Limiting trial users on hotspot

Hi,

I have a RB2011L-IN with hotspot configured on it. Users can log in using HTTP CHAP and Trial.
What I would like to do is limit trial users so that they can only send HTTP traffic.

I have set up a firewall rule on a separate chain ‘trialChain’ to do just that, and I’ve configured a separate user profile for trial users with ‘trialChain’ as the outgoing filter.

But it appears that this firewall chain receives no traffic at all. So I guess the problem lies with the ‘Outgoing filter’ setting in the user profile.

Is ‘Outgoing filter’ the correct setting to use or am I using it incorrectly?

Export of current config:
# Hotspot part of the export: server profiles, user profiles, the hotspot
# server itself and one local user.
# NOTE(review): the listing looks re-wrapped (a line ending in "name=" is
# followed by its value on the next line) and the quotes are typographic, so it
# is presumably not pasteable back into a terminal as shown.

# Default server profile: login by cookie or HTTP CHAP, no RADIUS.
/ip hotspot profile
set [ find default=yes ] dns-name=“” hotspot-address=0.0.0.0 html-directory=
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=
cookie,http-chap name=default rate-limit=“” smtp-server=0.0.0.0
split-user-domain=no use-radius=no
# User profiles. The default profile carries no filter chain.
/ip hotspot user profile
set [ find default=yes ] name=default shared-users=unlimited
status-autorefresh=1m transparent-proxy=no
# trialUP is the profile given to trial logins (see trial-user-profile below).
# It names trialChain as outgoing-filter and sets no incoming-filter.
# NOTE(review): MikroTik's hotspot documentation describes outgoing-filter as
# the chain for packets going TO the client and incoming-filter as the chain for
# packets coming FROM the client. Restricting what trial users send therefore
# looks like a job for incoming-filter - confirm on this RouterOS version.
# NOTE(review): the same documentation says both settings need a jump rule from
# a built-in chain to chain=hotspot; no such jump rule appears in this export.
add advertise=no name=trialUP open-status-page=always outgoing-filter=
trialChain shared-users=unlimited status-autorefresh=1m
transparent-proxy=yes
# Server profile used by hotspot1: HTTP CHAP and trial logins, with trial
# sessions limited by trial-uptime=30m/1d and mapped to the trialUP user profile.
/ip hotspot profile
add dns-name=login.poiel.org hotspot-address=192.168.1.1 html-directory=
hotspot http-proxy=0.0.0.0:0 login-by=http-chap,trial name=hsprof1
rate-limit=“” smtp-server=0.0.0.0 split-user-domain=no trial-uptime=
30m/1d trial-user-profile=trialUP use-radius=no
# The hotspot server: bound to interface LAN, one address per MAC, 5m idle timeout.
/ip hotspot
add address-pool=dhcp_pool1 addresses-per-mac=1 disabled=no idle-timeout=5m
interface=LAN keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot service-port
set ftp disabled=no ports=21
# Single local hotspot user on the default profile (password masked in the post).
/ip hotspot user
add disabled=no name=admin password=****** profile=default

# Firewall part of the export: connection tracking timeouts, filter rules,
# NAT rules and the connection-tracking service ports (helpers).
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s
tcp-close-wait-timeout=10s tcp-established-timeout=1d
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
# The only rule in trialChain: reject TCP packets whose destination port is
# not 80. No rule in this export jumps to trialChain from a built-in chain.
# NOTE(review): the match is protocol=tcp only, so UDP, ICMP and other non-TCP
# traffic is not matched here and is not restricted by this chain. If the goal
# is "HTTP only", the chain presumably needs explicit accepts (TCP/80, plus
# whatever name resolution the clients need) followed by a final drop/reject.
# NOTE(review): dst-port=!80 is a test on the destination port, which only
# identifies HTTP in the client-to-server direction; on reply packets the
# destination is the client's ephemeral port.
add action=reject chain=trialChain disabled=no dst-port=!80 protocol=tcp
reject-with=icmp-port-unreachable
# Disabled placeholder rule in unused-hs-chain.
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes
/ip firewall nat
# Disabled placeholder rule in unused-hs-chain.
add action=passthrough chain=unused-hs-chain comment=
“place hotspot rules here” disabled=yes to-addresses=0.0.0.0
# Masquerade everything leaving through WAN, and separately anything sourced
# from 192.168.1.0/24 (the hotspot network, per the rule's own comment).
add action=masquerade chain=srcnat disabled=no out-interface=WAN
add action=masquerade chain=srcnat comment=“masquerade hotspot network”
disabled=no src-address=192.168.1.0/24 to-addresses=0.0.0.0
# All listed service ports (ftp, tftp, irc, h323, sip, pptp) are enabled.
# NOTE(review): on a network that serves trial users it is worth checking
# which of these are actually needed and disabling the rest.
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Thanks in advance