Hotspot security

I have set up a RB532 as a hotspot on the wireless interface, but would like to secure it. I don’t want users of the hotspot to be able to access the routerboard via Winbox. How would I go about doing this? Would I create a NAT rule?

(the eth1 interface will have a separate network that will make use of the web proxy but not the hotspot)

Hi, are you Gromit from PCF SA?

Set up a firewall rule that blocks (drop or reject) port 8291 if the in-interface is the wlan interface. Should do the trick.

There are many ways: changing the port, allowing chain “input” only to specific IPs, port knocking (there is a topic on this in the same section).

Yip, that's me, Gromit on PCF SA :)

Will give it a bash, thanks.

Please can you post a link to the thread?

http://forum.mikrotik.com/t/how-do-i-use-port-knock-exe/14843/1

If I am creating an address pool, e.g. 192.168.99.0/24, for use on the hotspot, can I not just create a firewall input rule to drop all input packets from this range of IPs?

Does no one have an answer for me?

```
# src-address: the host allowed to log in (change to yours)
# dst-address: the router's own address (change to yours)
/ip firewall filter add chain=input src-address=192.168.1.2 dst-address=192.168.1.1 action=accept comment="allow specify login" disabled=no
```
Disable port 8291 if you add the accept rule without an interface selected.
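The suggestions in this thread combined into one RouterOS configuration, as an added example that is not from any of the posters: Winbox (TCP 8291) is accepted only from an admin list and dropped both on the hotspot interface and from the hotspot pool. The interface name `wlan1`, the admin subnet `192.168.88.0/24` and the list name `winbox-admins` are assumptions; `192.168.99.0/24` is the pool mentioned above.

```routeros
# Added example. Assumed names: wlan1 (hotspot interface),
# 192.168.88.0/24 (admin LAN), winbox-admins (address list).
# 192.168.99.0/24 is the hotspot pool from the thread.

# Hosts that are allowed to manage the router
/ip firewall address-list
add list=winbox-admins address=192.168.88.0/24 comment="admin LAN (assumed)"

# Rules are matched top to bottom and the first match wins,
# so the accept rule must sit above the drops.
/ip firewall filter
# 1. Accept Winbox only from the admin list
add chain=input protocol=tcp dst-port=8291 src-address-list=winbox-admins \
    action=accept comment="winbox from admins"
# 2. Drop Winbox arriving on the hotspot interface
add chain=input protocol=tcp dst-port=8291 in-interface=wlan1 \
    action=drop comment="no winbox from hotspot interface"
# 3. Drop Winbox sourced from the hotspot pool, whatever the interface
add chain=input protocol=tcp dst-port=8291 src-address=192.168.99.0/24 \
    action=drop comment="no winbox from hotspot pool"

# Second layer: the Winbox service itself only answers the admin LAN,
# so a mistake in the filter order does not expose it
/ip service set winbox address=192.168.88.0/24

# Check the resulting rule order
/ip firewall filter print where chain=input
```

Apply this from a session on the admin LAN so the new rules do not cut off the connection being used to add them.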