namo
November 11, 2009, 6:10am
1
I want to block the ADSL modem page, so I use the command
/ip firewall filter add chain=forward action=drop src-address-list=!192.168.1.254/32 dst-address=192.168.0.10/32
But I can still view the modem page from other IPs.
Note:
My modem LAN IP 192.168.0.10 subnet 255.255.255.0
My Mikrotik router WAN IP is 192.168.0.70/24
Mikrotik router LAN 192.168.1.1/24
namo
November 11, 2009, 7:48am
2
This method worked for website IPs, but it doesn’t seem to block the modem page for other Hotspot users.
bens
November 11, 2009, 8:44am
3
Hi there,
try
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=drop
This will block all traffic from your LAN network going to the WAN network, including the modem.
Make sure this rule is at the top of the list, before any allow rules.
Another thing to check that has caused me issues is the masquerading rule.
I find it works best as
/ip firewall nat add chain=srcnat out-interface="your wan interface here" action=masquerade
namo
September 3, 2010, 5:56am
4
bens:
Hi there,
try
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=drop
This will block all traffic from your LAN network going to the WAN network, including the modem.
Make sure this rule is at the top of the list, before any allow rules.
Another thing to check that has caused me issues is the masquerading rule.
I find it works best as
/ip firewall nat add chain=srcnat out-interface="your wan interface here" action=masquerade
It didn’t work. Besides, I want the IP 192.168.1.254 to be able to access the modem page, but not other IPs.
fewi
September 3, 2010, 11:59am
5
Post the output of “/ip firewall nat export” and “/ip address print”.
namo
September 4, 2010, 12:27am
6
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=\
no src-address=192.168.1.0/24
add action=masquerade chain=src-nat comment="" disabled=yes out-interface=outside1
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.1.1/24 192.168.1.0 192.168.2.255 hotspot
1 192.168.0.50/24 192.168.0.0 192.168.0.255 outside1
2 192.168.5.1/32 192.168.5.1 192.168.5.1 hotspot
I see that there is an error in the hotspot broadcast, but the internet is working, and when I change it to 192.168.1.255 the internet stops working.
The third line is a fake gateway to prevent NetCut.
Edit: I changed the broadcast to 192.168.1.255 and then rebooted, and the internet works. Still the modem-blocking problem?
fewi
September 4, 2010, 1:21am
7
/ip firewall filter add chain=forward action=drop src-address=!192.168.1.254 dst-address=192.168.0.10
namo
September 4, 2010, 1:37am
8
What is the difference from this:
/ip firewall filter add chain=forward action=drop src-address-list=!192.168.1.254/32 dst-address=192.168.0.10/32
fewi
September 4, 2010, 1:38am
9
Read it.
src-address-list vs src-address. You were referencing an address list that didn’t exist.
Also, /32 masks are unnecessary.
namo
September 4, 2010, 1:48am
10
fewi:
Read it.
src-address-list vs src-address. You were referencing an address list that didn’t exist.
Also, /32 masks are unnecessary.
The modem page still works with all IPs.
fewi
September 4, 2010, 1:51am
11
Post the output of “/ip firewall filter export”
namo
September 4, 2010, 2:41am
12
add action=drop chain=forward comment="" disabled=no dst-address=\
192.168.0.10 src-address=!192.168.1.254
add action=drop chain=input comment="" disabled=no dst-port=\
21,22,23,80,443,8291,8728 protocol=tcp src-address=!192.168.1.254
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=reject chain=forward comment="Reject if in the 24-hour-list" \
disabled=yes reject-with=icmp-network-unreachable src-address-list=\
24-hour-list
add action=jump chain=forward comment="Check if dest is an open customer" \
disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no \
jump-target=bad-hosts
add action=reject chain=forward comment="Reject if in the 24-hour-list" \
disabled=no reject-with=icmp-network-unreachable src-address-list=\
24-hour-list
add action=return chain=bad-host-detection comment="Take no action on bogons" \
disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-seond-list \
address-list-timeout=30s chain=bad-host-detection comment=\
"Add to the 30 second list" disabled=no dst-address=192.168.1.0/24 \
dst-port=137 protocol=udp src-address=192.168.1.0/24 src-port=137
add action=return chain=bad-host-detection comment="" disabled=no
add action=jump chain=forward comment="jump to the bad-host-detection chain" \
disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=jump chain=forward comment="jump to the bad-host-detection chain" \
disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=yes \
log-prefix=""
add action=reject chain=forward comment="" disabled=yes reject-with=\
icmp-network-unreachable
add action=accept chain=forward comment="" disabled=yes dst-port=1863 \
protocol=tcp
add action=accept chain=forward comment="" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=output comment="" disabled=no protocol=udp src-port=\
5678
add action=add-src-to-address-list address-list=src-conficker \
address-list-timeout=3d chain=forward comment=\
"ADD to address-list src-conficker" disabled=no dst-address-list=\
conficker
fewi
September 4, 2010, 2:55am
13
With that rule at the top of the forward chain I don’t see how ANY client can access 192.168.0.10. You’re NAT’d out the outside interface to 192.168.0.50 so not even 192.168.1.254 should be able to get to the modem.
I don’t know what I’m missing but I grudgingly give up.
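As an added example, not posted by anyone in this thread, here is the rule set I would apply for the goal stated in the first post, using the addresses shown in the exports above (modem 192.168.0.10, router WAN 192.168.0.50 on outside1, hotspot LAN 192.168.1.0/24, admin host 192.168.1.254). Two points worth knowing: the forward chain matches on the client's pre-NAT source address, so the 192.168.1.254 exception is evaluated before masquerade rewrites it to 192.168.0.50; and the hotspot transparent-proxy step below is my assumption about why a correct forward rule could still be bypassed (HTTP from hotspot users being handled by the router's own proxy), not something the thread confirms.

```routeros
# Added example; not from the original thread. Addresses assumed from the exports above.

# 1. The drop rule, placed before every other forward rule (place-before=0).
#    src-address here is the client's pre-NAT address, so the admin-host
#    exception works even though masquerade later rewrites it to 192.168.0.50.
/ip firewall filter add chain=forward action=drop \
    src-address=!192.168.1.254 dst-address=192.168.0.10 \
    comment="modem page: admin host only" place-before=0

# 1b. Equivalent form with an address list, which is what src-address-list
#     expects: the list must exist before a rule can reference it. Use this
#     instead of rule 1 if more than one admin host is needed.
/ip firewall address-list add list=modem-admins address=192.168.1.254
/ip firewall filter add chain=forward action=drop \
    src-address-list=!modem-admins dst-address=192.168.0.10 \
    comment="modem page: modem-admins only" place-before=0

# 2. Hotspot caveat (assumption about this setup): hotspot user profiles with
#    transparent-proxy=yes have their HTTP redirected to the router's built-in
#    proxy by a dynamic dstnat rule. The request to the modem is then made by
#    the router itself and never traverses the forward chain. Turn it off so
#    client traffic to the modem is forwarded, and therefore filtered.
/ip hotspot user profile set [find] transparent-proxy=no

# 3. Verification: reset counters, open the modem page from a non-admin client,
#    and confirm the drop rule's packet counter increases and no established
#    connection to the modem appears for that client.
/ip firewall filter reset-counters-all
/ip firewall filter print stats where comment~"modem page"
/ip firewall connection print where dst-address~"192.168.0.10"
```

If the counter stays at zero while the page still loads, the traffic is not passing through the forward chain at all, which is the symptom the transparent-proxy check in step 2 is there to catch.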
namo
September 4, 2010, 5:30am
14
Thank you fewi anyway. There is one thing I didn’t understand in
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.1.1/24 192.168.1.0 192.168.2.255 hotspot
1 192.168.0.50/24 192.168.0.0 192.168.0.255 outside1
2 192.168.5.1/32 192.168.5.1 192.168.5.1 hotspot
How come the broadcast IP in hotspot was 192.168.2.255 and everything was working fine? Is it better now since I changed it to 192.168.1.255? Did I change it before for a purpose that I forgot?!
Did you enter an ip/netmask of 192.168.2.1/24 initially, then edit the ip/netmask or do some other edit on that entry? If you edit the ip/netmask, it does not change the broadcast address.