
Hotspot allow addresslist and drop rest

Posted: Mon Oct 07, 2019 2:29 pm
by harjeetv
Hi,

I have been trying to allow only a certain IP pool for hotspot authentication and drop all others for a single Ethernet port.

Configuration is as follows:
/ip firewall address-list
add address=172.16.118.64/26 comment="Ether 5 Allowed Client IP's" list="ether5 allowed ip"

# this rule is in position 0
/ip firewall filter
add action=drop chain=input in-interface=ether5 log=yes log-prefix="Dropped " src-address-list="!ether5 allowed ip"

Still, I can see other IP addresses being authenticated from ether5 for hotspot. I had tried changing the chain to forward, hs-input, but it still does not work.

Re: Hotspot allow addresslist and drop rest

Posted: Mon Oct 07, 2019 2:45 pm
by dmitris
Try in mangle on prerouting chain...
/ip firewall mangle
add action=drop chain=prerouting in-interface=ether5 log=yes log-prefix="Dropped " src-address-list="!ether5 allowed ip"

Re: Hotspot allow addresslist and drop rest

Posted: Mon Oct 07, 2019 2:51 pm
by harjeetv
Try in mangle on prerouting chain...
/ip firewall mangle
add action=drop chain=prerouting in-interface=ether5 log=yes log-prefix="Dropped " src-address-list="!ether5 allowed ip"
But Firewall Mangle does not have action=drop

Re: Hotspot allow addresslist and drop rest

Posted: Mon Oct 07, 2019 4:59 pm
by dmitris
Sorry, my fault..

Look at the MikroTik packet flow diagram:
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

"hotspot-in" is on the prerouting chain and it's the first stage where the packet goes; this is why you can't block other IPs. I think you should set up IP blocking in the hotspot itself...

Re: Hotspot allow addresslist and drop rest

Posted: Tue Oct 08, 2019 5:56 am
by harjeetv
There must be a way. I don't want the client IPs to pass through the router and then reject with the RADIUS server. Instead I want to reject in the router interface itself.

Re: Hotspot allow addresslist and drop rest  [SOLVED]

Posted: Tue Oct 08, 2019 6:16 am
by laxmimikrotik
Hi,

You can do it in IP > Hotspot > IP-Binding.

In this section you can achieve your requirement.

Let me know!!

http://laxmidharnetworking.blogspot.com ... tspot.html
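
An added example, not written by any poster in this thread: a RouterOS sketch of the IP-Binding approach suggested above, using the 172.16.118.64/26 range from the first post. The server name hs-ether5 is a hypothetical placeholder, and the sketch assumes bindings are matched top to bottom.

```routeros
# Added example. "hs-ether5" is a hypothetical name for the hotspot server
# bound to ether5; substitute the name shown by /ip hotspot print.

# What the thread tried first: per the thread, hotspot-in sits in prerouting
# as the first stage, so this input-chain rule does not stop hotspot logins.
# /ip firewall filter
# add action=drop chain=input in-interface=ether5 src-address-list="!ether5 allowed ip"

/ip hotspot ip-binding
# Allowed pool: type=regular keeps these clients as normal hotspot clients,
# so they still have to log in (this is not a bypass).
add address=172.16.118.64/26 server=hs-ether5 type=regular comment="Ether 5 allowed client IPs"
# Everything else on this server: type=blocked drops the host's packets.
# Assumption: bindings are matched top to bottom, so this catch-all stays last.
add address=0.0.0.0/0 server=hs-ether5 type=blocked comment="Ether 5 drop rest"

# Check the order of the entries, then watch which hosts the hotspot still tracks.
/ip hotspot ip-binding print
/ip hotspot host print where server=hs-ether5
```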

Re: Hotspot allow addresslist and drop rest

Posted: Tue Oct 08, 2019 8:01 am
by harjeetv
Great, didn't know there was a regular (not bypass) option too, will test using this. Thanks
