Here's the scenario I'm trying to build:
Multiple Hotspot users with 3 different user profiles
Profile 1: No internet access
Profile 2: Internet access but blocking specific sites (e.g. Facebook, YouTube...)
Profile 3: Unrestricted internet access
I'm able to configure the hotspot, and users are able to navigate, but when I try to set the incoming filter and outgoing filter on the user profile, I'm unable to block according to the 3 profiles above.
A jump filter rule is created, dynamic, and then I use L7 to block, but with no success.
Here's the configuration:
/ip hotspot user profile
set [ find default=yes ] rate-limit=10M/10M transparent-proxy=yes
add incoming-filter=hs-p1 name=profile1 outgoing-filter=hs-p1 rate-limit=5M/5M \
transparent-proxy=yes
add incoming-filter=hs-p2 name=profile2 outgoing-filter=hs-p2 \
transparent-proxy=yes
add incoming-filter=hs-p3 name=profile3 outgoing-filter=hs-p3 \
transparent-proxy=yes
/ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 D chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
11 X ;;; place hotspot rules here chain=unused-hs-chain action=passthrough log=no log-prefix=""
12 D chain=hotspot action=jump jump-target=hs-p1 src-address=10.0.0.50
13 D chain=hotspot action=jump jump-target=hs-p1 dst-address=10.0.0.50
14 D chain=hotspot action=jump jump-target=hs-p2 src-address=10.0.0.48
15 D chain=hotspot action=jump jump-target=hs-p2 dst-address=10.0.0.48
The last 4 rules (chain hotspot, jump-target: hs-px) are created automatically after setting the incoming and outgoing filter in the user profile. I've tried the following firewall rule without success:
add action=drop chain=hs-p1 layer7-protocol="Block Facebook" protocol=tcp \
src-port=80,443
Thanks a lot
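
One way to audit the rule set printed above, as an added example that is not part of the original post: the Python below parses the `/ip firewall filter print` lines and lists the chains that no enabled jump path from a built-in chain (input, forward, output) ever reaches. MikroTik's hotspot user profile documentation notes that the incoming and outgoing filters need a jump rule from a built-in chain to chain=hotspot; the function names here are assumptions of this example.

```python
import re

# Rules as printed in the post (rule 1 is truncated there and kept as-is).
PRINTED = """\
0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!aut>
2 D chain=input action=jump jump-target=hs-input hotspot=from-client
3 D chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875
4 D chain=hs-input action=jump jump-target=pre-hs-input
5 D chain=hs-input action=accept protocol=udp dst-port=64872
6 D chain=hs-input action=accept protocol=tcp dst-port=64872-64875
7 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
8 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
9 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
10 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
11 X ;;; place hotspot rules here chain=unused-hs-chain action=passthrough log=no
12 D chain=hotspot action=jump jump-target=hs-p1 src-address=10.0.0.50
13 D chain=hotspot action=jump jump-target=hs-p1 dst-address=10.0.0.50
14 D chain=hotspot action=jump jump-target=hs-p2 src-address=10.0.0.48
15 D chain=hotspot action=jump jump-target=hs-p2 dst-address=10.0.0.48
"""
BUILTIN = {"input", "forward", "output"}  # chains the packet flow enters directly

def parse_rules(text):
    """Yield (disabled, {key: value}) for each printed rule line."""
    for line in text.splitlines():
        m = re.match(r"\s*\d+\s+((?:[XID]\s+)*)", line)  # rule number, then flags
        if m:
            yield "X" in m.group(1), dict(re.findall(r"([\w-]+)=(\S+)", line))

def unreachable_chains(text):
    """Chains that no enabled jump path from a built-in chain ever reaches."""
    edges, seen_chains = {}, set()
    for disabled, kv in parse_rules(text):
        if disabled or "chain" not in kv:
            continue  # disabled rules never match traffic
        seen_chains.add(kv["chain"])
        if kv.get("action") == "jump":
            edges.setdefault(kv["chain"], set()).add(kv["jump-target"])
            seen_chains.add(kv["jump-target"])
    reached, todo = set(BUILTIN), list(BUILTIN)
    while todo:  # walk the jump graph outward from the built-in chains
        for target in edges.get(todo.pop(), ()):
            if target not in reached:
                reached.add(target)
                todo.append(target)
    return sorted(seen_chains - reached)
```

Called on the printed rules, `unreachable_chains(PRINTED)` reports `hotspot`, `hs-p1` and `hs-p2`: nothing in the listing jumps to chain=hotspot, so rules placed in the per-profile chains are never evaluated.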