aliboy
newbie
Topic Author
Posts: 35
Joined: Thu Aug 01, 2019 9:09 pm

Prevent Hotspot users to access AP web interface

Thu Mar 04, 2021 7:24 am

I have a TPLink router that is configured to work in AP mode. It is connected to one of the Ethernet ports of a Mikrotik router. That port is configured to use the Hotspot Bridge.

The TPLink router got an IP address of 10.5.50.2 and its web interface is accessible from any of the Hotspot users.

I would like to prevent the other Hotspot users (or all Hotspot users) from accessing 10.5.50.2 using their browser.

I have tried the following but it didn't work:
/ip firewall filter add action=drop chain=forward dst-address=10.5.50.2 src-address=10.5.50.2-10.5.50.254
and
/ip firewall filter add action=drop chain=forward dst-address=10.5.50.2 src-address=10.5.50.0/24
and
/ip firewall filter add action=drop chain=forward dst-address=10.5.50.0/24 src-address=10.5.50.0/24

Thanks!
 
aliboy
newbie
Topic Author
Posts: 35
Joined: Thu Aug 01, 2019 9:09 pm

Re: Prevent Hotspot users to access AP web interface

Thu Mar 04, 2021 8:16 am

Is this because the traffic from the Hotspot users going to 10.5.50.2 does not reach the Mikrotik router anymore as it happens locally to the TPLink router?
 
aliboy
newbie
Topic Author
Posts: 35
Joined: Thu Aug 01, 2019 9:09 pm

Re: Prevent Hotspot users to access AP web interface

Sun Mar 07, 2021 12:01 am

Can anyone confirm this?
 
Cablenut9
Long time Member
Posts: 542
Joined: Fri Jan 08, 2021 5:30 am

Re: Prevent Hotspot users to access AP web interface

Sun Mar 07, 2021 1:08 am

The Mik can only control what passes through it. And since the TP AP acts like a simple switch between itself and its ports and the WLAN, there's no way to prevent people from accessing it, unless you change it out to a Mikrotik AP with its own Hotspot rules.

Here's something you can try but I don't know how to set up: Make a "router on a stick" setup and have the TP-Link on some VLAN, and the rest of the Hotspot network is on some other VLAN. That way, only devices with the right rules (and thus the right VLAN) can access the management interface.
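
The point made in the reply above, as an added example that is not part of any post in this thread: a small Python model of which packets ever reach the router's forward chain, evaluated against the three rules from the first post. The client address 10.5.50.37 and the separate management subnet 10.5.99.0/24 are constructed for illustration, and the model assumes bridged traffic is not handed to the IP firewall.

```python
import ipaddress

HOTSPOT_NET = "10.5.50.0/24"   # Hotspot subnet from the thread
AP_ADDR = "10.5.50.2"          # TP-Link management address from the thread

# The three drop rules from the first post: (src-address, dst-address).
TRIED_RULES = [
    ("10.5.50.2-10.5.50.254", "10.5.50.2"),
    ("10.5.50.0/24", "10.5.50.2"),
    ("10.5.50.0/24", "10.5.50.0/24"),
]

def in_spec(ip, spec):
    """True if ip falls in an address spec: single IP, CIDR, or a-b range."""
    ip = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= ip <= hi
    return ip in ipaddress.ip_network(spec, strict=False)

def is_routed(dst, client_net):
    """A client hands a packet to its gateway only when dst is outside its
    own subnet; on-link destinations are resolved by ARP and switched."""
    return ipaddress.ip_address(dst) not in ipaddress.ip_network(client_net)

def forward_verdict(src, dst, client_net, rules):
    """'bypasses-router' if the packet is never routed, otherwise the result
    of evaluating the forward-chain drop rules in order."""
    if not is_routed(dst, client_net):
        return "bypasses-router"
    for src_spec, dst_spec in rules:
        if in_spec(src, src_spec) and in_spec(dst, dst_spec):
            return "drop"
    return "accept"

if __name__ == "__main__":
    client = "10.5.50.37"  # constructed Hotspot client address
    # Same subnet as the AP: none of the tried rules is ever consulted.
    print(forward_verdict(client, AP_ADDR, HOTSPOT_NET, TRIED_RULES))
    # Hypothetical: AP management moved to its own subnet/VLAN, so the
    # traffic is routed and a forward-chain drop rule can match it.
    mgmt_rule = [("10.5.50.0/24", "10.5.99.2")]
    print(forward_verdict(client, "10.5.99.2", HOTSPOT_NET, mgmt_rule))
```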
