Securing a NAT setup...

I have an SXT with a usb 3G Card. All is working as advertised.

The wifi (wlan1) interface connects to a local user group (address 172.16.0.0/12)
The usb (ppp-out1) connects to the internet via 3G (default gateway)
The ethernet (eth0) connects to my local lan (192.168.1.0/24)

Currently I have the default srcnat-masquerade rule with no additional limitations on interface or IP ranges.

Is my ppp-out safe from abuse by users on the wlan? The way I see it: if a user in the same network as my wifi address sets my wifi as his gateway for his default route, my SXT will route and NAT his traffic out onto the internet. I don't want that. I want the 3G to be only NATed to my eth0 port. At the same time though I also want my wifi to NAT my local lan.

Suggestions please…

BBJ

Change the NAT rule to something like this:

/ip firewall nat
add chain=srcnat action=masquerade out-interface=ppp-out1 src-address=192.168.1.0/24

However, it would be even better if you just wrote firewall filter rules that block traffic originated from the WLAN that you don’t want to pass through the router. Just by limiting the NAT rule you’re not saying “don’t use WAN bandwidth to send this traffic”, you’re just not NATing it so it will get dropped by hops further up - it’s still using up your bandwidth though.

What the firewall filter rules would look like depends on your policy of what you’d like WLAN users to have access to, which you haven’t described yet.
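As an added example (not part of the original thread, and not an official MikroTik configuration), here is what the NAT rule together with a minimal set of forward-chain filter rules could look like. It uses the interface names (wlan1, ppp-out1, eth0) and the LAN range (192.168.1.0/24) from the question; the policy it enforces, that only hosts on eth0 may use the 3G link and nothing arriving on wlan1 may, is an assumption chosen to match what the question asks for.

```routeros
# Added example, not from the original thread. Interface names and the LAN
# range come from the question; the policy (only the LAN on eth0 may use
# the 3G link) is an assumption.

/ip firewall nat
# Masquerade only traffic that really originates in the LAN and leaves via 3G.
add chain=srcnat action=masquerade out-interface=ppp-out1 \
    src-address=192.168.1.0/24 comment="LAN -> 3G"

/ip firewall filter
# Replies to flows the router has already accepted pass first.
add chain=forward action=accept connection-state=established,related \
    comment="established/related"
# LAN hosts on eth0 may reach the internet over the 3G link.
add chain=forward action=accept in-interface=eth0 out-interface=ppp-out1 \
    comment="LAN -> 3G"
# Make attempts from the WLAN visible in the log before they are dropped.
add chain=forward action=log in-interface=wlan1 out-interface=ppp-out1 \
    log-prefix="wlan-to-3g"
# Everything else headed for the 3G link is dropped. Matching on the
# outgoing interface means a WLAN user gains nothing by picking a different
# gateway or source address: the packet still has to leave via ppp-out1.
add chain=forward action=drop out-interface=ppp-out1 \
    comment="block everything else from using 3G"
```

Rule order matters: the established/related accept comes first, the specific accept for eth0 next, and the catch-all drop last. After applying the rules, `/ip firewall filter print stats` shows the per-rule packet counters, so a rising counter on the drop rule (or log entries prefixed `wlan-to-3g`) tells you whether anyone on the WLAN is actually trying to use the 3G link.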