Limited Wifi Services

Hi All,
I am trying to configure a MikroTik CAP to provide limited wifi services through a set of firewall rules. I have been successful with WhatsApp and Be Safe (local Covid19 registration app), however I could not get Gmail going through even after enabling whole-class IP addresses, multiple servers and a variety of ports. Kindly assist if you have done something similar before.

So you are basically blocking everything and then want to “open up” for specific things like WhatsApp and the Be Safe thing? Now you also want to allow Gmail?
Just want to tell you that this way of thinking hardly works anymore in 2020, and MikroTik products are not so advanced that they easily “recognize” applications.

Did you try something like this approach?

https://www.sourceonetechnology.com/gmail-ip-address-ranges/

Why don’t you use LOGGING? You need to check each of your dropped packets and fix that recursively, and hopefully at some point things like Gmail will start to work.

In theory what you want to achieve is probably possible, but… it will be trial & error.

Thanks, yes, your assumptions are correct; the concept is to open the specifics and drop the rest at the end. Logging may work, but it is a very busy AP where many packets are dropped at a time, as it is a retail environment where 15-20 customers can log in at a time and all non-WhatsApp packets get dropped. I will review your link. Thank you.
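An added example (not part of any post in this thread): one way to make the logging suggestion workable on a busy AP is to collapse the dropped-packet log into a short list of destinations ranked by how many clients hit them. The log layout, the `DROP-GUEST` log prefix and all addresses below are assumptions constructed for illustration; adjust the regex to match your own export.

```python
import re
from collections import defaultdict

# Assumed layout of a RouterOS firewall log line produced by a drop rule
# with logging enabled; "DROP-GUEST" is a hypothetical log prefix.
LINE_RE = re.compile(
    r"proto (?P<proto>\w+).*?, "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)->"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample lines (documentation address ranges, not real servers).
SAMPLE_LOG = """\
firewall,info DROP-GUEST forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50312->198.51.100.10:993, len 60
firewall,info DROP-GUEST forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.22:50100->198.51.100.10:993, len 60
firewall,info DROP-GUEST forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.21:50313->198.51.100.10:993, len 60
firewall,info DROP-GUEST forward: in:bridge out:ether1, proto UDP, 192.168.88.21:40000->203.0.113.53:53, len 71
dhcp,info defconf assigned 192.168.88.23 to 11:22:33:44:55:66
firewall,info DROP-GUEST forward: in:bridge out:ether1, proto TCP (SYN), 192.168.88.23:51000->198.51.100.20:443, len 60
"""

def summarize_drops(lines, prefix="DROP-GUEST"):
    """Return (proto, dst, dport, packets, distinct_clients) rows,
    most widely hit destination first."""
    stats = defaultdict(lambda: {"packets": 0, "clients": set()})
    for line in lines:
        if prefix not in line:
            continue  # not written by the drop rule
        m = LINE_RE.search(line)
        if not m:
            continue  # port-less protocols (e.g. ICMP) are skipped here
        key = (m["proto"], m["dst"], int(m["dport"]))
        stats[key]["packets"] += 1
        stats[key]["clients"].add(m["src"])
    rows = [(p, d, port, s["packets"], len(s["clients"]))
            for (p, d, port), s in stats.items()]
    # Destinations hit by many different clients are the likeliest
    # candidates for a missing allow rule; retries from one client are not.
    rows.sort(key=lambda r: (-r[4], -r[3], r[1], r[2]))
    return rows

if __name__ == "__main__":
    for proto, dst, dport, packets, clients in summarize_drops(SAMPLE_LOG.splitlines()):
        print(f"{proto:4} {dst:>15}:{dport:<5} packets={packets} clients={clients}")
```

Run it against a log captured while one test client opens only Gmail, so the top rows correspond to that application rather than to the rest of the retail traffic.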

You have sent me an e-mail re above, I replied to your mail…

Yes, I did; unfortunately I did not see any read receipt nor any response yet. Something may have gone wrong. You could possibly use zeljko110465@gmail.com. Thank you.

Done…

Another approach would be to extremely control DNS lookups and control/limit clients like that.
So basically deny any client from performing a lookup to any “outside” DNS server.
Have a local DNS that will only answer certain things. E.g. if you would try to resolve *.microsoft.com, it would always return 127.0.0.1 or something.
Then you could “whitelist”, for example, mail.google.com or something.

Again, needs (a lot of) fine-tuning I think.

Interesting approach, will look into that as well. Thank you.