Hotspot - Block access to port 80 of the APs

Hi all.

I am trying to block my hotspot users from getting into the APs' login page. I made some rules on the firewall, but it is not blocking...

Here is the export:
/ip hotspot profile
set [ find default=yes ] login-by=http-chap
add hotspot-address=10.0.0.1 login-by=http-chap name=Profile-Alameda nas-port-type=ethernet use-radius=yes
/ip hotspot
add address-pool=Pool-GUEST addresses-per-mac=1 disabled=no idle-timeout=12h interface=vGUEST keepalive-timeout=1h name=AlamedaHotspot profile=Profile-Alameda
/ip hotspot user profile
set [ find default=yes ] address-pool=Pool-GUEST idle-timeout=12h keepalive-timeout=1h name=AlamedaGRATUITO rate-limit=500K shared-users=100
add address-pool=Pool-GUEST idle-timeout=12h keepalive-timeout=1h name=AlamedaPAGO rate-limit=3M shared-users=2
/ip hotspot user
add disabled=yes name=alameda password=20alameda11 server=AlamedaHotspot
add disabled=yes name=alameda2 password=20alameda11 profile=AlamedaPAGO server=AlamedaHotspot
/ip hotspot walled-garden
add dst-host=alameda.tur.br
add dst-host=residencia-alameda.com.br
add dst-host=googleapis.com
add dst-host=microformats.org
add dst-host=googlecode.com
add dst-host=google-analytics.com
[admin@MikroTik] > ip firewall export

jun/05/2013 14:57:07 by RouterOS 6.0rc14

software id = ZQK3-U7G0

/ip firewall address-list
add address=192.168.10.0/24 list=RedesInternas
add address=10.0.0.0/24 list=RedesInternas
add address=10.0.0.2 list=HideFromHotspot
add address=10.0.0.3 list=HideFromHotspot
add address=10.0.0.4 list=HideFromHotspot
add address=10.0.0.5 list=HideFromHotspot
add address=192.168.1.1 list=HideFromHotspot
add address=192.168.1.2 list=HideFromHotspot
add address=192.168.10.2 list=HideFromHotspot
add address=192.168.20.100 list=HideFromHotspot
add address=192.168.20.101 list=HideFromHotspot
add address=192.168.10.3 list=HideFromHotspot
add address=192.168.10.4 list=HideFromHotspot
add address=192.168.10.5 list=HideFromHotspot
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input in-interface=eth1-Link1 protocol=icmp
add action=drop chain=input dst-port=80,443,21,22,8291 in-interface=eth1-Link1 protocol=tcp
add action=drop chain=forward dst-address-list=HideFromHotspot in-interface=vGUEST protocol=icmp
add action=drop chain=forward dst-address-list=HideFromHotspot dst-port=80,443,21,22,8291 in-interface=vGUEST protocol=tcp
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NAT SAIDA LINK1" out-interface=eth1-Link1
add action=dst-nat chain=dstnat comment=DVR01 dst-port=37777 in-interface=eth1-Link1 protocol=tcp to-addresses=192.168.20.101 to-ports=37777
add action=dst-nat chain=dstnat comment=Proxy dst-address=!192.168.20.0/24 dst-port=80 protocol=tcp src-address-list=RedesInternas to-addresses=192.168.20.100 to-ports=3128
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes

If your access points share the same subnet as your guests, they need not talk through the router to reach the access points. No amount of firewalling in the network will prevent communication. That needs to be done at the edge of the network.

The best solution would be to place the management VLAN of the access points on something different than what the guests connect to and have a separate subnet in the MikroTik to run that.

That makes sense!

Ok, let's assume that my hotspot network is 10.0.0.0/24 and the APs are in this subnet too. I can't block access to the APs, but I can block access to my other servers like 192.168.20.100, correct? Even this server gets accessed by the hotspot network despite the rules in the firewall. Why? What am I missing in the rules that I've created?

You can control routed access via the router by using filter rules in the forward chain.

Are your servers on the same layer 2 interface? If they are sharing the same physical port, a guest can change their IP to connect to the server. If you have it on a separate routed interface (recommended), set up the necessary forward filter rules to prevent communication.
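Added example (Python, written for this page; not code from the thread or from MikroTik): a small model of the two points made in the replies above, namely that same-subnet traffic never transits the router and that, for routed traffic, the dstnat chain runs before the forward filter chain. The address lists, the proxy dst-nat rule and the HideFromHotspot forward rule are hand-transcribed from the export in the first post; the hotspot's own dynamic rules and the input chain are left out, and the guest address 10.0.0.50 and the public address 203.0.113.10 are constructed, so this illustrates evaluation order rather than simulating RouterOS.

```python
"""Where does a guest packet get seen, and by which rule?

Two facts this models:
  1. If source and destination are in the same subnet, the frame goes
     AP -> switch -> AP/host at layer 2. The router never sees it, so no
     /ip firewall filter rule can apply.
  2. Routed traffic is processed by the dstnat chain BEFORE the forward
     filter chain, so a forward rule matching dst-port sees the port as
     rewritten by dst-nat, not the port the client originally asked for.
"""
import ipaddress
from dataclasses import dataclass, replace

# Transcribed from the thread's export (subset). Assumption: nothing else
# (hotspot dynamic rules, input chain) is modelled.
HIDE_FROM_HOTSPOT = {
    "10.0.0.2", "10.0.0.3", "10.0.0.4", "10.0.0.5",
    "192.168.1.1", "192.168.1.2", "192.168.10.2",
    "192.168.20.100", "192.168.20.101",
    "192.168.10.3", "192.168.10.4", "192.168.10.5",
}
REDES_INTERNAS = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("10.0.0.0/24")]
PROXY_EXCLUDED = ipaddress.ip_network("192.168.20.0/24")
BLOCKED_PORTS = {80, 443, 21, 22, 8291}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"
    in_iface: str = "vGUEST"


def dstnat(pkt: Packet) -> Packet:
    """chain=dstnat: redirect tcp/80 from RedesInternas (except to
    192.168.20.0/24) to the proxy at 192.168.20.100:3128."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    if (pkt.proto == "tcp" and pkt.dport == 80
            and dst not in PROXY_EXCLUDED
            and any(src in net for net in REDES_INTERNAS)):
        return replace(pkt, dst="192.168.20.100", dport=3128)
    return pkt


def forward_filter(pkt: Packet) -> str:
    """chain=forward: drop tcp 80,443,21,22,8291 from vGUEST to HideFromHotspot.
    Note that this is evaluated on the packet AFTER dstnat."""
    if (pkt.in_iface == "vGUEST" and pkt.dst in HIDE_FROM_HOTSPOT
            and pkt.proto == "tcp" and pkt.dport in BLOCKED_PORTS):
        return "drop"
    return "accept"


def router_path(pkt: Packet, guest_subnet: str = "10.0.0.0/24"):
    """Return ('layer2', pkt) if the packet never transits the router,
    otherwise (forward-chain verdict, packet as seen by the forward chain)."""
    net = ipaddress.ip_network(guest_subnet)
    if (ipaddress.ip_address(pkt.src) in net
            and ipaddress.ip_address(pkt.dst) in net):
        return ("layer2", pkt)          # switched locally; router not involved
    after_nat = dstnat(pkt)             # dstnat runs first
    return (forward_filter(after_nat), after_nat)


def scenarios() -> dict:
    """Constructed cases: a guest at 10.0.0.50 (hypothetical) reaching an AP,
    a server on another VLAN, and a public web site."""
    return {
        "guest_to_ap_port80": router_path(Packet("10.0.0.50", "10.0.0.2", 80)),
        "guest_to_server_port80": router_path(Packet("10.0.0.50", "192.168.20.100", 80)),
        "guest_to_internet_port80": router_path(Packet("10.0.0.50", "203.0.113.10", 80)),
    }


if __name__ == "__main__":
    for name, (verdict, seen) in scenarios().items():
        print(f"{name}: {verdict} (forward chain saw {seen.dst}:{seen.dport})")
```

The first case is the point of the first reply: the drop rule for the APs cannot fire because the frame never reaches the router. The second case shows the forward rule working as intended for a server on another VLAN. The third case is the caveat to check in the real config: the proxy redirect rewrites port 80 to 3128 before the forward chain matches on dst-port, so the HideFromHotspot drop rule, which lists port 80, never sees that flow even though the packet is delivered to 192.168.20.100.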

They are in a different VLAN.