Hotspot firewall rule blocking lan to wan

Hi,
My local lan network is in the 10.0.0.0 range
The modem has an IP of 10.0.0.1 which is also the gateway.
I have a RB450G running my hotspot in the 192.168.1.0 range
I need to make a firewall rule to block all clients (192.168.1.0) from accessing my local (10.0.0.0) network.

I have made a rule for that and it’s working fine when the hotspot is disabled, but once it’s enabled, the rule stops working.

Any help would be much appreciated.

Post the output of “/ip address print detail”, “/ip route print detail”, “/interface print detail”, “/ip firewall export” (including the rule that you made to block traffic), “/ip hotspot export”, and an accurate network diagram. Also post how exactly you’re testing whether the rule is working, what you’re expecting the test to result in, and what you’re seeing instead.

Sorry for my late response.
My local LAN consists of a modem/gateway/DHCP server (IP 10.0.0.1, GW 10.0.0.1, DHCP 10.0.0.2-254) connected to an 8 port switch.
On the switch are connected 3 x PCs (10.0.0.51-2-3, static IPs), a NAS server (10.0.0.50), 2 x NMT and the RB450. Port 2 of the RB450 connects to the AP/WDS (Ubiquiti NSM2) in bridge mode with an IP of 192.168.1.254, GW 192.168.1.1 (output of the RB450), and port 1 is the WAN input.

My problem is that if I log on (DHCP 192.168.1.2~240) to the AP and go to any IP in the 10.0.0.X range with the hotspot enabled it gets through (firewall rule not working), so anyone can log on to my NAS for example.
If the Hotspot is off, and the RB450 is just working in the router mode all of the 10.0.0.X range is blocked, so the firewall rule is working.

Here is what you requested.

Rule working, hotspot not active

[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=10.0.0.15/24 network=10.0.0.0 interface=ether1-gateway
actual-interface=ether1-gateway

1 ;;; default configuration
address=192.168.1.1/24 network=192.168.1.0 interface=ether2-local
actual-interface=ether2-local
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=10.0.0.1 gateway-status=10.0.0.1 reachable ether1-gateway
distance=1 scope=30 target-scope=10

1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.15 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether2-local
gateway-status=ether2-local reachable distance=0 scope=10
[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

1 R name="ether2-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

2 name="ether3-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

3 name="ether4-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

4 name="ether5-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524
[admin@MikroTik] > /ip firewall export
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s
tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related
disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=yes in-interface=
ether1-gateway
add action=drop chain=forward disabled=no dst-address=10.0.0.0/24 src-address=192.168.1.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=
ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@MikroTik] > /ip hotspot export
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=
3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=
0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1
status-autorefresh=1m transparent-proxy=no
add advertise=no idle-timeout=none keepalive-timeout=2m name=ID2-USER-PROFILE
open-status-page=always shared-users=1 status-autorefresh=1m transparent-proxy=yes
/ip hotspot profile
add dns-name="" hotspot-address=192.168.1.1 html-directory=hotspot http-cookie-lifetime=3d
http-proxy=0.0.0.0:0 login-by=cookie,http-chap,http-pap,trial name=ID2-SERVER-PROFILE
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no trial-uptime=30m/1d
trial-user-profile=ID2-USER-PROFILE use-radius=no
/ip hotspot
add address-pool=ID2-POOL addresses-per-mac=2 disabled=yes idle-timeout=none interface=
ether2-local keepalive-timeout=none name=ID2 profile=ID2-SERVER-PROFILE
/ip hotspot service-port
set ftp disabled=no ports=21

Hotspot active - rule not working
[admin@MikroTik] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; default configuration
address=10.0.0.15/24 network=10.0.0.0 interface=ether1-gateway
actual-interface=ether1-gateway

1 ;;; default configuration
address=192.168.1.1/24 network=192.168.1.0 interface=ether2-local
actual-interface=ether2-local
[admin@MikroTik] > /ip route print detail
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=10.0.0.1 gateway-status=10.0.0.1 reachable ether1-gateway
distance=1 scope=30 target-scope=10

1 ADC dst-address=10.0.0.0/24 pref-src=10.0.0.15 gateway=ether1-gateway
gateway-status=ether1-gateway reachable distance=0 scope=10

2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.1 gateway=ether2-local
gateway-status=ether2-local reachable distance=0 scope=10
[admin@MikroTik] > /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave
0 R name="ether1-gateway" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

1 R name="ether2-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

2 name="ether3-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

3 name="ether4-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524

4 name="ether5-local" type="ether" mtu=1500 l2mtu=1524 max-l2mtu=1524
[admin@MikroTik] > /ip firewall export

sep/02/2011 00:30:47 by RouterOS 5.6

software id = Y2LX-4TB2

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s
tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established
disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" connection-state=related
disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=yes in-interface=
ether1-gateway
add action=drop chain=forward disabled=no dst-address=10.0.0.0/24 src-address=192.168.1.0/24
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=
ether1-gateway
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
[admin@MikroTik] > /ip hotspot export

sep/02/2011 00:31:15 by RouterOS 5.6

software id = Y2LX-4TB2

/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=
3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=
0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1
status-autorefresh=1m transparent-proxy=no
add advertise=no idle-timeout=none keepalive-timeout=2m name=ID2-USER-PROFILE
open-status-page=always shared-users=1 status-autorefresh=1m transparent-proxy=yes
/ip hotspot profile
add dns-name="" hotspot-address=192.168.1.1 html-directory=hotspot http-cookie-lifetime=3d
http-proxy=0.0.0.0:0 login-by=cookie,http-chap,http-pap,trial name=ID2-SERVER-PROFILE
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no trial-uptime=30m/1d
trial-user-profile=ID2-USER-PROFILE use-radius=no
/ip hotspot
add address-pool=ID2-POOL addresses-per-mac=2 disabled=no idle-timeout=none interface=
ether2-local keepalive-timeout=none name=ID2 profile=ID2-SERVER-PROFILE
/ip hotspot service-port
set ftp disabled=no ports=21


Thanks again for your time and effort.
Regards,
sda :smiley:

go to any ip in the 10.0.0.X range with the hotspot enabled it gets through (firewall rule not working), so anyone can log on to my NAS for example.

Can we assume that by that “go to any IP” you mean they can get to devices such as your NAS via their web interfaces? The rule you have should work to drop traffic - but Hotspots proxy all traffic to themselves by default, so the proxy would choose the 10/8 address of the router, and that traffic would be in the output chain rather than forward. Have you tested traffic such as ICMP? Can you ping the NAS?

There are ways around that, but please first confirm that that assumption is correct.

Yes, the assumption is correct.

When the rule is active, in both cases (hotspot on or off) ICMP traffic is blocked.

Thank you

Add this code:

/ip firewall nat add chain=pre-hotspot dst-address-type=!local hotspot=auth action=accept

While clients aren’t logged into the Hotspot the Hotspot itself will block access. Once they’re logged in that rule will prevent the internal proxy from taking over, traffic will be in the forward chain, and web traffic should be blocked just like ICMP since the proxy no longer interferes.
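As an added example (not a configuration posted in this thread), the isolation rules put together the way the explanation above describes, using the thread's interface names and subnets: the pre-hotspot accept that keeps the hotspot's transparent proxy from claiming routed client traffic, the forward-chain drop, a log rule in front of it for verification, and the commands to confirm the counters move. The log prefix and comments are my own choices.

```routeros
# Added example, not the thread's own export.
# LAN 10.0.0.0/24 on ether1-gateway, hotspot clients 192.168.1.0/24 on ether2-local.

/ip firewall nat
# Authenticated hotspot clients sending to any address that is NOT one of the
# router's own (dst-address-type=!local) skip the hotspot proxy redirect. Their
# packets are then routed normally and traverse the forward chain, where the
# drop rule below can see them. Unauthenticated clients are still held by the
# hotspot's own rules, so the login page keeps working.
add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept \
    comment="hotspot: do not proxy authenticated clients' routed traffic"

/ip firewall filter
# Log first (hypothetical prefix "hs-to-lan") so a test from a hotspot client
# leaves a visible trace, then drop. Remove the log rule once verified.
add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 \
    action=log log-prefix="hs-to-lan" \
    comment="verify hotspot -> private LAN isolation"
add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/24 \
    action=drop comment="hotspot clients must not reach private LAN"

# Verification from the router after browsing/pinging 10.0.0.50 from a
# logged-in hotspot client: the forward counters should increase and the
# log should show the hs-to-lan entries; with the proxy still in the way
# the counters stay at zero because the traffic never reaches forward.
/ip firewall filter print stats where chain=forward
/log print where message~"hs-to-lan"
/ip firewall connection print where dst-address~"^10\\.0\\.0\\."
```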

Working like a charm :smiley:

My aim is to VLAN the 192.168.1.X range on one SSID to provide free internet access (but only that) and my private 10.0.0.X range on a second, encrypted SSID.
The first part I've managed; the second part, adding the 10.0.0.X range to the 2nd SSID, is troubling me as I don't know if it's feasible either directly or via VLAN.

Thanks again,
:smiley:

Must I add hotspot firewall rules?