How to isolate Hotspot from virtual AP?

jusis · October 5, 2010, 12:59pm

I have a hotspot service for guests (wlan1) and AP running for a local usage, for users in office (wlan2 virtual AP), everything works fine, except that i dont want that hotspot users could access local resources, servers etc. , for now hotspot users can access local resources. What should i change in configuration that hotspot users can access everything except 192.168.10.0/24 network?
I made hotspot from this manual http://www.marlwifi.org.nz/projects/basic-mt-hotspot

My configuration:
Router: RB/433AHN-WKIT

ether1 ISP connection IP 158.149.X.X
ether2 local network 192.168.10.X
wlan1 hotspot 192.168.0.X
wlan2 virtual AP 192.168.10.X

ether2 and wlan2 are bridged

fewi · October 5, 2010, 1:13pm

After packets make it through the Hotspot they are in the forward chain and can be fire walled like any other traffic

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.10.0/24 action=drop

Keep in mind that the Hotspot proxies HTTP requests so clients on the Hotspot may be able to access web servers within the 192.168.10.0/24 subnet even with that drop rule. If that is an issue post again and I’ll reply with configuration to lock that down, too.

jusis · October 5, 2010, 1:19pm

Thanks for swift reply!
Yes, i want that hotspot can`t access local web servers too.

fewi · October 5, 2010, 1:34pm

Then the simplest option is this:

/ip firewall nat
add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept

You will no longer be able to use the advertising function of the Hotspot and inserts ads when users load web pages in their browser, but hey will also no longer be able to access web servers on the office subnet.

jusis · October 5, 2010, 1:38pm

Thanks a lot, thats what i need, i does not use advertising feature of hotspot.

jusis · October 5, 2010, 1:47pm

Hotspot users can`t access any web resource after that:

/ip firewall nat
add chain=pre-hotspot hotspot=auth dst-address-type=!local action=accept

I did both, this too:

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.10.0/24 action=drop

fewi · October 5, 2010, 1:54pm

That is a little baffling. Does it work with the NAT rule removed?

jusis · October 5, 2010, 1:57pm

Sorry! My fault! Your code works excellent! I forgot about browser proxy configuration

fewi · October 5, 2010, 2:19pm

Ah, that would do it! I’m glad it’s working.