By design, Rublon for Windows Logon reports every local Windows login with the client IP address specified as Rublon intentionally does not report the actual client IP for local logins as a security measure against spoofing attacks. In a feasible scenario, a party outside your organization might try to bypass MFA by using the client’s local IP address, which belongs to the range of Authorized Networks for which MFA is bypassed. Rublon safeguards you against such malicious attacks.

Reporting client’s IP addresses as only applies to local logins. Rublon correctly reports the IP address of the RDP client machine.

Helpful Links

Rublon 2FA for Windows Logon and RDP - Documentation