dclemens
just joined
Topic Author
Posts: 11
Joined: Fri Sep 17, 2010 4:55 am

How to block any unauthorised clients from using our hotspot

Mon Apr 11, 2011 6:39 am

Hi there

Just noticed that it is possible for unauthorised clients to connect to our hotspot and use it for POP/SMTP, e.g. Outlook Express. However, they are not able to browse the Internet, as the logon page asks for a username/password which they don't have.

But how do I prevent this 'non-browser' access from happening at all? As a quick-shot I added some entries to the Firewall (chain=forward action=drop protocol=tcp dst-port=25) in order to block some essential ports, but I wonder if there is any other better method.

Any help is highly appreciated!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to block any unauthorised clients from using our hot

Mon Apr 11, 2011 3:58 pm

That should not be possible. Post the output of "/ip firewall export" and "/ip hotspot export".
 
dclemens
just joined
Topic Author
Posts: 11
Joined: Fri Sep 17, 2010 4:55 am

Re: How to block any unauthorised clients from using our hot

Mon Apr 11, 2011 11:38 pm

Hi fewi, thanks for your reply! Below is the requested output:


/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=465 protocol=\
tcp
add action=drop chain=forward comment="" disabled=no dst-port=110 protocol=\
tcp
add action=drop chain=forward comment="" disabled=no dst-port=995 protocol=\
tcp
add action=drop chain=forward comment="" disabled=no dst-port=993 protocol=\
tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.10.0.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no


/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name=login.nacwifi hotspot-address=10.10.0.1 html-directory=hotspot \
http-proxy=0.0.0.0:0 login-by=http-chap name=hsprof1 nas-port-type=\
wireless-802.11 radius-accounting=yes radius-default-domain="" \
radius-interim-update=received radius-location-id="" \
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 disabled=no idle-timeout=5m \
interface=wireless keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=\
1 status-autorefresh=1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21


Cheers
Danny
 
derr12
Member
Posts: 411
Joined: Fri May 01, 2009 11:32 pm

Re: How to block any unauthorised clients from using our hot

Wed Apr 13, 2011 3:46 am

I came across this and had a peek at one of my hotspots; it may be a similar issue to this one. The port 25 dynamic jumps in the NAT rules are showing as invalid in some of my units, while others are showing fine.
 
dclemens
just joined
Topic Author
Posts: 11
Joined: Fri Sep 17, 2010 4:55 am

Re: How to block any unauthorised clients from using our hot

Wed Apr 13, 2011 4:41 am

Hi fewi, below are the requested outputs:


/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=\
10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=465 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=110 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=995 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=993 protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=\
10.10.0.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no


/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d \
http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=no
add dns-name=login.nacwifi hotspot-address=10.10.0.1 html-directory=hotspot http-proxy=0.0.0.0:0 \
login-by=http-chap name=hsprof1 nas-port-type=wireless-802.11 radius-accounting=yes \
radius-default-domain="" radius-interim-update=received radius-location-id="" \
radius-location-name="" radius-mac-format=XX:XX:XX:XX:XX:XX rate-limit="" smtp-server=0.0.0.0 \
split-user-domain=no use-radius=yes
/ip hotspot
add address-pool=hs-pool-2 addresses-per-mac=1 disabled=no idle-timeout=5m interface=wireless \
keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=\
1m transparent-proxy=no
/ip hotspot service-port
set ftp disabled=no ports=21


Cheers :-)
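An added example, not code from this thread or from MikroTik: a small Python parser for the RouterOS export format Danny posted above (backslash line continuations, `add`/`set` commands with `key=value` tokens, quoted values), plus an audit that lists forward-chain drop rules carrying no source-scoping matcher. Run against the filter section of the export it reports all five mail-port drops as unscoped, which is what the export shows: each rule matches on `chain=forward` and `dst-port` only, so it applies to every forwarded packet whether or not the client has logged in to the hotspot. The embedded sample is constructed from the post's filter and NAT sections; the list of matchers treated as "scoping" is my choice and can be extended.

```python
"""Parse a RouterOS '/export' dump and audit forward-chain drop rules."""
import shlex
from typing import Dict, List

# Constructed sample: the /ip firewall filter and nat sections from the export
# posted in this thread, including one backslash-continued line.
SAMPLE_EXPORT = """\
/ip firewall filter
add action=drop chain=forward comment="" disabled=no dst-port=25 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=465 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=110 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=995 protocol=tcp
add action=drop chain=forward comment="" disabled=no dst-port=993 protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=\\
10.10.0.0/24
"""

# Matchers that narrow a rule to a particular client population. A forward-chain
# drop rule with none of these applies to every forwarded packet, hotspot-
# authenticated users included. (Selection is the example author's choice.)
SCOPING_KEYS = (
    "src-address", "src-address-list", "in-interface", "in-interface-list",
    "src-mac-address", "hotspot", "connection-mark", "packet-mark",
)


def join_continuations(text: str) -> List[str]:
    """Re-join export lines that end in a backslash.

    RouterOS drops the leading whitespace of the continued line, so
    'src-address=\\' followed by '10.10.0.0/24' becomes one token again.
    """
    lines: List[str] = []
    buf = ""
    for raw in text.splitlines():
        line = raw.lstrip() if buf else raw
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip():
            lines.append(buf)
        buf = ""
    if buf.strip():
        lines.append(buf)
    return lines


def parse_export(text: str) -> List[Dict[str, str]]:
    """Return one dict per 'add'/'set' command, tagged with its section path."""
    section = ""
    rules: List[Dict[str, str]] = []
    for line in join_continuations(text):
        if line.startswith("/"):
            section = line.strip()          # e.g. '/ip firewall filter'
            continue
        tokens = shlex.split(line)          # handles comment="a b c"
        if not tokens or tokens[0] not in ("add", "set"):
            continue
        rule = {"_section": section, "_cmd": tokens[0]}
        for tok in tokens[1:]:
            key, sep, value = tok.partition("=")
            rule[key] = value if sep else ""  # bare word, e.g. 'set default ...'
        rules.append(rule)
    return rules


def unscoped_forward_drops(rules: List[Dict[str, str]]) -> List[str]:
    """dst-ports of enabled forward-chain drop rules that carry no client scoping."""
    found: List[str] = []
    for r in rules:
        if r["_section"] != "/ip firewall filter":
            continue
        if r.get("chain") != "forward" or r.get("action") != "drop":
            continue
        if r.get("disabled") == "yes":
            continue
        if any(k in r for k in SCOPING_KEYS):
            continue
        found.append(r.get("dst-port", "any"))
    return found


if __name__ == "__main__":
    parsed = parse_export(SAMPLE_EXPORT)
    for port in unscoped_forward_drops(parsed):
        print(f"forward drop on dst-port {port} has no source scoping; "
              f"it also hits logged-in hotspot clients")
```

To audit a live router, paste the output of `/ip firewall filter export` (as fewi asked for in this thread) in place of the constructed sample; the parser only relies on the export syntax, not on the specific rules.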
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: How to block any unauthorised clients from using our hot

Wed Apr 13, 2011 6:35 am

That rule is used for SMTP proxies. When none are configured on the Hotspot the jump target doesn't exist and the rule is invalid. Doesn't have anything to do with actually accessing your mail via POP3.
