First of all, many thanks for the answer :)
Could you be more specific about what your needs are, what you have already achieved, what needs to be accessed and what has to be denied?
Well, I'd need to ban only the guest user from hotspot log-in.
If you want to drop the 184.108.40.206/8 network for all users or for specific users,
use simple rule,
'ip firewall filter add chain=forward dst-address=220.127.116.11/8 action=drop'.
Specify src-address if you need to block access for specific users.
As well, a self-created chain does accept any traffic unless you have configured a jump on the main chains input, forward, output.
Forward is the default chain for the router's users.
No, I just want to block the 18.104.22.168/8 network for those users who are called 'guest' (or logged in as 'guest').
Do you want to block unauthorized users from getting the HotSpot login page displayed?
Hi
Add one rule to chain=forward,
'ip firewall filter add action=jump jump-target=hotspot chain=forward',
set for 'guest' user profile,
'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', that will redirect the current profile's traffic to chain=1.
Add rule to chain 1 to drop traffic with specific dst-address,
'ip firewall filter add chain=1 dst-address=22.214.171.124/8 action=drop'.
[admin@MikroTik] ip firewall filter> pr
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; To deny acces to the router via Telnet (protocol TCP, port 23)
     chain=input protocol=tcp dst-port=23 action=drop
 1   ;;; Drop Invalid connections
     chain=input connection-state=invalid action=drop
 2   ;;; Allow Established connections
     chain=input connection-state=established action=accept
 3   ;;; Allow UDP
     chain=input protocol=udp action=accept
 4   ;;; Allow ICMP
     chain=input protocol=icmp action=accept
 5   ;;; drop invalid connections
     chain=forward protocol=tcp connection-state=invalid action=drop
 6   ;;; Allow already established connections
     chain=forward connection-state=established action=accept
 7   ;;; allow related connections
     chain=forward connection-state=related action=accept
 8   ;;; deny BackOriffice
     chain=udp protocol=udp dst-port=3133 action=drop
 9   ;;; drop invalid connections
     chain=icmp protocol=icmp icmp-options=0:0 action=accept
10   ;;; allow established connections
     chain=icmp protocol=icmp icmp-options=3:0 action=accept
11   ;;; allow already established connections
     chain=icmp protocol=icmp icmp-options=3:1 action=accept
12   chain=forward action=jump jump-target=hotspot
13   chain=1 dst-address=126.96.36.199/8 action=drop

[admin@MikroTik] ip hotspot user> print
Flags: X - disabled, D - dynamic
 #   SERVER   NAME       ADDRESS   PROFI
 0            admin                defau
 1            invitado             invi1
Then for me it would be:
Yes, it can be done by NAT, e.g. to redirect a user with address=188.8.131.52 to a web page with address=184.108.40.206,
'ip firewall nat add chain=dstnat dst-address=220.127.116.11 action=dst-nat to-addresses=18.104.22.168'
ip firewall nat add chain=dstnat dst-address=22.214.171.124/8 action=dst-nat to-addresses=192.168.1.1
Who is user guest?
1) Clients who do not have HotSpot login/password, they will get HotSpot page instead of internet access.
2) A specific client is using the 'guest' login; then you can specify a particular dst-address in the following rule.
Add one rule to chain=forward, 'ip firewall filter add action=jump jump-target=hotspot chain=forward', set for 'guest' user profile, 'ip hotspot user profile set profile_name incoming-filter=1 outgoing-filter=1', that will redirect the current profile's traffic to chain=1. Add rule to chain 1 to drop traffic with specific dst-address, 'ip firewall filter add chain=1 dst-address=126.96.36.199/8 action=drop'.
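Added example, not part of the thread and not RouterOS code: a simplified Python model of the rule path described above (forward, then hotspot, then the profile's chain 1), showing that the drop rule only affects the guest user and only once forward jumps to hotspot. The addresses, function names and the way the dynamic hotspot chain is modelled are assumptions made for the illustration.

```python
import ipaddress

# Constructed sample values (not from the thread).
BLOCKED = ipaddress.ip_network("10.0.0.0/8")   # network denied to the guest profile
GUEST_IP, ADMIN_IP = "192.168.1.50", "192.168.1.10"

def build_chains(jump_in_forward=True):
    """Filter table as set up in the thread: forward -> hotspot -> chain '1'."""
    chains = {
        "forward": [],
        # Simplified model of the dynamic 'hotspot' chain: packets coming from
        # a logged-in user whose profile has incoming-filter=1 go to chain '1'.
        "hotspot": [{"src": GUEST_IP, "action": "jump", "target": "1"}],
        "1": [{"dst_net": BLOCKED, "action": "drop"}],
    }
    if jump_in_forward:
        chains["forward"].append({"action": "jump", "target": "hotspot"})
    return chains

def matches(rule, src, dst):
    if "src" in rule and rule["src"] != src:
        return False
    if "dst_net" in rule and ipaddress.ip_address(dst) not in rule["dst_net"]:
        return False
    return True

def evaluate(chains, chain, src, dst):
    """Return 'drop'/'accept', or None if the chain ends without a verdict."""
    for rule in chains[chain]:
        if not matches(rule, src, dst):
            continue
        if rule["action"] == "jump":
            verdict = evaluate(chains, rule["target"], src, dst)
            if verdict:
                return verdict   # a terminating rule matched in the target chain
        else:
            return rule["action"]
    return None                  # fall back to the calling chain

def forward_verdict(chains, src, dst):
    # A packet that reaches the end of a built-in chain is accepted.
    return evaluate(chains, "forward", src, dst) or "accept"

if __name__ == "__main__":
    for src in (GUEST_IP, ADMIN_IP):
        print(src, forward_verdict(build_chains(), src, "10.1.2.3"))
```
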