Block port 25 with hotspot

peterke · August 25, 2012, 4:29pm

Hello,

I’ve bought recentst a assembled RB493G with RouterOs 5.18 preinstalled. It took some time to configure it, but I’ve succeeded

Now I want to block port 25 for the hotspot users. I’ve tried several rules but they are all ignored.

Anyone an idea how to get this working.

peterke · August 27, 2012, 8:02pm

Just found out that the hotspot creates two dynamic nat rules with dst port 25 and jump to chain hs-smtp. These seem to overrule a forward filter i’m using.

If I remove the dynamic rules, it’s working. But afther a reboot the rules are back in place.

Any one a solution for this?

Feklar · August 27, 2012, 8:57pm

The most basic rule is this. If you want to only block it for a specific interface, you can always specify the appropriate in-interface.

/ip firewall filter
add chain=forward action=drop dst-port=25 protocol=tcp

peterke · August 28, 2012, 1:29pm

Feklar:

The most basic rule is this. If you want to only block it for a specific interface, you can always specify the appropriate in-interface.
/ip firewall filter
add chain=forward action=drop dst-port=25 protocol=tcp

I’m trying to blok this port only from my hotspot, when using your rule it’s blocking this port also from my normal lan network.

/ip firewall filter
chain=forward action=drop protocol=tcp src-address=10.5.50.0/24 dst-port=25

Tried to use the above rule, but doesn’t work. Only manual removing the two dynamics rules from the hostspot with port 25 will make this work, but these dynamic rules will be active afther a reboot or even sooner.

Feklar · August 28, 2012, 2:22pm

What dynamic rules are you referring too specifically? The only ones that are generated for SMTP are in NAT, not in the filter section. If you could provide a more complete diagram of your network we would be able to help a lot more.

You can also narrow down the rule by specifying the in-interface to the interface of your hotspot.

peterke · August 28, 2012, 3:12pm

Your last tip has done the job!!!.

/ip firewal filter
add chain=forward action=drop protocol=tcp in-interface=wlan2 dst-port=25 comment="Block port 25 for hotspot users"

The configuration is very straight forward. Created the config with the Quick setup (ap) and created some rules to protect my local network from the internet. Added a VirtualAp (wlan2) on which I’ve created a hotspot (with the setup wizard)
Added rules (filter and NAT) to protect my local network from hotspot users.

And with your help added a filter to block port 25 for hotspot users.

Thanks!!!