I need help figuring out how to set up a firewall rule:
my mikrotik hotspot router is behind a LAN/NAT router, which connects to the ISP/WAN.
I want to restrict outgoing traffic originating from the hotspot LAN to only be able to access the LAN/ISP gateway.
IOW, I don’t want any of the hotspot clients to be able to access the next-hop LAN clients, except for the gateway.
see below:
hotspot LAN (192.168.10.0/24) ===> next-hop private LAN (192.168.0.0/24) ===> LAN/WAN gateway - NAT router (192.168.0.1<===>[public IP address])
so, I want to prevent hotspot LAN clients access to any clients on the 192.168.0.0/24 subnet EXCEPT for the gateway IP (192.168.0.1)
example:
client 192.168.10.100 ===> 192.168.0.50 (next-hop subnet LAN client)
→ packet dropped/rejected by mikrotik hotspot router
client 192.168.10.100 ===> 192.168.0.1 (next-hop gateway to WAN)
→ packet accepted/allowed to forward/pass-through by mikrotik hotspot router
How should I go about setting this up?
which firewall chain do I need to add the rule to? hs-auth?
also, in what order/at what point in the chain should I add the rules?
You could block in the firewall the traffic that comes from the Hotspot interface (in-interface), whatever that is, and goes out to the LAN interface (out-interface).
The chain you must use is the forward chain.
Also, you could use src and dst addresses instead of interfaces. The chain of course remains the same.
Just a short explanation to support what @Zacharias wrote: clients wanting to connect to internet servers neither mention nor use the gateway address in IP packets (unless they try to use "Source Based Routing"); they only use the gateway address to find out the MAC address of the device to pass those internet-bound packets to. Firewall filter rules inspect IP packets and will see internet addresses as destinations even though they will be delivered to an intermediate router sitting on a network which is otherwise forbidden for the packet originators.
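Putting the forward-chain approach from the replies above into concrete RouterOS commands, as an added example that is not from any of the posters: it assumes the hotspot-facing interface is named `hotspot-bridge` and the uplink toward 192.168.0.0/24 is `ether1` (both names are assumptions), and it relies on the point made above that internet-bound packets carry public destination addresses and so match neither rule.

```routeros
# Added example (not from the thread). Interface names "hotspot-bridge" and
# "ether1" are assumptions; adjust to /interface print output.
/ip firewall filter
# 1) Let the hotspot subnet reach the upstream gateway IP itself.
add chain=forward in-interface=hotspot-bridge out-interface=ether1 \
    src-address=192.168.10.0/24 dst-address=192.168.0.1 \
    action=accept comment="hotspot -> upstream gateway only" \
    place-before=0
# 2) Drop everything else from the hotspot subnet aimed at next-hop LAN hosts
#    (e.g. 192.168.10.100 -> 192.168.0.50). Packets to public addresses do not
#    match and continue down the chain, so internet access keeps working.
add chain=forward in-interface=hotspot-bridge out-interface=ether1 \
    src-address=192.168.10.0/24 dst-address=192.168.0.0/24 \
    action=drop comment="hotspot -> next-hop LAN clients blocked" \
    place-before=1
# Verify ordering and watch the counters while testing from a hotspot client:
/ip firewall filter print stats where chain=forward
```

Order matters: both rules are placed at the top of the forward chain (place-before=0 and 1) so they are evaluated before any broad accept rule, including the dynamic hotspot rules RouterOS inserts there.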
My addition was to explain why your recommendation would work … some people might assume that it wouldn’t because the upstream gateway is part of the “forbidden” subnet.