Hotspot equivalent of the FORWARD chain

Hello,

I am a noob and a bit confused by the filter chain traversal of the packets of the hotspot authenticated clients.

In a normal basic setup, the packets not directly destined to or originating from the router traverse the FORWARD chain. So basically packets to and from clients traverse the FORWARD chain, regardless of protocol, port, etc.

What happens with the packets to/from authenticated clients of a hotspot? What is then the equivalent of the FORWARD chain? For example if I want to set some layer 7 filter rules (which have to “see” both sides of a connection) applicable to my hotspot authenticated clients, where should I place them?

It’s either still in the forward chain, or it got redirected to the Hotspot acting as a proxy and torn into two connections, which makes it impossible to run a layer 7 filter on the traffic. Redirected traffic includes SMTP and HTTP.

Though you can restore traffic flow for authenticated clients via this:

/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept

That doesn’t exempt non-authenticated clients including bypassed ones, though. Those are impossible to change flow for.
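The answer above says where the problem lies (the hotspot's dynamic dst-nat rules turn HTTP/SMTP into proxied connections) and gives the pre-hotspot accept rule that keeps authenticated clients in the normal forward path. The following is an added example, not posted by anyone in this thread, showing the complete RouterOS configuration a practitioner would pair with it: the accept rule, a layer 7 pattern, and log-then-drop rules in the forward chain limited to authenticated hotspot clients. The layer7-protocol name `blocked-app` and its regexp are constructed placeholders, not a real signature.

```routeros
# Added example (not from the original thread). Assumes the hotspot server and
# its dynamic NAT rules are already in place. "blocked-app" and its regexp are
# constructed placeholders; substitute the pattern you actually need to match.

# 1. Keep authenticated clients' traffic in the normal forward path instead of
#    letting the hotspot's dynamic dst-nat rules proxy HTTP/SMTP. Without this,
#    a layer 7 matcher in "forward" never sees the proxied client connection.
/ip firewall nat add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept

# 2. Define the layer 7 pattern. RouterOS inspects only the first packets of a
#    connection, so the regexp has to match data that appears early.
/ip firewall layer7-protocol add name=blocked-app regexp="^.*blocked-app-signature.*$"

# 3. Match in the forward chain, restricted to authenticated hotspot clients.
#    Logging before dropping leaves a detection record of what was enforced.
/ip firewall filter add chain=forward hotspot=auth layer7-protocol=blocked-app action=log log-prefix="hotspot-l7: "
/ip firewall filter add chain=forward hotspot=auth layer7-protocol=blocked-app action=drop
```

Rule order matters for the filter part: the layer 7 rules have to sit above any `connection-state=established,related` accept rule or fasttrack rule in the forward chain, because the matcher needs to see the first packets of each connection, and fasttracked connections bypass filter inspection entirely. As the answer notes, unauthenticated and bypassed clients still go through the hotspot's own redirect rules, so these forward-chain rules only apply to `hotspot=auth` traffic.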