Hotspot Firewall Rules

Good day,

We have a hotspot system set up and we have users with capped accounts. The MikroTik connects to an external RADIUS server which then sends a response to the MikroTik as to when the user should be capped.

I'm finding that the RADIUS server issues the user to be capped when reaching their limit, but there is a jump rule on the MikroTik which is causing the users to be able to connect again once they have reached their cap.

I'm trying to figure out what the jump rule could possibly be. This is a copy of our config:

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=return chain=hs-unauth-to comment="UNIFI CONTROLLER (Macrolan)" disabled=yes out-interface=BR-LAN src-address=154.70.214.94
add action=return chain=hs-unauth comment="UNIFI CONTROLLER (Macrolan)" disabled=yes dst-address=154.70.214.94 in-interface=BR-LAN
add chain=l2tprestricted connection-state=new dst-address=196.7.127.15 dst-port=80 protocol=tcp
add chain=l2tprestricted dst-address=196.7.127.15 icmp-options=8:0 protocol=icmp
add chain=l2tprestricted dst-port=23 protocol=tcp
add chain=l2tprestricted disabled=yes dst-port=22 protocol=tcp
add chain=l2tprestricted dst-port=53 protocol=udp
add action=reject chain=l2tprestricted
add chain=voiprestricted dst-address=92.240.1.0/24
add chain=voiprestricted dst-address=92.240.0.0/24
add chain=voiprestricted src-address-list=voip-services
add chain=voiprestricted src-address=41.222.225.40
add chain=voiprestricted dst-port=23 protocol=tcp
add chain=voiprestricted disabled=yes dst-port=22 protocol=tcp
add chain=voiprestricted dst-port=53 protocol=udp
add action=reject chain=voiprestricted
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=10.5.50.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade management network" src-address=10.5.51.0/24
add action=dst-nat chain=dstnat dst-port=8080 in-interface=ether1 protocol=tcp to-addresses=10.5.50.15 to-ports=80
add action=dst-nat chain=dstnat dst-port=8081 in-interface=ether1 protocol=tcp to-addresses=10.5.50.17 to-ports=80
add action=masquerade chain=srcnat comment="Vlan Hotspot" src-address=10.10.10.0/24