How can I disable hotspot users from accessing the modem IP range?

Hi guys, I want to prevent hotspot users (10.0.0.0/24) from reaching 192.168.1.0/24. I tried a couple of rules but it doesn't work.
I want to deny all network protocols between these two networks, if that's possible.

Hard to say without a diagram depicting the network, or knowing what rules you have in place.
Without any of that you could try two FW rules:
- IP firewall forward chain drop rule: drop any LAN1 to LAN2 traffic.
- IP firewall forward chain drop rule: drop any LAN2 to LAN1 traffic.

There is also an IP FORWARD checkbox in IP settings which, if unchecked, I believe has the same effect as the above two rules.

Agreed, as per anav; you need to provide more info, as you can potentially block hotspot users from accessing the hotspot service.

I thought hotspot isolated its network from your main LAN anyway.
Please post an export with more information.

I have a 3G router which is the source of the internet, and I use 192.168.1.0/24.
The 3G router IP is 192.168.1.1, the ether1 IP is 192.168.1.100, and the hotspot users' IP range is 10.0.0.0/24.
It looks like there is a default route between 192.168.1.0/24 & 10.0.0.0/24, so hotspot users can
ping any device in 192.168.1.0/24 and access my 3G router page, and I don't want hotspot users to communicate with 192.168.1.0/24.
I use ver 5.20, PC case.
& thanks

Try to ping your devices in your modem area.
Nice web site :slight_smile:

I tried
- IP firewall forward chain drop rule: drop any LAN1 to LAN2 traffic.

I can't access the internet any more.

/ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.0.0.0/24

/ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.0.0.0/24
Done.
I can't ping any device in 192.168.1.0/24, but I'm still able to access my 3G web page.

Did you already have a session open to your 3g web page? It works as expected for me.

I'm still able to access any device in 192.168.1.0/24, and I am sure there is no active session in the firewall connections.

Can you provide:

/export hide-sensitive

Did you mean
/export file=compact hide-sensitive OR
/export file=verbose hide-sensitive

I just haven't ever tried the one suggested, LOL, new tricks!!
/export hide-sensitive

Using file= simply saves it to a file instead of printing it to the terminal. Since ROS v6, compact is the default export. A verbose export saved to the file export.rsc would be:

/export verbose file=export

Your hotspot users, and indeed all your LAN clients, have access to 192.168.1.1 as it is the gateway of your Internet feed. The route to 192.168.1.0/24 is dynamically created by the router and I don't think you can remove it, but if anyone else can suggest an alternative, I've learned something new.

Can you step back, as I am confused by your setup.
I do not even see where it is indicated that you are using a MikroTik device?
Can you post a diagram?

If I had to guess, we are not even talking about modem IP access, because all that is discussed is private IPs.
Suspect it's MODEM to 3G Router to MikroTik Router,
where the MIKROTIK is hanging off a LAN IP from the 3G router (as its WAN IP).

MODEM----- WANIP ---- #3G ROUTER — DHCP Server with gateway 192.168.1.1

------> WANIP (192.168.1.100) ---- (ether1) MIKROTIK-------- DHCP/HOTSPOT Server with gateway 10.0.0.1 (ether Y?)

So it appears (I'm guessing big time here) that you are working under a double NAT scenario.
Typically, and by that I mean NORMALLY, no one from 192.168.1.X can ping MIKROTIK devices, but since the MIKROTIK is on the 3G LAN, all devices behind the MIKROTIK can ping the 3G LAN devices.

So the question being asked is: is there a way to block all hotspot users from the 3G LAN network?
My response is twofold:
NO from the MikroTik.
YES from the 3G.
In the 3G router one would have to set up firewall rules such that
FW Rule: from LAN interface, source 192.168.1.100, destination INTERNET: ALLOW
FW Rule: from LAN interface, source 192.168.1.100, destination LAN: BLOCK

Basically a LAN to WAN allow rule and a LAN to LAN block rule on the LAN interface for source 192.168.1.100.

mar/22/2018 16:07:16 by RouterOS 5.20

software id = xxx-xxx

/interface ethernet
set 0 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
xx:xx:xx:xx:xx:xx mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes cable-settings=default
disable-running-check=yes disabled=no full-duplex=yes mac-address=
xx:xx:xx:xx:xx:xx mtu=1500 name=ether2 speed=100Mbps
/interface wireless security-profiles
set [ find default=yes ] authentication-types="" eap-methods=passthrough
group-ciphers=aes-ccm group-key-update=5m interim-update=0s
management-protection=disabled mode=none name=default
radius-eap-accounting=no radius-mac-accounting=no
radius-mac-authentication=no radius-mac-caching=disabled
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=
none static-sta-private-algo=none static-transmit-key=key-0
supplicant-identity=MikroTik tls-certificate=none tls-mode=
no-certificates unicast-ciphers=aes-ccm
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=
cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0
split-user-domain=no use-radius=no
add dns-name=login.com hotspot-address=10.0.0.5 html-directory=hotspot
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=
mac,cookie,http-chap,http-pap mac-auth-password="" name=Hotspot
rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default
shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des
lifetime=30m name=default pfs-group=modp1024
/ip pool
add name=Hotspot ranges=10.0.0.10-10.0.0.254
add name=pool2 ranges=10.0.0.10-11.255.255.254
/ip dhcp-server
add address-pool=Hotspot authoritative=after-2sec-delay bootp-support=static
disabled=no interface=ether2 lease-time=3d name=DHCP
/ip hotspot
add address-pool=Hotspot disabled=no idle-timeout=none interface=ether2
keepalive-timeout=none name=Hotspot profile=Hotspot
/ip hotspot user profile
add address-pool=Hotspot advertise=no idle-timeout=none keepalive-timeout=2m
name=512Kbps open-status-page=always rate-limit=512K/512K shared-users=1
status-autorefresh=1m transparent-proxy=yes
add address-pool=Hotspot advertise=no name=100Mbps open-status-page=always
rate-limit=100M/100M shared-users=1 status-autorefresh=1m
transparent-proxy=yes
/port
set 0 baud-rate=9600 data-bits=8 flow-control=none name=serial0 parity=none
stop-bits=1
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default
remote-ipv6-prefix-pool=none use-compression=default use-encryption=
default use-ipv6=yes use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default
remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes
use-ipv6=yes use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20
red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no
ignore-as-path-len=no name=default out-filter="" redistribute-connected=
no redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no
redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=
ospf-in metric-bgp=auto metric-connected=20 metric-default=1
metric-other-ospf=auto metric-rip=20 metric-static=20 name=default
out-filter=ospf-out redistribute-bgp=no redistribute-connected=no
redistribute-other-ospf=no redistribute-rip=no redistribute-static=no
router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=
backbone type=default
/routing ospf-v3 instance
set [ find default=yes ] disabled=no distribute-default=never metric-bgp=auto
metric-connected=20 metric-default=1 metric-other-ospf=auto metric-rip=20
metric-static=20 name=default redistribute-bgp=no redistribute-connected=
no redistribute-other-ospf=no redistribute-rip=no redistribute-static=no
router-id=0.0.0.0
/routing ospf-v3 area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=
backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-protocol=MD5
encryption-protocol=DES name=public read-access=yes security=none
write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100
disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote=:: remote-port=514 src-address=0.0.0.0
syslog-facility=daemon syslog-severity=auto target=remote
/tool user-manager customer
add backup-allowed=yes disabled=no login=admin paypal-accept-pending=no
paypal-allowed=no paypal-secure-response=no permissions=owner
signup-allowed=yes time-zone=+02:00
/tool user-manager profile limitation
add address-list="" download-limit=1073741824B group-name="" ip-pool="" name=
1GB rate-limit-min-rx=524288B rate-limit-min-tx=524288B rate-limit-rx=
524288B rate-limit-tx=524288B transfer-limit=0B upload-limit=1073741824B
uptime-limit=0s
/user group
set read name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,w
eb,sniff,sensitive,api,!ftp,!write,!policy" skin=default
set write name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,pa
ssword,web,sniff,sensitive,api,!ftp,!policy" skin=default
set full name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,
winbox,password,web,sniff,sensitive,api" skin=default
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=
no
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=
default enabled=no keepalive-timeout=60 mac-address=FE:2F:58:7C:6E:9A
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=
default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=
disabled port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192.168.1.100/24 disabled=no interface=ether1 network=192.168.1.0
add address=10.0.0.1/24 disabled=no interface=ether2 network=10.0.0.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.0.0.0/24 dhcp-option="" dns-server=10.0.0.1 gateway=10.0.0.1
ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=no cache-max-ttl=1w cache-size=2048KiB
max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=
"place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat disabled=no
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add disabled=no name=c profile=512Kbps server=Hotspot
add disabled=no name=a profile=512Kbps server=Hotspot
add disabled=no name=b profile=512Kbps server=Hotspot
/ip neighbor discovery
set ether1 disabled=no
set ether2 disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4
cache-on-disk=no enabled=no max-cache-size=none max-client-connections=
600 max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0
parent-proxy-port=0 port=8080 serialize-connections=no src-address=
0.0.0.0
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30
target-scope=10
/ip service
set telnet address="" disabled=no port=23
set ftp address="" disabled=no port=21
set www address="" disabled=no port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=no port=443
set api address="" disabled=no port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=
all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no
max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=no show-dummy-rule=yes
/ipv6 nd
set [ find default=yes ] advertise-dns=no advertise-mac-address=yes disabled=
no hop-limit=unspecified interface=all managed-address-configuration=no
mtu=unspecified other-configuration=no ra-delay=3s ra-interval=3m20s-10m
ra-lifetime=30m reachable-time=unspecified retransmit-interval=
unspecified
/ipv6 nd prefix default
set autonomous=yes preferred-lifetime=1w valid-lifetime=4w2d
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no
lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0
use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s
multiplier=5
/routing igmp-proxy
set query-interval=2m5s query-response-interval=10s quick-leave=no
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m
gateway-selection=no-gateway origination-interval=5s preferred-gateway=
0.0.0.0 timeout=1m ttl=50
/routing pim
set switch-to-spt=yes switch-to-spt-bytes=0 switch-to-spt-interval=1m40s
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no
redistribute-connected=no redistribute-ospf=no redistribute-static=no
routing-table=main timeout-timer=3m update-timer=30s
/routing ripng
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1
metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no
redistribute-connected=no redistribute-ospf=no redistribute-static=no
timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=no engine-id="" location="" trap-generators=""
trap-target="" trap-version=1
/system clock
set time-zone-name=manual
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
set [ find port=serial0 ] channel=0 disabled=no port=serial0 term=vt102
set [ find vcno=1 ] channel=0 disabled=no term=linux
set [ find vcno=2 ] channel=0 disabled=no term=linux
set [ find vcno=3 ] channel=0 disabled=no term=linux
set [ find vcno=4 ] channel=0 disabled=no term=linux
set [ find vcno=5 ] channel=0 disabled=no term=linux
set [ find vcno=6 ] channel=0 disabled=no term=linux
set [ find vcno=7 ] channel=0 disabled=no term=linux
set [ find vcno=8 ] channel=0 disabled=no term=linux
/system console screen
set blank-interval=10min line-count=25
/system gps
set channel=0 enabled=no set-system-time=no
/system hardware
set multi-cpu=yes
/system health
set state-after-reboot=enabled
/system identity
set name=MikroTik
/system lcd
set contrast=0 enabled=no port=parallel type=24x4
/system lcd page
set time disabled=yes display-time=5s
set resources disabled=yes display-time=5s
set uptime disabled=yes display-time=5s
set packets disabled=yes display-time=5s
set bits disabled=yes display-time=5s
set version disabled=yes display-time=5s
set identity disabled=yes display-time=5s
set ether2 disabled=yes display-time=5s
set ether1 disabled=yes display-time=5s
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=no mode=unicast primary-ntp=0.0.0.0 secondary-ntp=0.0.0.0
/system ntp server
set broadcast=no broadcast-addresses="" enabled=no manycast=yes multicast=no
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
set 4 cpu=auto
set 5 cpu=auto
set 6 cpu=auto
set 7 cpu=auto
set 8 cpu=auto
set 9 cpu=auto
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=
100
/tool e-mail
set address=0.0.0.0 from=<> password="" port=25 starttls=no user=""
/tool graphing
set page-refresh=300 store-every=5min
/tool mac-server
set [ find default=yes ] disabled=no interface=all
/tool mac-server mac-winbox
set [ find default=yes ] disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no
/tool sniffer
set file-limit=1000KiB file-name="" filter-ip-address="" filter-ip-protocol=
"" filter-mac-address="" filter-mac-protocol="" filter-port=""
filter-stream=yes interface=all memory-limit=100KiB memory-scroll=yes
only-headers=no streaming-enabled=no streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=10.10.10.100 log=
auth-fail name=RadServer shared-secret=xxxx use-coa=no
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s
use-radius=no

I see no reason for this not to work. Alternatively, you could even do:

ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24
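As an added example (not from the thread), here is a small Python model of how the RouterOS filter chains evaluate the two rules posted above against constructed sample flows: first match wins, an unmatched packet is implicitly accepted, and only routed traffic traverses the forward chain. The "output"-chain flow is a labelled hypothesis for the symptom "can't ping but can still open the 3G web page": the export shows transparent-proxy=yes on the hotspot user profiles, and the hotspot web proxy re-originates client HTTP from the router's own ether1 address, which a forward-chain rule matching src-address=10.0.0.0/24 never sees.

```python
"""Toy model of RouterOS /ip firewall filter evaluation for this thread's rules.

Added example, not from the thread. Flows are constructed sample traffic; only
src/dst address matching, chain selection and first-match semantics are modelled
(no connection tracking, interfaces or ports).
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    chain: str
    action: str
    src_address: Optional[str] = None  # CIDR, or None meaning "any"
    dst_address: Optional[str] = None


def rule_matches(rule: Rule, src_ip: str, dst_ip: str) -> bool:
    """A rule matches when every matcher it specifies is satisfied."""
    if rule.src_address and ipaddress.ip_address(src_ip) not in ipaddress.ip_network(rule.src_address):
        return False
    if rule.dst_address and ipaddress.ip_address(dst_ip) not in ipaddress.ip_network(rule.dst_address):
        return False
    return True


def verdict(rules: List[Rule], chain: str, src_ip: str, dst_ip: str) -> str:
    """First matching rule in the given chain wins; no match means implicit accept."""
    for rule in rules:
        if rule.chain == chain and rule_matches(rule, src_ip, dst_ip):
            return rule.action
    return "accept"


# The rule the original poster applied:
# /ip firewall filter add action=drop chain=forward dst-address=192.168.1.0/24 src-address=10.0.0.0/24
OP_RULES = [Rule("forward", "drop", src_address="10.0.0.0/24", dst_address="192.168.1.0/24")]

# The dst-only variant from the last reply: drops any forwarded traffic into the 3G LAN.
DST_ONLY_RULES = [Rule("forward", "drop", dst_address="192.168.1.0/24")]


def demo() -> dict:
    hotspot_client, modem, lan_host, internet = "10.0.0.20", "192.168.1.1", "192.168.1.50", "8.8.8.8"
    return {
        # Routed traffic from a hotspot client passes through the forward chain.
        "ping modem (forward)": verdict(OP_RULES, "forward", hotspot_client, modem),
        "internet (forward)": verdict(OP_RULES, "forward", hotspot_client, internet),
        "dst-only, other LAN host": verdict(DST_ONLY_RULES, "forward", hotspot_client, lan_host),
        # Hypothetical flow: with transparent-proxy=yes the hotspot proxy re-sends the client's
        # HTTP from the router's ether1 address, so it traverses output, not forward.
        "proxied http to modem (output)": verdict(OP_RULES, "output", "192.168.1.100", modem),
    }


if __name__ == "__main__":
    for name, action in demo().items():
        print(f"{name:32s} -> {action}")
```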