Lockdown Hotspot Help

Hi Guys,

I run a WISP with a few different packages. For our most restricted package, users are put in a VLAN which has access to a MikroTik hotspot. I want to restrict those users to only being able to web browse and send and collect email, so ports 80, 443, 25, 110 & 53.

What is the easiest way of achieving this?

Thanks in advance for your help.

Darren

There’s several ways to do this. Here’s a simple one, assuming that the hotspot to restrict runs on its own VLAN:

First, via mangle insert a packet mark on undesired traffic. Here, mark all TCP traffic that is coming in on the restricted VLAN and is not destined for permitted ports as well as all UDP traffic that isn’t DNS:

/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=drop_this passthrough=yes protocol=tcp in-interface=vlan-interface dst-port=!25,53,110,443
/ip firewall mangle add chain=prerouting action=mark-packet new-packet-mark=drop_this passthrough=yes protocol=udp in-interface=vlan-interface dst-port=!53

Then add a simple drop to the firewall, firing on the packet mark:

/ip firewall filter add chain=forward action=drop packet-mark=drop_this

Hope that helps,
Felix

Thank you for your help. Will these rules block those ports or allow them? I need to block everything apart from them.

Regards
Darren

Felix’s rules will block all packets from an interface named “vlan-interface” except those destined for TCP ports 25,53,110,443 and UDP port 53. Mind you, these people will not be able to browse the internet because TCP port 80 is not included in the list. To allow browsing, just include port 80 in the list.
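The same allow-list as Felix’s mangle-and-drop approach, written as filter rules only and with TCP 80 included as the reply above notes. This is an added example, not a configuration from anyone in the thread; it assumes the restricted VLAN interface is named vlan-restricted.

```routeros
# Added example: allow-list for the restricted hotspot VLAN using filter rules only.
# Assumes the restricted VLAN interface is named "vlan-restricted" (a placeholder, not a name from the thread).
/ip firewall filter
# Replies to connections that were already permitted (stateful, so return traffic is not blocked).
add chain=forward in-interface=vlan-restricted connection-state=established,related action=accept comment="restricted: replies"
# Permitted services: web (80/443), SMTP (25), POP3 (110) and DNS over TCP (53).
add chain=forward in-interface=vlan-restricted protocol=tcp dst-port=25,53,80,110,443 connection-state=new action=accept comment="restricted: allowed tcp"
# DNS over UDP (53).
add chain=forward in-interface=vlan-restricted protocol=udp dst-port=53 action=accept comment="restricted: dns udp"
# Everything else leaving the VLAN (other ports, other protocols such as ICMP) is dropped and logged
# so that blocked attempts are visible in /log.
add chain=forward in-interface=vlan-restricted action=drop log=yes log-prefix="restricted-drop" comment="restricted: default drop"
```

These rules, like Felix’s drop rule, are appended to the end of the forward chain, so an earlier accept rule for forwarded traffic would take precedence; move them above any such rule with /ip firewall filter move. They only touch the forward chain, so traffic to the router itself (input chain), including the hotspot login page, is unaffected.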

That’s fantastic, thank you all for your help!

Regards
Darren