I'm trying to firewall hotspot users from reaching 172.16.42.2-172.16.42.254, but not having luck. What am I missing here?
Code: Select all
[admin@rb1.domehq] > export compact hide-sensitive
# jul/07/2014 15:12:05 by RouterOS 6.15
# software id = 0ZZB-EWWY
#
/interface bridge
add l2mtu=1600 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=5745 frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan1-5G rx-chains=\
0,1 ssid="Magrathea 5G" tdma-period-size=auto tx-chains=0,1 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n country="united states" disabled=no distance=indoors frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan2-2G rx-chains=0,1 ssid=Magrathea tdma-period-size=auto \
tx-chains=0,1 wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=0s mode=dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=guest supplicant-identity=""
/interface wireless
add disabled=no l2mtu=1600 mac-address=4E:5E:0C:10:CB:5D master-interface=wlan2-2G name=wlan3-guest-2G security-profile=guest ssid="Dome Guest" wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
add dns-name=hotspot.domehq hotspot-address=192.168.88.1 login-by=cookie,http-chap,mac-cookie name=hsprof1 rate-limit=1M/1M
/ip pool
add name=hs-pool-6 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=hs-pool-6 authoritative=yes disabled=no interface=wlan3-guest-2G lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-6 disabled=no idle-timeout=1h interface=wlan3-guest-2G name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] address-pool=hs-pool-6 idle-timeout=none keepalive-timeout=1h mac-cookie-timeout=3d session-timeout=1h shared-users=unlimited
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1-5G
add bridge=bridge1 interface=wlan2-2G
/ip address
add address=172.16.42.20/24 interface=ether1 network=172.16.42.0
add address=192.168.88.1/24 comment="hotspot network" interface=wlan3-guest-2G network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1
/ip dhcp-server network
add address=192.168.88.0/24 comment="hotspot network" dns-server=172.16.42.1 gateway=192.168.88.1
/ip dns
set servers=172.16.42.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=reject chain=input dst-address-list=172.16.42.2-172.16.42.254 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
add limit-uptime=3h name=guest server=hotspot1
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip route
add distance=1 gateway=172.16.42.1
/ip service
set www-ssl disabled=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=rb1.domehq
/system leds
set 0 interface=wlan1-5G
add interface=wlan2-2G leds=wlan2-2G_signal1-led,wlan2-2G_signal2-led,wlan2-2G_signal3-led,wlan2-
add interface=wlan2-2G leds=wlan2-2G_tx-led type=interface-transmit
add interface=wlan2-2G leds=wlan2-2G_rx-led type=interface-receive
add interface=bridge1 leds=user-led type=interface-activity
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=watchdog
add prefix=debug topics=wireless
/system ntp client
set enabled=yes primary-ntp=66.228.38.73 secondary-ntp=209.114.111.1
/system routerboard settings
set cpu-frequency=600MHz
/system watchdog
set watchdog-timer=no