How to make the firewall allow non-HTTP traffic

Hi,

We have a RouterBOARD with software version 3.0 for the hotspot, which is using an x86 Level 6 licensed RADIUS server, version 3.7.

Everything we need seems to work fine, except that when a user logs in to the hotspot successfully he can only surf the web, but no other applications work. I mean no SSH, no FTP, no ICQ, etc.

By default there were no rules in the RouterBOARD's firewall.

I added the following:

/ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 chain=forward action=accept layer7-protocol=ICQ

2 chain=forward action=accept dst-port=22 protocol=tcp

3 chain=forward action=accept p2p=all-p2p protocol=tcp


But no change!

Please give me a hint about what should be changed, and where, to allow ALL traffic for the hotspot users.

I installed an unlicensed test MikroTik 3.7, which allows everything when used as a hotspot with the same RADIUS server. And it has no rules in /ip firewall filter either.

Any ideas?

Thank you!

Try disabling the hotspot and see if that changes the behavior. I suspect it will not and you have a problem in MTU or NAT, but disabling the hotspot gateway will help you narrow down where the problem might exist.

OK, I will try that, but I really have no idea what problem there could be with the MTU or NAT, as browsing works fine.

Is there something else anywhere in the configuration that could forbid (or just break) non-HTTP traffic?

The problem was that the router had no rules under
/ip firewall nat

and in this case no masquerading rule.

A command like this solved the problem:

add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=no src-address=172.16.0.0/24

It was strange that it had been working for HTTP traffic without this rule. But anyway, now all the traffic passes.
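The following is an added example, not part of the thread, showing the same fix written the way I would deploy it on a RouterOS box, plus the commands to confirm it is doing its job. The hotspot subnet 172.16.0.0/24 comes from the post; the WAN interface name ether1 is an assumption, so substitute your own. Two things worth knowing that the thread only hints at: the forward-chain accept rules added earlier had no effect because an empty filter table already accepts everything, and HotSpot installs its own dynamic NAT rules (visible with the D flag), which is the likely reason plain HTTP kept working through the hotspot's transparent web proxy while every other protocol, which needs ordinary source NAT, did not.

```routeros
# Added example (not from the original post). Assumes the hotspot
# clients live in 172.16.0.0/24 (as in the thread) and that the
# Internet-facing interface is ether1 (an assumption; use your own).

# First look at what is already there. The static list was empty in the
# poster's case, but HotSpot adds dynamic rules (flag D) of its own.
/ip firewall nat print

# Source NAT only the hotspot subnet, and only when it leaves through the
# WAN interface. Scoping on out-interface keeps the real client address
# on traffic to other internal networks, which matters for server logs
# and for tying traffic back to the RADIUS accounting session.
/ip firewall nat add chain=srcnat src-address=172.16.0.0/24 \
    out-interface=ether1 action=masquerade \
    comment="masquerade hotspot network"

# Verify while a logged-in client runs ssh or ftp:
#  - the client must appear as an active hotspot user,
#  - the packet/byte counters on the new rule must be rising,
#  - the connection table must show the client as source on a
#    non-HTTP port (here: TCP connections from the hotspot subnet).
/ip hotspot active print
/ip firewall nat print stats
/ip firewall connection print where src-address~"172.16.0." protocol=tcp
```

If the counters on the masquerade rule stay at zero while the client's connections still appear in the connection table, the traffic is leaving through an interface other than the one named in out-interface (or the client's address is outside the listed subnet); fix the rule rather than widening it to masquerade on every interface.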