tombee79
Member Candidate
Topic Author
Posts: 246
Joined: Sun May 09, 2010 2:28 am

How to ban all hotspot users from hacking my inside subnets

Tue Jan 15, 2013 2:23 am

Hi

I have a hotspot and am trying to ban clients from my internal network (I have a few test subnets, one of which is used to manage access point devices). I don't want them to have access to those devices: no pinging, tracerouting, SMB file sharing etc. THEY CAN ONLY GO TO THE INTERNET, that's it.


I know I can disable all of it, the protocols, ports etc., but that is getting too complicated because as admin I want to be able to go everywhere.

I tried to use the Walled Garden IP list in my hotspot panel, without luck; it only works when I explicitly create a firewall rule to block users accessing my router, that is: INPUT chain, source IP net 192.168.0.0/16, action=drop

E.g. hotspot subnet: 192.168.100.1/24

It works, they can not ping the router, but users can still ping all my PCs on my admin subnet: 192.168.88.1/24

I tried with the FORWARD chain with no luck.

Thanks for your help
 
tws101
Member Candidate
Posts: 283
Joined: Thu Sep 08, 2011 11:25 pm

Re: How to ban all hotspot users from hacking my inside subnet

Thu Jan 17, 2013 11:21 pm

Forward
drop
src=192.168.100.0/24
dst=192.168.0.0/16

That rule will stop all but the router.
 
tombee79
Member Candidate
Topic Author
Posts: 246
Joined: Sun May 09, 2010 2:28 am

Re: How to ban all hotspot users from hacking my inside subnet

Tue Jan 29, 2013 4:12 am

Thanks man, I really appreciate that.

I still can not figure out how to do the last thing. F.Y.I., all work except one rule.

;;; Drop all hotspot clients accessing ISP subnets.
chain=forward action=drop src-address-list=hotspotSubnet hotspot=""
out-interface=!ether1-gateway

This is my address list: the list of hotspot subnets to drop when they try to sneak into my own ISP subnet, that is 192.168.88.0/24. The Radius server has IP 192.168.88.5 on that subnet.

I don't know why it works OK. From my understanding the firewall rule should ban the hotspot from accessing the Radius server 192.168.88.5. The hotspot is on the MTik box, IP 192.168.44.1/24. Why doesn't the rule block the hotspot from accessing the Radius server?

I have the server IP address in the walled garden to allow access, but I have the one firewall filter rule, the one above, to block all the IPs from the hotspot subnets trying to access any inside subnet except the WAN, Internet 0.0.0.0.

Just curious, why does it work when it should not, from my understanding?

Thx for input
 
tws101
Member Candidate
Posts: 283
Joined: Thu Sep 08, 2011 11:25 pm

Re: How to ban all hotspot users from hacking my inside subnet

Tue Feb 05, 2013 11:01 pm

They are probably slipping out with dst address 0.0.0.0/0.

Have you tagged the traffic and defined Internet routes for dst address 0.0.0.0/0?
 
gazzamit
just joined
Posts: 21
Joined: Tue Jul 02, 2013 11:50 am

Re: How to ban all hotspot users from hacking my inside subnet

Sat Jul 06, 2013 7:02 pm

Try entering all allow rules in the forward chain, then as the last rule just forward and drop (no entries).

So allow forward to the Internet, allow forward from your admin computer IP to the admin IPs of the network, and as the last rule forward drop. This way you specify the routes you want to allow, then drop any other forward (can be protocol specific, like ping).
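As an added example (not posted by anyone in this thread), here is how tws101's forward drop and gazzamit's allow-list-then-default-drop layout look together as a RouterOS filter set. Subnets and the WAN interface name come from the thread (hotspot 192.168.100.0/24, admin LAN 192.168.88.0/24, ether1-gateway); the admin PC address 192.168.88.10 and the access-point management subnet 192.168.50.0/24 are assumptions for illustration.

```routeros
# Added example, not from the original posts. Assumed values: admin PC
# 192.168.88.10, AP management subnet 192.168.50.0/24.

/ip firewall address-list
add list=hotspotSubnet address=192.168.100.0/24 comment="hotspot client range"
add list=privateNets address=192.168.0.0/16 comment="all internal subnets"

/ip firewall filter
# Return traffic for allowed connections never reaches the rules below.
add chain=forward action=accept connection-state=established,related \
    comment="accept established/related"
add chain=forward action=drop connection-state=invalid comment="drop invalid"

# tws101's rule, matched on destination address instead of out-interface,
# so the match does not depend on which route the packet takes.
add chain=forward action=drop src-address-list=hotspotSubnet \
    dst-address-list=privateNets comment="hotspot clients -> internal: drop"

# Hotspot clients may only go out the WAN.
add chain=forward action=accept src-address-list=hotspotSubnet \
    out-interface=ether1-gateway comment="hotspot clients -> Internet"

# Explicit admin allow: admin PC to the AP management subnet.
add chain=forward action=accept src-address=192.168.88.10 \
    dst-address=192.168.50.0/24 comment="admin PC -> AP management"

# Other internal subnets still get Internet access.
add chain=forward action=accept src-address-list=privateNets \
    out-interface=ether1-gateway comment="internal -> Internet"

# gazzamit's last rule: anything not explicitly allowed above is dropped.
add chain=forward action=drop comment="default forward drop"
```

Rule order matters: the hotspot drop sits above the hotspot Internet accept, and the bare drop is last, so any new flow you have not listed is denied rather than silently forwarded.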
