Referring to this MUM by Janis Megis https://mum.mikrotik.com/presentations/ ... 948376.pdf, page 27 "Local IP leaking to public network".
On page 31, for the solution, it states:
1. Use action=src-nat instead of action=masquerade where it is possible
2. Drop connection-state=invalid packets
3. Drop connection-state=new connection-natstate=!dstnat packets from public interface
4. Creating backup “blackhole” route for each routing-mark

Clarification:
1. For #2, does he mean:
   add action=drop chain=input connection-state=invalid
   OR
   add action=drop chain=forward connection-state=invalid
2. For #3, does he mean:
   add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
3. What does #4 entail?
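
An added example, not part of the original post or the presentation: a small Python audit that reads a RouterOS `/export` fragment and reports how each of the four listed items is covered. The sample export, the addresses and the ISP1/ISP2 marks are constructed, and it assumes v6-style syntax, one rule per line, and that item 4 means a `type=blackhole` route carrying the routing-mark.

```python
import shlex

# Constructed sample of `/export` output (RouterOS v6 syntax); not from the post.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=ISP1 src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=ISP2 src-address=192.168.2.0/24
/ip firewall filter
add action=drop chain=input connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
/ip route
add distance=1 gateway=198.51.100.1 routing-mark=ISP1
add distance=254 routing-mark=ISP1 type=blackhole
add distance=1 gateway=203.0.113.1 routing-mark=ISP2
"""

def parse_export(text):
    """Return a list of (menu, {key: value}) for every `add` line of an export."""
    menu, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line  # menu path such as "/ip firewall filter"
        elif line.startswith("add "):
            pairs = (tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            rules.append((menu, dict(pairs)))
    return rules

def audit(text):
    """Report coverage of the four listed items (booleans, or lists of what was found/missing)."""
    rules = parse_export(text)
    flt = [r for m, r in rules if m == "/ip firewall filter" and r.get("action") == "drop"]
    nat = [r for m, r in rules if m == "/ip firewall nat"]
    marks = {r["new-routing-mark"] for m, r in rules if "new-routing-mark" in r}
    holes = {r.get("routing-mark") for m, r in rules  # assumption: item 4 = type=blackhole
             if m == "/ip route" and r.get("type") == "blackhole"}
    return {
        "1_no_masquerade": not any(r.get("action") == "masquerade" for r in nat),
        "2_invalid_dropped_in": sorted(r["chain"] for r in flt
                                       if r.get("connection-state") == "invalid"),
        "3_new_non_dstnat_dropped": any(
            r.get("connection-state") == "new" and r.get("connection-nat-state") == "!dstnat"
            for r in flt),
        "4_marks_without_blackhole": sorted(marks - holes),
    }
```

On the constructed sample, the audit reports that masquerade is still in use, that invalid packets are dropped only in the input chain, and that ISP2 has no blackhole route.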