The issue is that Mautic needs to know the original IP from the visitor.
To confirm you have the same issue, tail your HTTP server logs and check if the real IPs are shown there or not.
There are a few ways to force passing that IP through proxies via heathers, I would suggest that you dig into the proxy protocol. Most services have implemented it (including AWS services) and it seems like the way to go, but there’s not much basic documentation around yet.
You need to implement it in all the layers your tracking data goes through, for example your bastion, LB, http server, etc.
In my case, there was a hidden (to me) proxy in LXC/LXD that I was unaware of.