Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Trying not to let a user group pass to a certain network

Wed Jan 24, 2007 1:58 pm

Hello, I have a small problem: I would like to be able to deny every type of user who wishes to enter access to the 172.0.0.0 range, while they could still access all the other resources.

I have tried to configure the guest profile, but I do not see it very clearly. :shock:

Can somebody help me?

Thanks very much in advance.
Last edited by Solusan on Wed Jan 24, 2007 7:40 pm, edited 1 time in total.
 
janisk
MikroTik Support
MikroTik Support
Posts: 6263
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Wed Jan 24, 2007 3:54 pm

Could you be more specific about what your needs are, what you have already achieved, what needs to be accessed and what has to be denied?
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Wed Jan 24, 2007 5:34 pm

Could you be more specific about what your needs are, what you have already achieved, what needs to be accessed and what has to be denied?

Before anything, very many thanks for answering :).

I'll explain:

In my case, with the hotspot I need to discriminate between corporate users and normal users (invited, or guests); the invited user must have total access to everything except the 172.0.0.0 range, so that they can no longer access corporate resources.

That is to say, the normal user can go to all sites except 172.0.0.0 (or any name that resolves to that same range).

Thanks.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Wed Jan 24, 2007 7:13 pm

I think that I can do that.

I think I can do this by making filter rules in the firewall and putting them in:

IP hotspot profile>

How must the rule be?

Thanks a lot.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 11:51 am

Any idea? It's a little bit urgent... thanks a lot.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 2:25 pm

Well... I put:

[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=no_172 in-interface=LAN src-address=192.168.0.0/16 dst-address=!172.0.0.0/8 protocol=tcp
connection-state=new hotspot=auth action=return

but it doesn't work.

Can anybody help me please?
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jan 25, 2007 3:26 pm

If you want to drop the 172.0.0.0/8 network for all users or for specific users,
use a simple rule,
'ip firewall filter add chain=forward dst-address=172.0.0.0/8 action=drop'.
Specify src-address if you need to block access for specific users.

As well self created chain does accept any traffic unless you have configured jump on main chains input, forward, output.
Forward is router's users default chain.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 4:48 pm

If you want to drop the 172.0.0.0/8 network for all users or for specific users,
use a simple rule,
'ip firewall filter add chain=forward dst-address=172.0.0.0/8 action=drop'.
Specify src-address if you need to block access for specific users.

As well self created chain does accept any traffic unless you have configured jump on main chains input, forward, output.
Forward is router's users default chain.

Well, I'd need to ban only the guest user from hotspot log-in.

Will it work?
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 5:27 pm

I mean:

I have 2 kind of users in the hotspot:

admin (they can browse all)

guest --> this user must not browse 172.0.0.0/8

:)
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jan 25, 2007 5:29 pm

Do you want to block unauthorized users from getting the HotSpot login page displayed?
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 5:43 pm

Do you want to block unauthorized users from getting the HotSpot login page displayed?

No, I just want to block the 172.0.0.0/8 network for those users who are called 'guest' (or logged in as 'guest').

I did try this.... without any positive result :'(

[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=LAN out-interface=WAN-83 dst-address=172.0.0.0/8 hotspot=from-client
action=reject reject-with=icmp-network-unreachable
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Thu Jan 25, 2007 6:10 pm

Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
then set for the 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', which will redirect the current profile's traffic to chain=1.

Add a rule to chain 1 to drop traffic with the specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 6:30 pm

Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
then set for the 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', which will redirect the current profile's traffic to chain=1.

Add a rule to chain 1 to drop traffic with the specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.

Hi :)

I have this:
[admin@MikroTik] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; To deny acces to the router via Telnet (protocol TCP, port 23)
     chain=input protocol=tcp dst-port=23 action=drop 

 1   ;;; Drop Invalid connections
     chain=input connection-state=invalid action=drop 

 2   ;;; Allow Established connections 
     chain=input connection-state=established action=accept 

 3   ;;; Allow UDP
     chain=input protocol=udp action=accept 

 4   ;;; Allow ICMP
     chain=input protocol=icmp action=accept 

 5   ;;; drop invalid connections
     chain=forward protocol=tcp connection-state=invalid action=drop 

 6   ;;; Allow already established connections 
     chain=forward connection-state=established action=accept 

 7   ;;; allow related connections 
     chain=forward connection-state=related action=accept 

 8   ;;; deny BackOriffice 
     chain=udp protocol=udp dst-port=3133 action=drop 

 9   ;;; drop invalid connections 
     chain=icmp protocol=icmp icmp-options=0:0 action=accept 

10   ;;; allow established connections 
     chain=icmp protocol=icmp icmp-options=3:0 action=accept 

11   ;;; allow already established connections 
     chain=icmp protocol=icmp icmp-options=3:1 action=accept 

12   chain=forward action=jump jump-target=hotspot 

13   chain=1 dst-address=172.0.0.0/8 action=drop 
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled, D - dynamic 
 #   SERVER  NAME                                                   ADDRESS         PROFI
 0           admin                                                                  defau
 1           invitado                                                               invi1
Invitado = guest (in Spanish)
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Thu Jan 25, 2007 7:36 pm

Great!!! It works!!!!

I'd need one more functionality:

If 'guest' tries to access 172.0.0.0/8, then he must be returned to an advisory URL that must say 'You don't have permission' or something like this.

Can it be done?

Thanks a lot!
Last edited by Solusan on Fri Jan 26, 2007 10:21 am, edited 1 time in total.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Fri Jan 26, 2007 10:20 am

Can it be done with the NAT menu?

I'm trying....
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Jan 26, 2007 11:09 am

Yes, it can be done by NAT, e.g. to redirect a user with address=1.1.1.1 to a web page with address=2.2.2.2,
'ip firewall nat add chain=dstnat dst-address=1.1.1.1 action=dst-nat to-addresses=2.2.2.2'
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Fri Jan 26, 2007 12:11 pm

Yes, it can be done by NAT, e.g. to redirect a user with address=1.1.1.1 to a web page with address=2.2.2.2,
'ip firewall nat add chain=dstnat dst-address=1.1.1.1 action=dst-nat to-addresses=2.2.2.2'

Then for me it would be:

ip firewall nat add chain=dstnat dst-address=172.0.0.0/8 action=dst-nat to-addresses=192.168.1.1

But..... how could I make that NAT rule work only for the user 'guest'?

Thanks a lot.
 
sergejs
MikroTik Support
MikroTik Support
Posts: 6695
Joined: Thu Mar 31, 2005 3:33 pm
Location: Riga, Latvia

Fri Jan 26, 2007 12:16 pm

Who is the user 'guest'?
1) Clients who do not have a HotSpot login/password; they will get the HotSpot page instead of internet access.
2) A specific client is using the 'guest' login; then you can specify the particular dst-address in the following rule.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Fri Jan 26, 2007 12:34 pm

Who is the user 'guest'?
1) Clients who do not have a HotSpot login/password; they will get the HotSpot page instead of internet access.
2) A specific client is using the 'guest' login; then you can specify the particular dst-address in the following rule.

The user called 'guest' is the one that will not be able to access 172.0.0.0/8 and that, when it tries to access that range, will be redirected to 192.168.1.1.

And... how can I assign that to that user (guest)?

Does the rule you mention do that?

Thanks.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Fri Jan 26, 2007 12:55 pm

I tried this:

 chain=dstnat src-address=178.0.0.0/8 hotspot=to-client action=dst-nat to-addresses=192.168.1.1 to-ports=0-65535 

Is it correct?
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Fri Jan 26, 2007 1:48 pm

I am not having much luck with the tests that I am doing.

Any idea about this?

Very many thanks.
 
Solusan
newbie
Topic Author
Posts: 37
Joined: Wed Jan 24, 2007 1:47 pm

Mon Jan 29, 2007 10:17 am

Well:

I'll try to explain better:

I did this:

Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
then set for the 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', which will redirect the current profile's traffic to chain=1.

Add a rule to chain 1 to drop traffic with the specific dst-address,
'ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop'.

And I applied this rule to the user 'guest'.

I did that so that the user 'guest' couldn't access 172.0.0.0/8, but as you can see I get a drop.
But now I would need the user to be redirected to the hotspot home page or to any error page where the user can be alerted that the range cannot be accessed.
How could I do it?

Many thanks for your help and understanding.
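The configuration the thread converged on, collected in one place as an added example (this is not code from the posts above nor from MikroTik): the forward chain jumps to the hotspot chain, the guest profile sends its traffic through filter chain 1, and chain 1 rejects 172.0.0.0/8. It also answers the last question in the thread, the redirect to a "no permission" page, with a dstnat rule keyed on a per-profile packet mark rather than on the source address, which is what the user's attempted rule (src-address=178.0.0.0/8, hotspot=to-client) got wrong: the match has to be on the destination range and on who the packet belongs to. The profile name invi1 and the landing address 192.168.1.1 come from the thread; the packet-mark name guest-out, the log prefix GUEST-172, and the use of the profile's outgoing-packet-mark property are assumptions made here and should be checked against the RouterOS version in use.

```routeros
# Added example, not from the thread or from MikroTik.
# Assumes: RouterOS HotSpot, a guest user profile named "invi1" (from the thread),
# a landing page reachable at 192.168.1.1 (from the thread).
# Constructed names: packet mark "guest-out", log prefix "GUEST-172".

# 1. Hand forward traffic to the hotspot chain so per-profile filters are consulted.
#    Without this jump, chain 1 below is never reached (a custom chain only sees
#    traffic that is jumped into it).
/ip firewall filter add chain=forward action=jump jump-target=hotspot comment="hotspot per-profile filters"

# 2. Send every packet of the guest profile through filter chain 1, both directions.
/ip hotspot user profile set [find name="invi1"] incoming-filter=1 outgoing-filter=1

# 3. In chain 1: log, then reject guest traffic to 172.0.0.0/8. Everything else
#    falls off the end of the chain and continues normally.
#    reject with an ICMP unreachable fails the client's connection at once instead
#    of letting it hang until timeout (which is what drop does); the log rule gives
#    the operator an audit trail of blocked attempts.
/ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=log log-prefix="GUEST-172"
/ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=reject reject-with=icmp-network-unreachable

# 4. (Assumption) "You don't have permission" page instead of a bare reject for HTTP:
#    mark all packets of the guest profile, then in dstnat rewrite HTTP destined to
#    172.0.0.0/8 to the landing page. dstnat runs before the forward filter, so once
#    rewritten to 192.168.1.1 the flow no longer matches the chain 1 reject; every
#    non-HTTP protocol to 172/8 is still rejected by chain 1.
/ip hotspot user profile set [find name="invi1"] outgoing-packet-mark=guest-out
/ip firewall nat add chain=dstnat packet-mark=guest-out dst-address=172.0.0.0/8 protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.1.1 to-ports=80 comment="guest -> no-permission page"
```

To confirm the rules are actually being hit, log in as the guest user, try an address inside 172.0.0.0/8, and look at the counters with /ip firewall filter print stats and /ip firewall nat print stats, and at the GUEST-172 entries in /log print; an admin-profile user making the same request should leave the chain 1 and dstnat counters unchanged.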
