Hello, I have a small problem, would like to be able to deny the access to all type of user wishes to enter to enter at 172.0.0.0 rank, but that could access to all the other resources.
I have tried to form the guest profile, but I do not see it very clear. 
Somebody can help me?
From already, very many thanks.
could you be more specific what is your needs, what you already achieved, what needs to be accessed and what has to be denied?
before nothing, very many thanks to answer:).
I explain to you:
In my case, hotspot I need to discriminate between corporative users and normal user (invited or host), the invited user must be able to less have total access to everything to the 172.0.0.0 rank so that no longer can have access to cororativos resources.
That is to say, the normal one to user can go less to all sites to 172.0.0.0 (or any name that solves that same one).
txs.
I think that i can do that
I think that t I can do this, making a filter rules by firewall, and putting them in:
IP hotspot profile>
, how must be the rule?
thanks a lot.
Any idea… it’s little bit urgent… txs a lot.
Well … I put:
[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=no_172 in-interface=LAN src-address=192.168.0.0/16 dst-address=!172.0.0.0/8 protocol=tcp
connection-state=new hotspot=auth action=return
but, doesen’t works.
Can anybody help me pplase?
If you want to drop 172.0.0.0/8 network for all users or for the specific users,
use simple rule,
‘ip firewall filter add chain=forward dst-address=172.0.0.0/8 action=drop’.
Specify src-address, if you need to block access for the specific users.
As well self created chain does accept any traffic unless you have configured jump on main chains input, forward, output.
Forward is router’s users default chain.
Well I’d need to ban only de guest user from hotspot log-in.
It will works ?
I mean:
I have 2 kind of users in the hotspot:
admin (they can browse all)
guest → this user must not browse by 172.0.0.0/8
Do you want to block unauthorized users to get displayed HotSpot login page ?
No, I just want to block the 172.0.0.0/8 network to those users who are called ‘guest’ (or logged as ‘guest’)
I didi try this… without no positive result 
[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward in-interface=LAN out-interface=WAN-83 dst-address=172.0.0.0/8 hotspot=from-client
action=reject reject-with=icmp-network-unreachable
Add one rule to chain=forward,
‘ip firewall filter add action=jump jump-target=hotspot chain=forward’,
set for ‘guest’ user profile,
‘ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1’, that will redirect current profile traffoc to chain=1.
Add rule to chain 1 to drop traffic with specific dst-address,
‘ip firewall filter add chain=1 dst-address=172.0.0.0/8 action=drop’.
Hi
I have this:
[admin@MikroTik] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; To deny acces to the router via Telnet (protocol TCP, port 23)
chain=input protocol=tcp dst-port=23 action=drop
1 ;;; Drop Invalid connections
chain=input connection-state=invalid action=drop
2 ;;; Allow Established connections
chain=input connection-state=established action=accept
3 ;;; Allow UDP
chain=input protocol=udp action=accept
4 ;;; Allow ICMP
chain=input protocol=icmp action=accept
5 ;;; drop invalid connections
chain=forward protocol=tcp connection-state=invalid action=drop
6 ;;; Allow already established connections
chain=forward connection-state=established action=accept
7 ;;; allow related connections
chain=forward connection-state=related action=accept
8 ;;; deny BackOriffice
chain=udp protocol=udp dst-port=3133 action=drop
9 ;;; drop invalid connections
chain=icmp protocol=icmp icmp-options=0:0 action=accept
10 ;;; allow established connections
chain=icmp protocol=icmp icmp-options=3:0 action=accept
11 ;;; allow already established connections
chain=icmp protocol=icmp icmp-options=3:1 action=accept
12 chain=forward action=jump jump-target=hotspot
13 chain=1 dst-address=172.0.0.0/8 action=drop
[admin@MikroTik] ip hotspot user> print
Flags: X - disabled, D - dynamic
# SERVER NAME ADDRESS PROFI
0 admin defau
1 invitado invi1
Invitado = guest (in spanish)
great!!! it works!!!
I’d need one more a functionality:
If ‘geust’ try to access at 172.0.0.0 /8 then, he must be returned at advertise URL that must to say ‘You Don’t have permission’ or somethig like this.
Can it be ?
thanks a lot!
Can it be with the NAT menu?
I’m triying…
Yes, it can be done by NAT, e.g. to redirect user with address=1.1.1.1 to web-page with address=2.2.2.2,
‘ip firewall nat add action=dstnat dst-address=1.1.1.1 action=dst-nat to-addresses=2.2.2.2’
Then for my it would be:
ip firewall nat add action=dstnat dst-address=172.0.0.0/8 action=dst-nat to-addresses=192.168.1.1
But… how could I do to do that NAT rule works only for the user 'guest?
thanks a lot
Who is user guest ?
The called user ‘guest’ is that one that will not be able to accede to 172.0.0.0 /8 and that when it tries to accede to that rank will be redirected to 192.168.1.1
And… how ca I to assign to that user (guest)?
This rule makes that you say ?
txs.
I tried this:
chain=dstnat src-address=178.0.0.0/8 hotspot=to-client action=dst-nat to-addresses=192.168.1.1 to-ports=0-65535
It’s correct?