hello!
I recently blocked a site on my network. Everything worked fine, but for the hotspot users it is still accessible.
My PC, which is directly connected to the MikroTik, has no access.
How can I block it for the hotspot as well?
Here are the firewall rules:
# oct/04/2019 14:00:27 by RouterOS 6.44.5
# software id = 4L42-C3TX
#
# model = RB941-2nD
# serial number = A1C30A560349
# NOTE(review): the software id and serial number above identify this exact
# device; redact them before sharing an export publicly.
/ip firewall layer7-protocol
# BitTorrent signature: the BitTorrent handshake ("\x13bittorrent protocol"),
# Azureus/tracker request strings (scrape/announce, bitcomet) and a DHT
# fragment ("d1:ad2:id20:"). Layer7 only inspects the first packets of a
# connection, so encrypted or obfuscated transfers will not match.
add comment="Mikrotik Block Torrent" name=layer7-bittorrent-exp regexp="^(\\x1\
3bittorrent protocol|azver\\x01\$|get /scrape\\\?info_hash=get /announce\\\
\?info_hash=|get /client/bitcomet/|GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7\
P\\)[RP]"
# "facebook": payload of the form <two+ chars>.facebook.com / facebook.net /
# fbcdn.com / fbsbx.com / fbcdn.net / fb.com / tfbnw.net followed by anything
# (the unescaped "." inside the domain names matches any character).
# Consumed by the mangle rule "facebook connection", which sets
# connection-mark facebook_conn for the filter rule "block facebook".
add comment=facebook name=facebook regexp="^..+\\.(facebook.com|facebook.net|f\
bcdn.com|fbsbx.com|fbcdn.net|fb.com|tfbnw.net).*\$"
/ip firewall address-list
# Clients: sources eligible for the BitTorrent detection rules
# (filter chain=forward, src-address-list=Clients). 10.10.4.0/24 appears to be
# the hotspot network (see the nat rule "masquerade hotspot network").
add address=10.10.4.2-10.10.4.255 list=Clients
# router: the router's own LAN address; mangle prerouting accepts traffic to it
# before any marking takes place.
add address=10.10.3.1 list=router
# Bogons: used as dst-address-list by the filter rule "Drop to bogon list"
# (chain=forward). NOTE(review): the 10.0.0.0/8 entry below is enabled in this
# export and covers the router's own 10.10.3.x / 10.10.4.x networks, so new
# connections forwarded INTO those networks - including the dst-nat to
# 10.10.3.231 - are dropped by that rule. Disable or narrow the entry if
# inter-LAN or port-forwarded traffic is required (its own comment says so).
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=Bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you nee\
d this subnet before enable it" list=Bogons
add address=127.0.0.0/8 comment="Loopback [RFC 3330]" list=Bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=Bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you \
need this subnet before enable it" list=Bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=Bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=\
Bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=Bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=Bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=Bogons
# 224.0.0.0/4 is also enabled: all forwarded multicast is dropped.
add address=224.0.0.0/4 comment=\
"MC, Class D, IANA # Check if you need this subnet before enable it" \
list=Bogons
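/ip firewall filter
# Block facebook for every client. NOTE(review): this rule originally matched
# connection-mark=facebook_conn, which mangle prerouting sets. Mangle forward
# runs BEFORE filter forward, and its catch-all "other-con" mark-connection
# rule re-marks every connection that an earlier passthrough=no rule has not
# stopped. bridge1 clients are stopped by the http-*-pk rules (they carry
# client-up-pk / client-dw-pk), but traffic entering on bridge-hotspot never
# receives client-up-con / client-up-pk, so its facebook_conn mark was
# overwritten with other-con before this rule ever saw it - which matches
# "blocked on the PC, not on the hotspot". Matching the Layer7 protocol here
# directly does not depend on the mark surviving mangle.
add action=reject chain=forward comment="block facebook" layer7-protocol=facebook protocol=tcp reject-with=tcp-reset
# Disabled placeholder left by the HotSpot setup; no effect.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Disabled: would collect hotspot sources that speak BitTorrent (Layer7 or the
# p2p matcher) into Torrent-Conn for 2 minutes. NOTE(review): the "allow-bit"
# exception list is not defined in this export, and Torrent-Conn is not
# referenced by any rule shown.
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward disabled=yes in-interface=\
bridge-hotspot layer7-protocol=layer7-bittorrent-exp src-address-list=\
!allow-bit
add action=add-src-to-address-list address-list=Torrent-Conn \
address-list-timeout=2m chain=forward disabled=yes in-interface=\
bridge-hotspot p2p=all-p2p src-address-list=!allow-bit
# Detected BitTorrent users: drop TCP and UDP to every destination port that is
# NOT in the listed set ("!" negates the port list) - a near-total block for
# those sources, leaving only the listed well-known/remote-access ports.
add action=drop chain=forward comment="kill P2P" dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=tcp \
src-address-list="BitTorrent Users"
add action=drop chain=forward dst-port=\
!0-1024,8291,5900,5800,3389,14147,5222,59905 protocol=udp \
src-address-list="BitTorrent Users"
# Disabled p2p-matcher variant of the feeder rule below.
add action=add-src-to-address-list address-list="BitTorrent Users" \
address-list-timeout=none-dynamic chain=forward disabled=yes p2p=all-p2p \
src-address-list=Clients
# The only enabled feeder of "BitTorrent Users": a Clients source entering on
# bridge-hotspot whose connection matches the Layer7 signature.
# none-dynamic keeps the entry until it is removed or the router restarts.
add action=add-src-to-address-list address-list="BitTorrent Users" \
address-list-timeout=none-dynamic chain=forward comment=BitTorrentUsers \
in-interface=bridge-hotspot layer7-protocol=layer7-bittorrent-exp \
src-address-list=Clients
# Disabled alternatives: drop all detected P2P outright.
add action=drop chain=forward comment="KILL P2P" disabled=yes p2p=all-p2p
add action=drop chain=forward comment="KILL P2P" disabled=yes \
layer7-protocol=layer7-bittorrent-exp
# Disabled: re-adds Clients sources to Clients for 2 minutes.
add action=add-src-to-address-list address-list=Clients address-list-timeout=\
2m chain=forward disabled=yes p2p=all-p2p src-address-list=Clients
# Disabled: relies on connection-mark other-con from mangle forward.
add action=drop chain=forward comment="KILL P2P OTHER CON" connection-mark=\
other-con disabled=yes layer7-protocol=layer7-bittorrent-exp \
src-address-list="BitTorrent Users"
# defconf fast path. Deliberately placed AFTER the facebook and P2P rules:
# Layer7 classifies a connection only after its first packets, so those rules
# must also see packets of already-established connections.
add action=accept chain=forward comment="defconf: accept established,related" \
connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
# NOTE(review): UDP/69 (TFTP; "port=" matches source OR destination port) is
# accepted from ANY interface in both input and forward, ahead of the
# WAN-drop rules below, so it is reachable from ether1. Add
# in-interface=!ether1 (or a src-address-list) unless TFTP from the
# Internet is intended.
add action=accept chain=input port=69 protocol=udp
add action=accept chain=forward port=69 protocol=udp
# defconf: new connections from the WAN pass only when a dst-nat created them.
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface=ether1
# Drop forwarded traffic to any Bogons destination. NOTE(review): with
# 10.0.0.0/8 enabled in that list this also drops new connections into the
# router's own 10.10.x.x networks, including the dst-nat to 10.10.3.231.
add action=drop chain=forward comment="Drop to bogon list" dst-address-list=\
Bogons
# Input chain: ICMP and replies to router-initiated traffic from anywhere;
# everything else arriving on the WAN is dropped. There is no final drop, so
# input from LAN / hotspot is accepted by default.
add action=accept chain=input protocol=icmp
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=drop chain=input in-interface=ether1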
/ip firewall mangle
# Traffic addressed to the router itself skips all marking.
add action=accept chain=prerouting comment=router dst-address-list=router
# DNS is excluded from the forward marks (and so from whatever queues consume
# them - queue configuration is not part of this export).
add action=accept chain=forward comment=DNS port=53 protocol=tcp
add action=accept chain=forward comment=DNS port=53 protocol=udp
# Download direction: anything arriving from the WAN (ether1). This
# mark-connection overwrites any earlier connection-mark on that connection.
add action=mark-connection chain=forward comment="client download" \
in-interface=ether1 new-connection-mark=client-dw-con passthrough=yes
add action=mark-packet chain=forward comment=client-dw-pk connection-mark=\
client-dw-con new-packet-mark=client-dw-pk passthrough=yes
# Upload direction: anything arriving from bridge1. NOTE(review): hotspot
# clients appear to enter on bridge-hotspot (see the filter rules), so their
# uploads are NOT marked here and fall through to "other-con" below.
add action=mark-connection chain=prerouting comment=client-up-con \
in-interface=bridge1 new-connection-mark=client-up-con passthrough=yes
add action=mark-packet chain=prerouting comment=client-up-pk connection-mark=\
client-up-con new-packet-mark=client-up-pk passthrough=yes
# passthrough=no: a TCP packet to ports 80,443,5222,5223,5228 that carries a
# client-*-pk packet mark stops mangle forward here, so its connection keeps
# whatever connection-mark prerouting set (including facebook_conn).
add action=mark-packet chain=forward comment=http-dw-pk new-packet-mark=\
http-dw-pk packet-mark=client-dw-pk passthrough=no port=\
80,443,5222,5223,5228 protocol=tcp
add action=mark-packet chain=forward comment=http-up-pk new-packet-mark=\
http-up-pk packet-mark=client-up-pk passthrough=no port=\
80,443,5222,5223,5228 protocol=tcp
# P2P packet marks: the p2p-matcher variants are disabled, the Layer7 variants
# are active; both require a client-*-pk packet mark first.
add action=mark-packet chain=forward comment=p2p-dw-pk disabled=yes \
new-packet-mark=p2p-dw-pk p2p=all-p2p packet-mark=client-dw-pk \
passthrough=no
add action=mark-packet chain=forward comment=p2p-dw-pk layer7-protocol=\
layer7-bittorrent-exp new-packet-mark=p2p-dw-pk packet-mark=client-dw-pk \
passthrough=no
add action=mark-packet chain=forward comment=p2p-up-pk disabled=yes \
new-packet-mark=p2p-up-pk p2p=all-p2p packet-mark=client-up-pk \
passthrough=no
add action=mark-packet chain=forward comment=p2p-up-pk layer7-protocol=\
layer7-bittorrent-exp new-packet-mark=p2p-up-pk packet-mark=client-up-pk \
passthrough=no
# Catch-all with no matcher: every forwarded packet reaching this point has
# its connection re-marked other-con. NOTE(review): a connection carries only
# one connection-mark, so this overwrites facebook_conn (set in prerouting
# below) for any traffic not stopped by a passthrough=no rule above - e.g.
# hotspot clients, which never get client-up-pk. Mangle forward runs before
# filter forward, so the "block facebook" filter rule then no longer matches;
# this is the likely reason the block works on bridge1 but not on the hotspot.
# Adding connection-mark=no-mark here, or matching the Layer7 protocol
# directly in the filter rule, avoids the overwrite.
add action=mark-connection chain=forward comment=other-con \
new-connection-mark=other-con passthrough=yes
add action=mark-packet chain=forward comment=other-dw-pk new-packet-mark=\
other-dw-pk packet-mark=client-dw-pk passthrough=no
add action=mark-packet chain=forward comment=other-up-pk new-packet-mark=\
other-up-pk packet-mark=client-up-pk passthrough=no
# Sets facebook_conn once the Layer7 "facebook" protocol matches (TCP only).
# Placed after client-up-con so it wins within prerouting; the filter rule
# "block facebook" rejects on this mark - but see "other-con" above.
add action=mark-connection chain=prerouting comment="facebook connection" \
layer7-protocol=facebook new-connection-mark=facebook_conn passthrough=\
yes protocol=tcp
/ip firewall nat
# Disabled placeholder left by the HotSpot setup; no effect.
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
# Masquerades every srcnat packet regardless of out-interface, including
# traffic routed between the internal networks. NOTE(review): because it
# matches everything, the "masquerade hotspot network" rule below is never
# reached; add out-interface=ether1 here if the two are meant to differ.
add action=masquerade chain=srcnat
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.10.4.0/24
# Publishes 10.10.3.231:443 to the WAN. in-interface-list=all is redundant
# next to in-interface=ether1 (both must match). NOTE(review): the forwarded
# traffic then hits the filter rule "Drop to bogon list", which drops new
# connections to 10.0.0.0/8 as exported, so this forward likely does not work
# until that Bogons entry is disabled or narrowed.
add action=dst-nat chain=dstnat dst-port=443 in-interface=ether1 \
in-interface-list=all protocol=tcp to-addresses=10.10.3.231 to-ports=443