can Hotspot see private addresses behind customer NA

Sat Jan 22, 2011 7:33 pm

Is there a masquerade setting in the modem/router? You have not mentioned the make/model of the device.
 
Cantabria
just joined
Posts: 24
Joined: Mon Jan 24, 2011 11:22 pm
Location: Spain

Re: How can Hotspot see private addresses behind customer NA

Mon Jan 24, 2011 11:51 pm

I have the same problem ..
Do you know the answer yet?
 
SurferTim
Forum Guru
Posts: 4637
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: How can Hotspot see private addresses behind customer NA

Tue Jan 25, 2011 1:23 pm

Same question to you:
Is there a masquerade setting in the modem/router? You have not mentioned the make/model of the device.

What ips are you expecting? If you masquerade the localnet, the hotspot probably won't work like you expect. When one client logs in, the rest of the client computers are automatically logged in under that username.
 
infidel
Frequent Visitor
Posts: 83
Joined: Wed Oct 07, 2009 5:30 pm

Re: How can Hotspot see private addresses behind customer NA

Tue Jan 25, 2011 6:23 pm

It looks to me (with my limited knowledge), as SurferTim said, that the customers' routers are not NATing properly, or they are set up not to do so. If you torch the interface I bet you will see packets coming from that IP. Why not just drop every packet with a source different from your DHCP pool? That would take care of the registrations.
 
kbasat
just joined
Posts: 4
Joined: Tue Jan 18, 2011 11:51 pm

Re: How can Hotspot see private addresses behind customer NA

Mon Aug 01, 2011 12:11 am

Has anyone found a solution to this problem? we have tried a couple of firewall rules to block IPs that are supposed to be behind the nat on the client side with no success, either we are not blocking, or the whole internet for the customer goes down.

Here is what we are using:

AP------
HOTSPOT on bridge interface (bridging 2 sectors on the same board)
DHCP-SERVER
gw: 10.63.0.1/23
pool: 10.63.0.2-10.63.1.254
masquerading on

CPE------
DHCP Client on wlan1 (to receive an ip from 10.63.x.x range)
192.168.x.x on ether 1
/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=wlan1

------------------------------
[attachment: hotspothosts.GIF]
The problem is, as you can see from the image, Hotspot is somehow picking up IP addresses (with the same MAC of wlan1 of CPE) that are supposed to be 'BEHIND THE NAT' on the cpe device.

Any ideas on a possible solution is appreciated.

Kemal
 
fewi
Forum Guru
Posts: 7734
Joined: Tue Aug 11, 2009 3:19 am

Re: How can Hotspot see private addresses behind customer NA

Mon Aug 01, 2011 5:05 pm

You can't drop that traffic on the Hotspot router; Hotspots grab traffic very early on so that they can do the Universal NAT feature before the rest of the router facilities deal with traffic. If you don't want to see those kinds of packets either drop them on the CPE, or only allow CPEs that NAT properly. If it's a Mikrotik CPE try dropping invalid packets in the forward chain of the firewall filter - the only packets that wouldn't be subject to NAT on RouterOS are packets that are neither establishing a connection nor part of an existing connection:
/ip firewall filter
add chain=forward connection-state=invalid action=drop
Again, that rule has to be put on the CPE, not the Hotspot router.
Specific answers require specific questions. When in doubt, post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
 
NGL
just joined
Posts: 6
Joined: Wed Aug 24, 2011 10:43 pm

Re: How can Hotspot see private addresses behind customer NA

Thu Aug 25, 2011 12:00 am

Hello,

I have this exact problem. I have recently started using the hotspot feature to add authentication and accounting on my network. I use a RADIUS server to handle all the authentication and it's done by MAC.

100% of my CPEs are NAT'ed. I use Ubiquiti and Mikrotik CPEs. The Ubiquitis are set as routers and the Mikrotiks are a simple masquerade of their internal IPs. The Mikrotiks "bleed" the internal IPs out almost instantly, while the Ubiquitis take some time before the hotspot discovers their internal IPs.

Now I could just change the users per MAC to 2, but it messes up the accounting. When the other IP shows up it authenticates it as well and then causes the hotspot to send a stop accounting packet to the RADIUS.

Now, is this some sort of security to prevent people in a hotspot environment from authenticating and then placing a simple NAT behind it to share their account with others? If so I would like a way to disable it, as in my network it is completely unnecessary.

fewi, I will try that dropping on the Mikrotik CPEs, but I have doubts it will work, as even if it's invalid the interfaces are separate and shouldn't forward it regardless. However I will try and let you know.
 
krakenant
Member Candidate
Posts: 136
Joined: Sat Feb 06, 2010 6:32 am

Re: How can Hotspot see private addresses behind customer NA

Thu Aug 25, 2011 12:08 am

If using a bridge on your hotspot router, you can create an access list type environment where you accept packets with a source IP that you recognize as a good source IP for the CPEs, and then drop everything else. If you are using DHCP you want a rule to allow that as well.

I do this to prevent mobile phones from mucking up my hotspots as they tend to send out a few packets over the wifi connection with the public IP the phone has on the 3G/4G radio side.

Here is what I use
/interface bridge filter
add action=accept chain=input disabled=no in-bridge=LAN-BRIDGE ip-protocol=udp mac-protocol=ip src-address=0.0.0.0/32 src-port=67-68
add action=accept chain=input disabled=no in-bridge=LAN-BRIDGE mac-protocol=ip src-address=10.59.0.0/24
add action=drop chain=input disabled=no in-bridge=LAN-BRIDGE mac-protocol=ip

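To make the three bridge-filter rules above easier to reason about, here is an added first-match model of them in Python (example code, not RouterOS and not part of krakenant's post), run over constructed frames. The frame contents, the 10.59.0.0/24 pool and the 203.0.113.5 "phone" address are assumptions for illustration.

```python
"""First-match model of the three bridge-filter rules posted above, run over
constructed frames, to show which traffic reaches the hotspot through the
bridge's input chain. Added example; not RouterOS code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    mac_protocol: str                  # "ip", "arp", ...
    src_ip: Optional[str] = None
    ip_protocol: Optional[str] = None  # "udp", "tcp", ...
    src_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                                 # "accept" or "drop"
    mac_protocol: Optional[str] = None
    ip_protocol: Optional[str] = None
    src_address: Optional[str] = None           # CIDR, e.g. "10.59.0.0/24"
    src_port: Optional[Tuple[int, int]] = None  # inclusive range, e.g. (67, 68)

    def matches(self, f: Frame) -> bool:
        """Every matcher that is set must hold, as on the RouterOS rule line."""
        if self.mac_protocol and f.mac_protocol != self.mac_protocol:
            return False
        if self.ip_protocol and f.ip_protocol != self.ip_protocol:
            return False
        if self.src_address:
            if f.src_ip is None:
                return False
            if ipaddress.ip_address(f.src_ip) not in ipaddress.ip_network(self.src_address):
                return False
        if self.src_port:
            lo, hi = self.src_port
            if f.src_port is None or not lo <= f.src_port <= hi:
                return False
        return True


def rules_for(pool: str):
    """The three posted rules, with the accepted source range as a parameter."""
    return [
        # DHCP clients without a lease yet talk from 0.0.0.0, UDP 67/68.
        Rule("accept", mac_protocol="ip", ip_protocol="udp",
             src_address="0.0.0.0/32", src_port=(67, 68)),
        # Anything sourced from the hotspot's own pool is fine.
        Rule("accept", mac_protocol="ip", src_address=pool),
        # Every other IP frame (CPE-LAN leaks, phone 3G addresses, ...) is dropped.
        Rule("drop", mac_protocol="ip"),
    ]


def evaluate(frame: Frame, rules) -> str:
    """First matching rule decides; RouterOS accepts when nothing matches."""
    for r in rules:
        if r.matches(frame):
            return r.action
    return "accept"


# Constructed frames for illustration (not captures from the thread).
SAMPLE = {
    "dhcp_discover": Frame("D8:5D:4C:86:80:60", "ip", "0.0.0.0", "udp", 68),
    "cpe_wan_traffic": Frame("D8:5D:4C:86:80:60", "ip", "10.59.0.17", "tcp", 51000),
    "leaked_cpe_lan": Frame("D8:5D:4C:86:80:60", "ip", "192.168.1.100", "tcp", 51001),
    "phone_3g_side": Frame("00:22:68:AB:38:A9", "ip", "203.0.113.5", "udp", 5353),
    "arp_request": Frame("D8:5D:4C:86:80:60", "arp"),
}

if __name__ == "__main__":
    rules = rules_for("10.59.0.0/24")
    for name, f in SAMPLE.items():
        print(f"{name:16} {evaluate(f, rules)}")
```

Two points the model makes visible: non-IP frames such as ARP are not touched by any of the three rules and fall through to the implicit accept, and a unicast DHCP renewal from a leased pool address is admitted by the pool rule rather than the DHCP rule, so the order of the first two rules does not matter but the final drop must stay last. The second rule's range has to cover the whole hotspot pool (kbasat's setup, for instance, uses a /23), and the chain is `input` because that is the path frames take from the bridge to the router's own IP stack, where the hotspot sees them; frames merely switched between bridge ports go through the bridge `forward` chain instead.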
 
NGL
just joined
Posts: 6
Joined: Wed Aug 24, 2011 10:43 pm

Re: How can Hotspot see private addresses behind customer NA

Thu Aug 25, 2011 12:59 am

Well, I set the clients to block the invalid connections and it did not help the bleeding.
I did notice something odd... For some reason the hotspot claims the information is going to the dynamic address. This makes it look far less like a "bleed" and more like a system to prevent NATing behind your hotspot. This customer had to re-log on with http-chap when I booted the dynamic address. Thus the hotspot is ignoring the NAT and pulling addresses behind it.

so there is still a big why? and the more important how can we stop it? :P

krakenant, I will try your bridge rules as I have the hotspot on its individual bridge.
 
NGL
just joined
Posts: 6
Joined: Wed Aug 24, 2011 10:43 pm

Re: How can Hotspot see private addresses behind customer NA

Thu Aug 25, 2011 5:59 pm

Well, krakenant's bridge rules worked. It appears that the NAT on all my CPEs lets way too much unneeded information through.

Works great. Thanks.
