Hi Folks,
I’m trying to use the firewall to stop hotspot users from reaching 172.16.42.2-172.16.42.254, but I’m not having any luck. What am I missing here?
[admin@rb1.domehq] > export compact hide-sensitive
# jul/07/2014 15:12:05 by RouterOS 6.15
# software id = 0ZZB-EWWY
#
# Export taken with "hide-sensitive": wireless PSKs and hotspot user
# passwords are deliberately omitted from this listing.
/interface bridge
add l2mtu=1600 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=5745 frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan1-5G rx-chains=\
0,1 ssid="Magrathea 5G" tdma-period-size=auto tx-chains=0,1 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n country="united states" disabled=no distance=indoors frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan2-2G rx-chains=0,1 ssid=Magrathea tdma-period-size=auto \
tx-chains=0,1 wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=0s mode=dynamic-keys supplicant-identity=MikroTik
# Separate profile for the guest SSID; it additionally allows wpa-psk (TKIP-era WPA1).
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=guest supplicant-identity=""
/interface wireless
# Guest SSID is a virtual AP on wlan2-2G. Unlike wlan1-5G/wlan2-2G it is NOT a
# bridge1 port (see /interface bridge port below), so guest traffic is routed
# through the router into 172.16.42.0/24 rather than bridged onto it.
add disabled=no l2mtu=1600 mac-address=4E:5E:0C:10:CB:5D master-interface=wlan2-2G name=wlan3-guest-2G security-profile=guest ssid="Dome Guest" wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
add dns-name=hotspot.domehq hotspot-address=192.168.88.1 login-by=cookie,http-chap,mac-cookie name=hsprof1 rate-limit=1M/1M
/ip pool
add name=hs-pool-6 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=hs-pool-6 authoritative=yes disabled=no interface=wlan3-guest-2G lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-6 disabled=no idle-timeout=1h interface=wlan3-guest-2G name=hotspot1 profile=hsprof1
/ip hotspot user profile
# shared-users=unlimited combined with the single "guest" account below means
# hotspot sessions are not attributable to an individual user.
set [ find default=yes ] address-pool=hs-pool-6 idle-timeout=none keepalive-timeout=1h mac-cookie-timeout=3d session-timeout=1h shared-users=unlimited
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1-5G
add bridge=bridge1 interface=wlan2-2G
/ip address
# NOTE(review): ether1 is a bridge1 port yet carries the static LAN address, while
# bridge1 itself runs a DHCP client (below) -- confirm which interface actually
# ends up holding the 172.16.42.x address.
add address=172.16.42.20/24 interface=ether1 network=172.16.42.0
add address=192.168.88.1/24 comment="hotspot network" interface=wlan3-guest-2G network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1
/ip dhcp-server network
# Hotspot clients are handed 172.16.42.1 as their DNS server -- a host inside the
# LAN range the reject rule below is meant to block. Any block of that range
# therefore needs a DNS (port 53) accept placed above it (see reply in thread).
add address=192.168.88.0/24 comment="hotspot network" dns-server=172.16.42.1 gateway=192.168.88.1
/ip dns
set servers=172.16.42.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# NOTE(review): this is the rule the thread is about, and as written it cannot match:
#  - chain=input only sees traffic addressed to the router itself; client traffic
#    routed to 172.16.42.x hosts traverses chain=forward (see reply in thread).
#  - dst-address-list expects the *name* of a list in /ip firewall address-list;
#    a bare range here just names a list with no members.
add action=reject chain=input dst-address-list=172.16.42.2-172.16.42.254 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# Guest traffic leaves toward the LAN NATed to the router's own address; srcnat
# is applied after forward, so a forward rule should still see 192.168.88.x sources.
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
# Single shared guest account (password hidden by the export).
add limit-uptime=3h name=guest server=hotspot1
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip route
add distance=1 gateway=172.16.42.1
/ip service
set www-ssl disabled=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=rb1.domehq
/system leds
set 0 interface=wlan1-5G
# NOTE: the leds= value on the next line is cut off in this paste; the later
# export in the thread shows the full list.
add interface=wlan2-2G leds=wlan2-2G_signal1-led,wlan2-2G_signal2-led,wlan2-2G_signal3-led,wlan2-
add interface=wlan2-2G leds=wlan2-2G_tx-led type=interface-transmit
add interface=wlan2-2G leds=wlan2-2G_rx-led type=interface-receive
add interface=bridge1 leds=user-led type=interface-activity
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=watchdog
add prefix=debug topics=wireless
/system ntp client
set enabled=yes primary-ntp=66.228.38.73 secondary-ntp=209.114.111.1
/system routerboard settings
set cpu-frequency=600MHz
/system watchdog
set watchdog-timer=no
Your reject rule needs to be on the forward chain not the input chain.
Thank you. I made that change but it had no effect.
I admit I’m practically useless with Linux iptables. I’ll have to study up. But any other ideas in the meantime are appreciated.
Change this rule (from first post)
/ip firewall filter add action=reject chain=input dst-address-list=172.16.42.2-172.16.42.254 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
to this
/ip firewall filter add action=reject chain=forward dst-address=172.16.42.0/24 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
To use an address-list properly, you must first populate the list with entries and then refer to the list by name in the rule. Since you are blocking the full subnet, you may as well do so with CIDR notation.
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Address_list
I question whether I should block the whole subnet since 172.16.42.1 is the default gateway and DNS, but I tried anyway to see what would happen. No effect.
e
# jul/08/2014 00:04:43 by RouterOS 6.15
# software id = 0ZZB-EWWY
#
# Second export, after the replies in the thread: the reject rule is now on
# chain=forward and matches a real address list. Still exported with
# "hide-sensitive", so PSKs and hotspot passwords are omitted.
/interface bridge
add l2mtu=1600 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=\
5ghz-onlyn channel-width=20/40mhz-Ce \
country="united states" disabled=no \
distance=indoors frequency=5745 \
frequency-mode=regulatory-domain l2mtu=\
1600 mode=ap-bridge multicast-helper=full \
name=wlan1-5G rx-chains=0,1 ssid=\
"Magrathea 5G" tdma-period-size=auto \
tx-chains=0,1 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=\
2ghz-b/g/n country="united states" \
disabled=no distance=indoors \
frequency-mode=regulatory-domain l2mtu=\
1600 mode=ap-bridge multicast-helper=full \
name=wlan2-2G rx-chains=0,1 ssid=Magrathea \
tdma-period-size=auto tx-chains=0,1 \
wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=\
wpa2-psk group-key-update=0s mode=\
dynamic-keys supplicant-identity=MikroTik
# Separate profile for the guest SSID; it additionally allows wpa-psk (WPA1).
add authentication-types=wpa-psk,wpa2-psk \
eap-methods="" management-protection=\
allowed name=guest supplicant-identity=""
/interface wireless
# Guest SSID is a virtual AP on wlan2-2G and is not a bridge1 port, so guest
# traffic is routed (and firewalled) by the router rather than bridged to the LAN.
add disabled=no l2mtu=1600 mac-address=\
4E:5E:0C:10:CB:5D master-interface=\
wlan2-2G name=wlan3-guest-2G \
security-profile=guest ssid="Dome Guest" \
wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
add dns-name=hotspot.domehq hotspot-address=\
192.168.88.1 login-by=\
cookie,http-chap,mac-cookie name=hsprof1 \
rate-limit=1M/1M
/ip pool
add name=hs-pool-6 ranges=\
192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=hs-pool-6 authoritative=yes \
disabled=no interface=wlan3-guest-2G \
lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-6 disabled=no \
idle-timeout=1h interface=wlan3-guest-2G \
name=hotspot1 profile=hsprof1
/ip hotspot user profile
# shared-users=unlimited with the single "guest" account below: sessions are
# not attributable to an individual user.
set [ find default=yes ] address-pool=\
hs-pool-6 idle-timeout=none \
keepalive-timeout=1h mac-cookie-timeout=3d \
session-timeout=1h shared-users=unlimited
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1-5G
add bridge=bridge1 interface=wlan2-2G
/ip address
# NOTE(review): static LAN address sits on ether1, which is a bridge1 port, while
# bridge1 runs a DHCP client -- confirm which interface really holds 172.16.42.x.
add address=172.16.42.20/24 interface=ether1 \
network=172.16.42.0
add address=192.168.88.1/24 comment=\
"hotspot network" interface=wlan3-guest-2G \
network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=\
bridge1
/ip dhcp-server network
# Clients get 172.16.42.1 as DNS, which is inside the LAN list below; the reject
# rule will also reject client DNS unless an accept for TCP/UDP 53 is placed
# above it (as the reply in the thread suggests).
add address=192.168.88.0/24 comment=\
"hotspot network" dns-server=172.16.42.1 \
gateway=192.168.88.1
/ip dns
set servers=172.16.42.1
/ip firewall address-list
# The list the forward rule refers to by name; whole LAN subnet in CIDR form.
add address=172.16.42.0/24 list=LAN
/ip firewall filter
add action=passthrough chain=unused-hs-chain \
comment="place hotspot rules here" \
disabled=yes
# NOTE(review): now on chain=forward with a populated list, which is the right shape.
# The thread reports it still has no effect; the reply suggests checking the rule's
# hit counter and, to rule out the interface match, matching on addresses only
# (src-address=192.168.88.0/24 dst-address=172.16.42.0/24 without in-interface).
# The hotspot also installs dynamic rules of its own -- presumably evaluated
# before this one; verify with the rule list/counters.
add action=reject chain=forward \
dst-address-list=LAN in-interface=\
wlan3-guest-2G reject-with=\
icmp-admin-prohibited
/ip firewall nat
add action=passthrough chain=unused-hs-chain \
comment="place hotspot rules here" \
disabled=yes
# srcnat is applied after forward, so the forward rule above should still see
# the original 192.168.88.x source addresses.
add action=masquerade chain=srcnat comment=\
"masquerade hotspot network" src-address=\
192.168.88.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
# Single shared guest account (password hidden by the export); the earlier
# export's limit-uptime=3h is no longer present.
add name=guest server=hotspot1
/ip hotspot walled-garden
add comment="place hotspot rules here" \
disabled=yes
/ip route
add distance=1 gateway=172.16.42.1
/ip service
set www-ssl disabled=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=rb1.domehq
/system leds
set 0 interface=wlan1-5G
add interface=wlan2-2G leds="wlan2-2G_signal1-l\
ed,wlan2-2G_signal2-led,wlan2-2G_signal3-le\
d,wlan2-2G_signal4-led,wlan2-2G_signal5-led\
" type=wireless-signal-strength
add interface=wlan2-2G leds=wlan2-2G_tx-led \
type=interface-transmit
add interface=wlan2-2G leds=wlan2-2G_rx-led \
type=interface-receive
add interface=bridge1 leds=user-led type=\
interface-activity
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=watchdog
add prefix=debug topics=wireless
/system ntp client
set enabled=yes primary-ntp=66.228.38.73 \
secondary-ntp=209.114.111.1
/system routerboard settings
set cpu-frequency=600MHz
/system watchdog
set watchdog-timer=no
The default gateway doesn’t matter, as it is the gateway for your router, not for the clients; even if it were, blocking it still wouldn’t break anything. DNS does matter, but you can simply add an allow rule above the reject that permits only DNS (TCP/UDP port 53).
Do you see hits on your rule? Try making it a purely IP-based rule: src-address=192.168.88.0/24 dst-address=172.16.42.0/24, and remove the in-interface match.
Hello, I have a question. I have a network with hotspots, but when my users connect and go to Windows -> LAN, they can see other users’ PCs.
How can I make it so that users cannot see each other on my network?