Hotspot - need to block 'WAN' subnet

Hi All,

I just got my first MikroTik equipment and am loving it so far. I’m trying to set up a basic hotspot for a bar, using an RB411AR (1 ethernet, 1 WLAN).

The hotspot part is straightforward enough.
The ethernet (WAN) port of the routerboard will plug into the client’s ADSL router & use DHCP to get an IP.
What I’d like to do is ensure that hotspot users cannot access any IP addresses on the customer’s LAN (i.e. the ADSL router LAN). Obviously the hotspot will need to communicate with the ADSL router to get to the internet.

These boards with RouterOS seem so flexible, I’m sure there must be a way to configure the firewall to do this. I’m new to RouterOS, so this is beyond me at the moment…

thanks in advance,

Steve

Add a rule to /ip firewall filter that drops traffic in chain=forward, where src-address is the clients’ network address and dst-address is the LAN clients’ address.

So simple - thanks. I’ve tested this on my system and it works perfectly…

More complicated is…and not so critical — if the routerboard’s WAN IP is DHCP assigned, is there a way to configure the firewall, even though the WAN IP may not be known yet?

in-interface/out-interface can be used; there are plenty of matchers in /ip firewall filter.
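
The two suggestions in this thread, written out as RouterOS configuration. This is an added example and not part of any post above; the second case generalizes the interface-matcher hint by dropping every private (RFC 1918) destination on the WAN side, which is one way to cover a LAN subnet that is not known in advance. Assumptions: `wlan1` is the hotspot interface, `ether1` is the WAN port, `10.5.50.0/24` is the hotspot client subnet and `192.168.1.0/24` is the customer LAN (constructed values).

```routeros
# Assumed names and subnets (not from the thread): wlan1 = hotspot interface,
# ether1 = WAN port facing the ADSL router, 10.5.50.0/24 = hotspot clients,
# 192.168.1.0/24 = customer LAN behind the ADSL router.

# Case 1: the customer LAN subnet is known (the rule from the first reply).
/ip firewall filter
add chain=forward src-address=10.5.50.0/24 dst-address=192.168.1.0/24 \
    action=drop comment="hotspot to customer LAN"

# Case 2: the WAN address is DHCP-assigned and the subnet is not known yet.
# Match on interfaces instead of addresses, and drop anything from the
# hotspot that would leave via the WAN port towards private address space.
/ip firewall address-list
add list=private-nets address=10.0.0.0/8
add list=private-nets address=172.16.0.0/12
add list=private-nets address=192.168.0.0/16

/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=ether1 \
    dst-address-list=private-nets action=drop \
    comment="hotspot to any private net via WAN"
```

Internet-bound traffic is still forwarded through the ADSL router because its destination address is public, so only hosts on the customer side become unreachable. The drop rules need to sit above any accept rule in the forward chain, and hotspot clients should use the RouterBOARD itself for DNS, since queries sent directly to the ADSL router's LAN address would be dropped.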