Restricting access to router before MikroTik, and WiFi not working as it should... help needed.

Hello,
I managed to set up a MikroTik router for our restaurant. I have two problems:

  1. I would like to block our customers who use the Hotspot from accessing the DSL modem.
  2. I’ve set up Wireless in my home, and it worked as it should but when I’ve moved the router to the destination location I can’t connect to it. I’m using a MacBook.

Ok so my setup is like this:

DSL Router with DHCP server (192.168.1.1) → MikroTik
MikroTik config:

  • ether1 - a DHCP Client for the DSL router (WAN)
  • ether2 - a DHCP Server for LAN 192.168.2.0/24
  • ether3 - a DHCP Server for TP-Link Router with the Hotspot 192.168.4.0/24
  • ether4 - off
  • ether5 - off
  • wlan1 - bridged with ether2

TP-Link Router (on DD-WRT):
DHCP Server 192.168.5.0/24 - using 2 ethernet ports for Apple TV
On WiFi there is a Hotspot DHCP Server 192.182.1.0 (or something like that)

I do not want my clients connected to the Hotspot to try to hack into the MikroTik - I managed to do that using Firewall rules. But I also do not want them to have access to the DSL router, as its security is weak but it’s also the WAN gateway.

I would like to connect to the service Wireless but I can’t with my macOS :confused: I could at my home, and almost nothing changed.

How to make this happen and how to fix the WiFi problem ?

Why don’t you put the modem in bridge mode and have the ISP connection on the MikroTik? Or how can the clients access the DSL? Does it not have a password? You can add a drop forward rule with source hotspot subnet, destination gateway, proto TCP, dst-port 80, if 80 is the port of the web management interface of the DSL.

Sent from my Lenovo K50-t5 using Tapatalk

I’ve made a mistake, it’s an ADSL modem, so this is why :frowning: Mikrotik has no port for a telephone cable.

OK, then block incoming connections from wlan to the modem IP, dst port 80.
Adapt this rule for you:

 ip firewall filter add chain=forward protocol=tcp dst-port=80 dst-address=xxx.xxx.xxx.xxx in-interface=wlan1 out-interface=ether1-gateway action=drop

You can use dst-address=!youripaddress to block the whole subnet but allow yourself if you have a static IP.

Won’t it block the internet connection?

Put your ADSL modem into BRIDGE mode. Then make PPPoE client in your Mikrotik to dial your ADSL.
Then your ADSL modem will be invisible for your customers.

telephone wire RJ11 <=> RJ11 bridge ADSL modem RJ45 <=> RJ45 WAN Mikrotik router

No, it will not block the internet connection. It will only block requests coming from the wireless interface that try to connect to the modem IP on port 80, which is the management interface of the modem.

@Plea I don’t know if it can be done, as the internet provider gives me only a user account on the router. I can change a few things but not all of them. I will check it up.

@Kianuel - I will check it tomorrow

Guys, any ideas regarding the WiFi access problems on my Mac?

What problems?

I’ve described them in the first post :wink:

No idea, but if you can connect with a cable, try to log wireless and DHCP; maybe you will see what is happening.

Where can I set it up? As the main log is not so detailed.

I’m sorry to say but your rule doesn’t work :confused:

Please be more specific… why is it not working? Syntax? Or does it not block your traffic? Make sure you inserted the rule before forward accept all.
For logging:

 sys logging add topics=wireless action=memory

It doesn’t block traffic. I will try to move the rule on the top of rules.
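
The drop rule discussed in this thread, adapted to the addressing given in the first post, as an added example that is not from any of the posters. It assumes the hotspot router is plugged into ether3 and the DSL router sits at 192.168.1.1 behind ether1, as described there; the comments, the log prefix and the optional DNS rule are illustrative choices.

```routeros
# Added example, not from the thread. Assumptions taken from the first post:
#   ether1 = WAN towards the DSL router (192.168.1.1)
#   ether3 = port the TP-Link hotspot router is plugged into
# If the TP-Link NATs its clients, guest traffic reaches the MikroTik with the
# TP-Link's own 192.168.4.x address, so the rules match on the ingress port
# instead of on a guest subnet.

/ip firewall filter

# Assign item numbers so that place-before=0 refers to the current first rule.
print

# 1) Drop anything from the hotspot port addressed to the DSL router itself.
#    Internet traffic is unaffected: its destination is a public address and
#    the DSL router is only the next hop, not the dst-address.
add chain=forward in-interface=ether3 dst-address=192.168.1.1 action=drop \
    log=yes log-prefix="hotspot-to-modem" place-before=0 \
    comment="hotspot: no access to DSL router"

# 2) Optional, only if hotspot clients are handed 192.168.1.1 as their DNS
#    server: allow DNS. It is added second with place-before=0 so that it ends
#    up above the drop rule.
add chain=forward in-interface=ether3 dst-address=192.168.1.1 protocol=udp \
    dst-port=53 action=accept place-before=0 \
    comment="hotspot: DNS to DSL router"

# Check the final order (accept DNS, then drop, then the existing rules) and
# watch the packet counters while browsing to 192.168.1.1 from a guest device.
print stats where comment~"hotspot"
```

If the drop rule's counter stays at zero during the test, the traffic is not arriving on the interface named in `in-interface`.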