yottabit

How to firewall LAN for Hotspot users?

Mon Jul 07, 2014 10:16 pm

Hi Folks,

I'm trying to firewall hotspot users so they cannot reach 172.16.42.2-172.16.42.254, but I'm not having any luck. What am I missing here?
[admin@rb1.domehq] > export compact hide-sensitive 
# jul/07/2014 15:12:05 by RouterOS 6.15
# software id = 0ZZB-EWWY
#
# Export of rb1.domehq as posted in the thread. It was produced with
# 'export compact hide-sensitive': settings at their default value are
# omitted and passwords/PSKs are stripped, so a setting that is absent
# here is not evidence of its value.
/interface bridge
add l2mtu=1600 name=bridge1
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-onlyn channel-width=20/40mhz-Ce country="united states" disabled=no distance=indoors frequency=5745 frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan1-5G rx-chains=\
    0,1 ssid="Magrathea 5G" tdma-period-size=auto tx-chains=0,1 wireless-protocol=802.11
set [ find default-name=wlan2 ] band=2ghz-b/g/n country="united states" disabled=no distance=indoors frequency-mode=regulatory-domain l2mtu=1600 mode=ap-bridge multicast-helper=full name=wlan2-2G rx-chains=0,1 ssid=Magrathea tdma-period-size=auto \
    tx-chains=0,1 wireless-protocol=802.11
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk group-key-update=0s mode=dynamic-keys supplicant-identity=MikroTik
# Guest profile: legacy WPA(1)-PSK is accepted alongside WPA2-PSK.
# Unless old clients require it, wpa2-psk alone is the safer choice.
# The PSK itself is hidden by hide-sensitive.
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=allowed name=guest supplicant-identity=""
/interface wireless
# Virtual AP for guests on the 2.4 GHz radio. It is NOT a bridge1 port
# (see /interface bridge port below) and has its own subnet, so guest
# traffic is routed through the firewall rather than switched into the
# LAN -- which is what makes a forward-chain rule applicable at all.
add disabled=no l2mtu=1600 mac-address=4E:5E:0C:10:CB:5D master-interface=wlan2-2G name=wlan3-guest-2G security-profile=guest ssid="Dome Guest" wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
# NOTE(review): login-by has no https entry, so the captive-portal
# login page is served over plain HTTP on the guest WLAN. http-chap
# hashes the password challenge, but nothing else on that page is
# protected; confirm whether an HTTPS login is wanted here.
add dns-name=hotspot.domehq hotspot-address=192.168.88.1 login-by=cookie,http-chap,mac-cookie name=hsprof1 rate-limit=1M/1M
/ip pool
add name=hs-pool-6 ranges=192.168.88.2-192.168.88.254
/ip dhcp-server
add address-pool=hs-pool-6 authoritative=yes disabled=no interface=wlan3-guest-2G lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-6 disabled=no idle-timeout=1h interface=wlan3-guest-2G name=hotspot1 profile=hsprof1
/ip hotspot user profile
# shared-users=unlimited: the single 'guest' account defined under
# /ip hotspot user below is shared by everyone, so per-user
# accountability and limits apply to the whole group, not to a person.
set [ find default=yes ] address-pool=hs-pool-6 idle-timeout=none keepalive-timeout=1h mac-cookie-timeout=3d session-timeout=1h shared-users=unlimited
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=wlan1-5G
add bridge=bridge1 interface=wlan2-2G
/ip address
# NOTE(review): ether1 is a bridge1 slave port (above) yet carries the
# static LAN address, while bridge1 itself also runs a DHCP client
# (below). That can leave the router with two interfaces in
# 172.16.42.0/24 -- confirm which one the default route and the
# masquerade actually use.
add address=172.16.42.20/24 interface=ether1 network=172.16.42.0
add address=192.168.88.1/24 comment="hotspot network" interface=wlan3-guest-2G network=192.168.88.0
/ip dhcp-client
add dhcp-options=hostname,clientid interface=bridge1
/ip dhcp-server network
# Guests are told to use 172.16.42.1 (a LAN host) for DNS; any rule
# that blocks the LAN from guests must still allow dst-port 53 to it.
add address=192.168.88.0/24 comment="hotspot network" dns-server=172.16.42.1 gateway=192.168.88.1
/ip dns
set servers=172.16.42.1
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# This rule never matches guest-to-LAN traffic, for two reasons:
#  - chain=input only sees packets addressed to the router itself;
#    traffic the router forwards between guests and the LAN passes
#    through chain=forward.
#  - dst-address-list takes the NAME of an /ip firewall address-list,
#    not an IP range. Use dst-address=172.16.42.0/24, or create a list
#    and reference it by name.
# The range as written also excludes 172.16.42.1, the DNS server
# handed to guests above.
add action=reject chain=input dst-address-list=172.16.42.2-172.16.42.254 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
# No out-interface is given, so guest traffic is masqueraded on every
# egress path, including toward the LAN: LAN hosts see it sourced from
# the router's own address and cannot tell guests from the router.
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.88.0/24
/ip hotspot service-port
set ftp disabled=yes
/ip hotspot user
# One shared guest login with a 3h uptime cap; its password is hidden
# by hide-sensitive.
add limit-uptime=3h name=guest server=hotspot1
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
/ip route
add distance=1 gateway=172.16.42.1
/ip service
# Only the www-ssl change appears; the plain-HTTP www service is not
# shown, which under 'export compact' means it is at its default --
# verify separately whether HTTP management is still listening.
set www-ssl disabled=no
/ip upnp
set allow-disable-external-interface=no
/system clock
set time-zone-name=America/New_York
/system identity
set name=rb1.domehq
/system leds
set 0 interface=wlan1-5G
# (this line was cut off in the forum paste; the full leds= value
# appears in the later export in the same thread)
add interface=wlan2-2G leds=wlan2-2G_signal1-led,wlan2-2G_signal2-led,wlan2-2G_signal3-led,wlan2-
add interface=wlan2-2G leds=wlan2-2G_tx-led type=interface-transmit
add interface=wlan2-2G leds=wlan2-2G_rx-led type=interface-receive
add interface=bridge1 leds=user-led type=interface-activity
/system logging
set 0 action=disk
set 1 action=disk
set 2 action=disk
set 3 action=disk
add action=disk topics=watchdog
add prefix=debug topics=wireless
/system ntp client
set enabled=yes primary-ntp=66.228.38.73 secondary-ntp=209.114.111.1
/system routerboard settings
set cpu-frequency=600MHz
/system watchdog
set watchdog-timer=no
 
jkarras

Re: How to firewall LAN for Hotspot users?

Tue Jul 08, 2014 5:53 am

Your reject rule needs to be on the forward chain not the input chain.
 
yottabit

Re: How to firewall LAN for Hotspot users?

Tue Jul 08, 2014 6:04 am

Your reject rule needs to be on the forward chain not the input chain.
Thank you. I made that change but it had no effect.

I admit I'm practically useless with Linux iptables. I'll have to study up. But any other ideas in the meantime are appreciated.
 
jkarras

Re: How to firewall LAN for Hotspot users?

Tue Jul 08, 2014 6:33 am

Change this rule (from first post)
/ip firewall filter add action=reject chain=input dst-address-list=172.16.42.2-172.16.42.254 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
to this
/ip firewall filter add action=reject chain=forward dst-address=172.16.42.0/24 in-interface=wlan3-guest-2G reject-with=icmp-admin-prohibited
To properly use an address-list you must first populate the list with entries, then reference the list by name in the rule. Because you're blocking the full subnet, you may as well do so with CIDR notation.
http://wiki.mikrotik.com/wiki/Manual:IP ... dress_list
 
yottabit

Re: How to firewall LAN for Hotspot users?

Tue Jul 08, 2014 7:07 am

I question whether I should block the whole subnet, since 172.16.42.1 is the default gateway and DNS server, but I tried it anyway to see what would happen. No effect.
e                                                
# jul/08/2014 00:04:43 by RouterOS 6.15          
# software id = 0ZZB-EWWY                        
#                                                
# Second export of rb1.domehq, after the thread's advice: the reject
# rule has moved to chain=forward and now references a named address
# list. Defaults and secrets are still omitted (export compact /
# hide-sensitive).
/interface bridge                                
add l2mtu=1600 name=bridge1                      
/interface wireless                              
set [ find default-name=wlan1 ] band=\           
    5ghz-onlyn channel-width=20/40mhz-Ce \       
    country="united states" disabled=no \        
    distance=indoors frequency=5745 \            
    frequency-mode=regulatory-domain l2mtu=\     
    1600 mode=ap-bridge multicast-helper=full \  
    name=wlan1-5G rx-chains=0,1 ssid=\           
    "Magrathea 5G" tdma-period-size=auto \       
    tx-chains=0,1 wireless-protocol=802.11       
set [ find default-name=wlan2 ] band=\           
    2ghz-b/g/n country="united states" \         
    disabled=no distance=indoors \               
    frequency-mode=regulatory-domain l2mtu=\     
    1600 mode=ap-bridge multicast-helper=full \  
    name=wlan2-2G rx-chains=0,1 ssid=Magrathea \ 
    tdma-period-size=auto tx-chains=0,1 \        
    wireless-protocol=802.11                     
/interface wireless security-profiles            
set [ find default=yes ] authentication-types=\  
    wpa2-psk group-key-update=0s mode=\          
    dynamic-keys supplicant-identity=MikroTik    
# Guest profile still accepts legacy WPA(1)-PSK next to WPA2-PSK;
# wpa2-psk alone is the safer choice unless old clients need it.
add authentication-types=wpa-psk,wpa2-psk \      
    eap-methods="" management-protection=\       
    allowed name=guest supplicant-identity=""    
/interface wireless                              
# Guest virtual AP; not a bridge1 port, so guest-to-LAN traffic is
# routed and therefore subject to the forward chain.
add disabled=no l2mtu=1600 mac-address=\         
    4E:5E:0C:10:CB:5D master-interface=\         
    wlan2-2G name=wlan3-guest-2G \               
    security-profile=guest ssid="Dome Guest" \   
    wds-cost-range=0 wds-default-cost=0          
/ip hotspot profile                              
# NOTE(review): no https in login-by, so the captive-portal login is
# served over plain HTTP on the guest WLAN.
add dns-name=hotspot.domehq hotspot-address=\    
    192.168.88.1 login-by=\                      
    cookie,http-chap,mac-cookie name=hsprof1 \   
    rate-limit=1M/1M                             
/ip pool                                         
add name=hs-pool-6 ranges=\                      
    192.168.88.2-192.168.88.254                  
/ip dhcp-server                                  
add address-pool=hs-pool-6 authoritative=yes \   
    disabled=no interface=wlan3-guest-2G \       
    lease-time=1h name=dhcp1                     
/ip hotspot                                      
add address-pool=hs-pool-6 disabled=no \         
    idle-timeout=1h interface=wlan3-guest-2G \   
    name=hotspot1 profile=hsprof1                
/ip hotspot user profile                         
# shared-users=unlimited: everyone uses the one 'guest' account, so
# limits and accountability are per group, not per person.
set [ find default=yes ] address-pool=\          
    hs-pool-6 idle-timeout=none \                
    keepalive-timeout=1h mac-cookie-timeout=3d \ 
    session-timeout=1h shared-users=unlimited    
/interface bridge port                           
add bridge=bridge1 interface=ether1              
add bridge=bridge1 interface=wlan1-5G            
add bridge=bridge1 interface=wlan2-2G            
/ip address                                      
# NOTE(review): ether1 is a bridge1 slave port yet carries the static
# LAN address, and bridge1 also runs a DHCP client below -- the router
# may end up with two interfaces in 172.16.42.0/24; confirm which one
# the default route and masquerade use.
add address=172.16.42.20/24 interface=ether1 \   
    network=172.16.42.0                          
add address=192.168.88.1/24 comment=\            
    "hotspot network" interface=wlan3-guest-2G \ 
    network=192.168.88.0                         
/ip dhcp-client                                  
add dhcp-options=hostname,clientid interface=\   
    bridge1                                      
/ip dhcp-server network                          
# Guests resolve names via 172.16.42.1, a LAN host.
add address=192.168.88.0/24 comment=\            
    "hotspot network" dns-server=172.16.42.1 \   
    gateway=192.168.88.1                         
/ip dns                                          
set servers=172.16.42.1                          
/ip firewall address-list                        
# The LAN list covers the whole /24, including 172.16.42.1 -- the DNS
# server handed to guests above. An accept for udp/tcp dst-port=53 to
# that host must sit above the reject, or guests lose name resolution.
add address=172.16.42.0/24 list=LAN              
/ip firewall filter                              
add action=passthrough chain=unused-hs-chain \   
    comment="place hotspot rules here" \         
    disabled=yes                                 
# Corrected rule: forward chain plus a named address list. The hotspot
# also installs dynamic filter/NAT rules that an export does not show;
# if this rule's counters stay at zero (/ip firewall filter print
# stats), check where the guest flow is being matched instead.
add action=reject chain=forward \                
    dst-address-list=LAN in-interface=\          
    wlan3-guest-2G reject-with=\                 
    icmp-admin-prohibited                        
/ip firewall nat                                 
add action=passthrough chain=unused-hs-chain \   
    comment="place hotspot rules here" \         
    disabled=yes                                 
# No out-interface: guest traffic is masqueraded toward the LAN too,
# so LAN hosts see it as coming from the router's own address.
add action=masquerade chain=srcnat comment=\     
    "masquerade hotspot network" src-address=\   
    192.168.88.0/24                              
/ip hotspot service-port                         
set ftp disabled=yes                             
/ip hotspot user                                 
# The limit-uptime cap from the earlier export is gone; the shared
# guest session is now bounded only by the profile's
# session-timeout=1h above.
add name=guest server=hotspot1                   
/ip hotspot walled-garden                        
add comment="place hotspot rules here" \         
    disabled=yes                                 
/ip route                                        
add distance=1 gateway=172.16.42.1               
/ip service                                      
# Plain-HTTP www service is not shown (at its default under export
# compact); verify whether it is still listening.
set www-ssl disabled=no                          
/ip upnp                                         
set allow-disable-external-interface=no          
/system clock                                    
set time-zone-name=America/New_York              
/system identity                                 
set name=rb1.domehq                              
/system leds                                     
set 0 interface=wlan1-5G                         
add interface=wlan2-2G leds="wlan2-2G_signal1-l\ 
    ed,wlan2-2G_signal2-led,wlan2-2G_signal3-le\ 
    d,wlan2-2G_signal4-led,wlan2-2G_signal5-led\ 
    " type=wireless-signal-strength              
add interface=wlan2-2G leds=wlan2-2G_tx-led \    
    type=interface-transmit                      
add interface=wlan2-2G leds=wlan2-2G_rx-led \    
    type=interface-receive                       
add interface=bridge1 leds=user-led type=\       
    interface-activity                           
/system logging                                  
set 0 action=disk                                
set 1 action=disk                                
set 2 action=disk                                
set 3 action=disk                                
add action=disk topics=watchdog                  
add prefix=debug topics=wireless                 
/system ntp client                               
set enabled=yes primary-ntp=66.228.38.73 \       
    secondary-ntp=209.114.111.1                  
/system routerboard settings                     
set cpu-frequency=600MHz                         
/system watchdog                                 
set watchdog-timer=no
 
jkarras

Re: How to firewall LAN for Hotspot users?

Tue Jul 08, 2014 7:48 am

The default gateway doesn't matter, as it's the gateway for your router, not for the clients; even if it were, blocking it still wouldn't break anything. DNS does matter, but you can just add an allow rule above the reject that permits only DNS (TCP/UDP port 53).

Do you see hits on your rule? Try making it a purely IP-based rule, i.e. src-address=192.168.88.0/24 dst-address=172.16.42.0/24, and remove the in-interface.
 
antosere

Re: How to firewall LAN for Hotspot users?

Mon Sep 19, 2016 3:40 pm

Hello, I have a question. I have a network with hotspots, but when my users connect and open Windows -> Network (LAN), they can see other users' PCs.
How can I make it so that users cannot see each other on my network?
