Hi,
Here is my firewall the section with ip address 10.10.10.0/24 is the public hotspot I only want to allow ports listed and drop everything else which seems to work ok, Only problem is if I add a mac address to the IP Bindings section in the hotspot to bypass the login page they have no internet access because of this rule on the 3 last line in red. Internet access works fine for other users who have logged in.
Can anyone advise please?
ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here”
add chain=input comment=“allow icmp” protocol=icmp
add chain=input comment=“accept vpn gre” protocol=gre
add chain=input comment=“accept vpn” dst-port=1723 protocol=tcp
add chain=input comment=“allow winbox” dst-port=8291 protocol=tcp
add chain=input comment=“allow api” dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login
address-list-timeout=1d chain=input comment=
“list IP’s who try remote login” dst-port=20-23 protocol=tcp
add action=drop chain=input comment=“drop ssh brute forcers” dst-port=22
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist
address-list-timeout=1w3d chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3
address-list-timeout=1h chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2
address-list-timeout=1h chain=input connection-state=new dst-port=22
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1h chain=input connection-state=new dst-port=22
protocol=tcp
add chain=input comment=“allow ssh” disabled=yes dst-port=22 protocol=tcp
add action=drop chain=input comment=“drop ftp” dst-port=21 protocol=tcp
add action=drop chain=forward comment=“drop invalid connections”
connection-state=invalid
add chain=forward comment=“allow already established connections”
connection-state=established
add chain=forward comment=“allow related connections” connection-state=
related
add action=drop chain=input comment=“drop Invalid connections”
connection-state=invalid
add chain=input comment=“allow established connections” connection-state=
established
add chain=input comment=“acccept lan” in-interface=!ether1-gateway
src-address=192.168.5.0/24
add action=drop chain=input comment=“drop everything else”
add chain=forward comment=“Allow HTTP” dst-port=80 protocol=tcp src-address=
10.10.10.0/24
add chain=forward comment=“Allow HTTPS” dst-port=443 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“Allow SMTP” disabled=yes dst-port=25 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“Allow SMTP Secure” disabled=yes dst-port=567
protocol=tcp src-address=10.10.10.0/24
add chain=forward comment=“Allow POP” dst-port=110 protocol=tcp src-address=
10.10.10.0/24
add chain=forward comment=“Allow IMAP” dst-port=143 protocol=tcp src-address=
10.10.10.0/24
add chain=forward comment=“Allow IMAP4-SSL” dst-port=585 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“Allow IMAP4-SSL” dst-port=993 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“Allow POP-SSL” dst-port=995 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“Allow DNS” dst-port=53 protocol=tcp src-address=
10.10.10.0/24
add chain=forward comment=“” dst-port=5251 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=4244 protocol=tcp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=5243 protocol=udp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=7985 protocol=udp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=5222-5223
protocol=tcp src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=3478-3497 protocol=udp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=16384-16387 protocol=udp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=16393-16402 protocol=udp
src-address=10.10.10.0/24
add chain=forward comment=“” dst-port=123 protocol=udp src-address=
10.10.10.0/24
add action=drop chain=forward comment=“drop everything else” disabled=yes
src-address=10.10.10.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
add action=masquerade chain=srcnat comment=“default configuration”
out-interface=ether1-gateway