delhite2
just joined
Topic Author
Posts: 13
Joined: Fri May 10, 2019 4:45 pm

Firewall to block access to vlan from Hotspot

Tue Feb 06, 2024 10:39 am

I am attaching my network diagram.
There are 2 VLANs on 2 SSIDs running on an AP.
One SSID with VLAN 100 for the hotspot and one SSID with VLAN 200 for CCTV, which does not need internet access.
Obviously the hotspot needs WAN access on ether1.
Current config of the ports is:
ether1 = WAN
ether2, 3, 4 are trunk ports for VLAN 100, 200
ether5 is an access port for VLAN 200.

My question is how to use the rules and the order given in the thread viewtopic.php?f=13&t=143620 under firewall customization.

The hotspot by default has some firewall entries made under "Filter Rules" and "NAT",
so I don't want to mess with the captive portal.
/ip firewall filter
add action=drop chain=input comment="Hotspot bruteforce prevention" protocol=\
    tcp src-address-list=hotspot_blacklist
add action=accept chain=output comment="Hotspot bruteforce prevention" \
    content="Invalid Room Number or Last Name. Contact Reception/Front Desk Fo\
    r Assistance." dst-limit=2/1m,3,dst-address/30m protocol=tcp
add action=add-dst-to-address-list address-list=hotspot_blacklist \
    address-list-timeout=2h chain=output content="Invalid Number \
    Name. Contact Desk For Assistance." log=yes log-prefix=\
    "brute force attack" protocol=tcp
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here"
add action=reject chain=input dst-address=192.168.5.1 dst-port=80 protocol=\
    tcp reject-with=icmp-network-unreachable src-address=\
    192.168.5.2-192.168.5.254
add action=reject chain=input dst-address=10.0.0.1 dst-port=80 protocol=tcp \
    reject-with=icmp-network-unreachable src-address=\
    192.168.5.2-192.168.5.254
add action=reject chain=input dst-address=10.0.0.1 dst-port=80 protocol=tcp \
    reject-with=icmp-network-unreachable src-address=10.0.0.2-10.0.255.254
add action=reject chain=input dst-address=192.168.5.1 dst-port=80 protocol=\
    tcp reject-with=icmp-network-unreachable src-address=\
    10.0.0.2-10.0.255.254
add action=drop chain=forward comment="block interclient traffic" \
    dst-address=192.168.5.0/24 src-address=192.168.5.0/24
add action=drop chain=forward comment="block interclient traffic" \
    dst-address=10.0.0.0/16 src-address=192.168.5.0/24
add action=drop chain=forward comment="block interclient traffic" \
    dst-address=10.0.0.0/16 src-address=10.0.0.0/16
add action=drop chain=forward comment="block interclient traffic" \
    dst-address=192.168.5.0/24 src-address=10.0.0.0/16

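One way to enforce the separation asked for above (hotspot clients on VLAN 100 must not reach the CCTV VLAN 200, and CCTV gets no WAN), written as an added example; it is not from the original post, the attached diagram, or the referenced thread. It assumes the router's VLAN interfaces are named vlan100 (hotspot) and vlan200 (CCTV), that ether1 is the WAN port, and that the hotspot is bound to vlan100. The rules match on interface lists rather than on IP ranges, so they keep working whatever subnets the hotspot hands out, and they sit at the top of the forward chain, above the hotspot's own dynamic rules, so the captive portal configuration is left untouched.

```routeros
# Added example, not part of the original post.
# Assumed interface names: vlan100 (hotspot), vlan200 (CCTV), ether1 (WAN).
# Check yours with:  /interface vlan print

# Group the interfaces into lists so the filter rules do not depend on IP subnets
/interface list
add name=HOTSPOT comment="hotspot client VLAN"
add name=CCTV comment="CCTV VLAN, no internet"
add name=WAN comment="upstream"

/interface list member
add interface=vlan100 list=HOTSPOT
add interface=vlan200 list=CCTV
add interface=ether1 list=WAN

# Forward chain. place-before=0/1/2 puts the three drops at the very top of the
# filter list, so they are evaluated before any accept rule and before the
# dynamic hotspot rules (which are inserted around the "place hotspot rules here"
# passthrough in chain unused-hs-chain). Nothing in the input chain is touched,
# so the captive portal, its DNS/DHCP redirects and the NAT rules keep working.
/ip firewall filter
add chain=forward action=drop in-interface-list=HOTSPOT out-interface-list=CCTV \
    comment="hotspot clients may not reach CCTV VLAN" place-before=0
add chain=forward action=drop in-interface-list=CCTV out-interface-list=HOTSPOT \
    comment="CCTV may not reach hotspot clients" place-before=1
add chain=forward action=drop in-interface-list=CCTV out-interface-list=WAN \
    comment="CCTV VLAN has no internet access" place-before=2

# Verify: have a hotspot client ping a camera address, then watch the counters
# on the first rule climb while the ping gets no reply.
/ip firewall filter print stats where chain=forward
```

Two checks worth doing after pasting this in. First, `/ip firewall filter print` should show the three drops above the hotspot bruteforce and "block interclient traffic" rules; if anything with `action=accept` in chain forward ends up above them, move it down, because the first matching rule wins. Second, if the router has no IP address on vlan200 at all, there is nothing for it to route into and the forward drops only act as a safety net; the real separation is then the bridge VLAN filtering on the trunk ports, which is the part the referenced thread is about.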
