AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Need Help to block access to MT from hotspot users

Thu Jun 23, 2022 4:24 am

Good day!

Any advice on how to prevent unauthorized access to MT when someone has already logged-in to the hotspot service? Once someone has successfully logged into the hotspot service portal and put any of the IP Gateways below (except the gateway of the hotspot he is currently logged-in to) in the browser, it will automatically be directed to the Mikrotik log-in page.

Please see below config for your reference.

/ip address

add address=10.5.5.1/23 interface="bridge-PPPoE - Ether" network=10.5.5.0
add address=192.168.1.81/24 interface=ether1-ISP network=192.168.1.0
add address=192.168.21.1/24 interface=bridge-VLAN-21 network=192.168.21.0
add address=192.168.22.1/24 interface=bridge-VLAN-22 network=192.168.22.0
add address=192.168.23.1/24 interface=bridge-VLAN-23 network=192.168.23.0
add address=192.168.123.1/24 interface="bridge-PPPoE - Ether" network=\
192.168.123.0

/ip dhcp-server
add address-pool=HS-NoVLAN-Pool disabled=no interface="bridge-PPPoE - Ether" \
lease-time=1h name="dhcp - NoVLAN"
add address-pool=HS-V21 disabled=no interface=bridge-VLAN-21 lease-time=1h \
name="dhcp - V21"
add address-pool=HS-V22 disabled=no interface=bridge-VLAN-22 lease-time=1h \
name="dhcp - V22"
add address-pool=HS-V23 disabled=no interface=bridge-VLAN-23 lease-time=1h \
name="dhcp - V23"
/ip dhcp-server network
add address=192.168.21.1/24 comment="hotspot network" gateway=192.168.21.1
add address=192.168.22.1/24 comment="hotspot network" gateway=192.168.22.1
add address=192.168.22.1/24 comment="hotspot network" gateway=192.168.22.1
add address=192.168.123.1/24 comment="hotspot network" gateway=192.168.123.1


Sample Scenario:
A customer has logged in to the Hotspot Portal with subnet (192.168.123.1/24). Once already logged-in, if he types any of the other gateway addresses (10.5.5.1 / 192.168.1.81 / 192.168.21.1 / 192.168.22.1 / 192.168.23.1) in his device browser, he will be directed to the Mikrotik log-in page.

Any solution how to fix and secure this from any unauthorized access to the MT? This might be easily solved by the network experts, but I am just new to networking.

Thank you in advance for your help.
 
k6ccc
Forum Guru
Posts: 1490
Joined: Fri May 13, 2016 12:01 am
Location: Glendora, CA, USA (near Los Angeles)

Re: Need Help to block access to MT from hotspot users

Thu Jun 23, 2022 5:37 pm

Should be easy enough with firewall rules. However without knowing your configuration, we are only guessing. Please post your configuration.
To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
 
LdB
Member Candidate
Posts: 141
Joined: Thu May 20, 2021 4:23 pm

Re: Need Help to block access to MT from hotspot users

Fri Jun 24, 2022 6:23 am

It's reasonably well covered in

https://wiki.mikrotik.com/wiki/Manual:S ... our_Router

Essentially you limit access to the router itself to a very limited trusted IP range and you have not explained where the trusted range interface is.
If you need further help we need the ISP(WAN) interface name and the Trusted IP and range interface (you can use xxx.xxx.xxx.xxx/y) if it's Public

A worked example
https://www.manitonetworks.com/networki ... -hardening
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Need Help to block access to MT from hotspot users

Fri Jun 24, 2022 12:53 pm

k6ccc wrote:
> Should be easy enough with firewall rules. However without knowing your configuration, we are only guessing. Please post your configuration.
> To export and paste your configuration (and I'm assuming you are using WebFig or Winbox), open a terminal window, and type (without the quotes) "/export hide-sensitive file=any-filename-you-wish". Then open the files section and right click on the filename you created and select download in order to download the file to your computer. It will be a text file with whatever name you saved to with an extension of .rsc. Suggest you then open the .rsc file in your favorite text editor and redact any sensitive information. Then in your message here, click the code display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.

Hi Sir,

Thank you for the response and my apology for the late reply because I had to figure out first how to edit the text file. As requested, here is the current configuration of the MT I am working with. I just edited/changed the IP addresses for security purposes and also removed the PPPoE Secrets and Hotspot Users.

Note: Firewall and Route entries were already set by the previous IT guy who initially configured the MT. It seems that he put some recursive routing for the failover but I just leave them as is because I don't have a full understanding yet on how recursive routing works. If you have a better recommendation, I am very much open.
# jun/24/2022 09:39:14 by RouterOS 6.48.3
#
# model = CCR1009-7G-1C-1S+
# serial number = XXXXXXXXXXXX
/interface bridge
add name="bridge-PPPoE - Ether"
add name=bridge-VLAN-21
add name=bridge-VLAN-22
add name=bridge-VLAN-23
/interface ethernet
set [ find default-name=combo1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full disabled=yes \
    name=ether1-VTT-DIA rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether2-VTT-DSL rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether3 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    ether3-PNT-DSL rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether4 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    "ether4  OLT 1 - Area1 " rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether5 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full name=\
    "ether5-OLT 2 - Area2" rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether6 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full \
    rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether7 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full,10000M-full \
    loop-protect=on name="ether7 " rx-flow-control=auto tx-flow-control=auto
set [ find default-name=sfp-sfpplus1 ] advertise=\
    1000M-full,2500M-full,5000M-full,10000M-full
/interface vlan
add interface="ether4  OLT 1 - Area1 " name=VLAN-21_eth4 vlan-id=21
add interface="ether5-OLT 2 - Area2" name=VLAN-21_eth5 vlan-id=21
add interface="ether4  OLT 1 - Area1 " name=VLAN-22_eth4 vlan-id=22
add interface="ether5-OLT 2 - Area2" name=VLAN-22_eth5 vlan-id=22
add interface="ether4  OLT 1 - Area1 " name=VLAN-23_eth4 vlan-id=23
add interface="ether5-OLT 2 - Area2" name=VLAN-23_eth5 vlan-id=23
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
add dns-name=wifi-hotspot-portal.net hotspot-address=192.168.21.1 login-by=\
    http-chap,mac-cookie name="V21 - WIFI Hotspot Portal"
add dns-name=gaming.portal hotspot-address=192.168.22.1 html-directory=\
    hotspot_ML login-by=http-chap,mac-cookie name=\
    "V22 - Gaming Portal"
add dns-name=adventure-park.wifi hotspot-address=192.168.23.1 \
    html-directory=hotspot_PARK login-by=http-chap,mac-cookie name=\
    "V23 - Adventure Park WiFi"
add dns-name=wifi.hotspot hotspot-address=192.168.123.1 login-by=\
    http-chap,mac-cookie name="WIFI Hotspot"
/ip hotspot user profile
add name=admin_test on-login=":put (\",,0,,,noexp,Disable,\")" parent-queue=\
    none rate-limit="50M/50M 100M/100M 30/30" shared-users=4 \
    transparent-proxy=yes
/ip pool
add name=HS-V21 ranges=192.168.21.2-192.168.21.254
add name=HS-V22 ranges=192.168.22.2-192.168.22.254
add name=HS-V23 ranges=192.168.23.2-192.168.23.254
add name=HS-NoVLAN-Pool ranges=192.168.123.100-192.168.123.254
/ip dhcp-server
add address-pool=HS-NoVLAN-Pool disabled=no interface="bridge-PPPoE - Ether" \
    lease-time=1h name="dhcp1 - No VLAN"
add address-pool=HS-V21 disabled=no interface=bridge-VLAN-21 lease-time=\
    1h name="dhcp2 - V21"
add address-pool=HS-V22 disabled=no interface=bridge-VLAN-22 lease-time=\
    1h name="dhcp2 - V22"
add address-pool=HS-V23 disabled=no interface=bridge-VLAN-23 lease-time=\
    1h name="dhcp2 - V23"
/ip hotspot
add address-pool=HS-V21 addresses-per-mac=1 disabled=no interface=\
    bridge-VLAN-21 name="V21 - WIFI Hotspot Portal" profile=\
    "V21 - WIFI Hotspot Portal"
add address-pool=HS-V22 addresses-per-mac=1 disabled=no interface=\
    bridge-VLAN-22 name="V22 - Gaming Portal" profile=\
    "V22 - Gaming Portal"
add address-pool=HS-V23 addresses-per-mac=1 disabled=no interface=\
    bridge-VLAN-23 name="V23 - Adventure Park WiFi" profile=\
    "V23 - Adventure Park WiFi"
add address-pool=HS-NoVLAN-Pool addresses-per-mac=1 disabled=no interface=\
    "bridge-PPPoE - Ether" name="WIFI Hotspot Server" profile=\
    "WIFI Hotspot"
/ip hotspot user profile
add address-pool=HS-NoVLAN-Pool name=EagleStore-30Mins-1M-burst-5M on-login=":\
    put (\",ntfc,0,30m,5,,Enable,\"); {:local date [ /system clock get date ];\
    :local year [ :pick \$date 7 11 ];:local month [ :pick \$date 0 3 ];:local\
    \_comment [ /ip hotspot user get [/ip hotspot user find where name=\"\$use\
    r\"] comment]; :local ucode [:pic \$comment 0 2]; :if (\$ucode = \"vc\" or\
    \_\$ucode = \"up\" or \$comment = \"\") do={ /sys sch add name=\"\$user\" \
    disable=no start-date=\$date interval=\"30m\"; :delay 2s; :local exp [ /sy\
    s sch get [ /sys sch find where name=\"\$user\" ] next-run]; :local getxp \
    [len \$exp]; :if (\$getxp = 15) do={ :local d [:pic \$exp 0 6]; :local t [\
    :pic \$exp 7 16]; :local s (\"/\"); :local exp (\"\$d\$s\$year \$t\"); /ip\
    \_hotspot user set comment=\$exp [find where name=\"\$user\"];}; :if (\$ge\
    txp = 8) do={ /ip hotspot user set comment=\"\$date \$exp\" [find where na\
    me=\"\$user\"];}; :if (\$getxp > 15) do={ /ip hotspot user set comment=\$e\
    xp [find where name=\"\$user\"];}; /sys sch remove [find where name=\"\$us\
    er\"]; :local mac \$\"mac-address\"; :local time [/system clock get time ]\
    ; /system script add name=\"\$date-|-\$time-|-\$user-|-0-|-\$address-|-\$m\
    ac-|-30m-|-EagleStore-30Mins-1M-burst-5M-|-\$comment\" owner=\"\$month\$ye\
    ar\" source=\$date comment=mikhmon; [:local mac \$\"mac-address\"; /ip hot\
    spot user set mac-address=\$mac [find where name=\$user]]}}" \
    parent-queue=none rate-limit="1M/1M 5M/5M 512k/512k 60/60"
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge="bridge-PPPoE - Ether" comment="olt Area1" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "ether4  OLT 1 - Area1 "
add bridge="bridge-PPPoE - Ether" comment="olt Area2" frame-types=\
    admit-only-untagged-and-priority-tagged ingress-filtering=yes interface=\
    "ether5-OLT 2 - Area2"
add bridge="bridge-PPPoE - Ether" interface=ether6
add interface="ether7 "
add bridge="bridge-PPPoE - Ether" interface=combo1
add bridge=bridge-VLAN-21 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-21_eth4 pvid=21
add bridge=bridge-VLAN-22 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-22_eth4 pvid=22
add bridge=bridge-VLAN-23 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-23_eth4 pvid=23
add bridge=bridge-VLAN-21 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-21_eth5 pvid=21
add bridge=bridge-VLAN-22 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-22_eth5 pvid=22
add bridge=bridge-VLAN-23 frame-types=admit-only-vlan-tagged \
    ingress-filtering=yes interface=VLAN-23_eth5 pvid=23
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface detect-internet
set detect-interface-list=all
/interface pppoe-server server
add disabled=no interface="bridge-PPPoE - Ether" service-name=WIFI
/ip accounting
set account-local-traffic=yes
/ip address
add address=111.111.122.122/30 interface=ether1-VTT-DIA network=\
    111.111.122.120
add address=111.111.121.90/30 interface=ether2-VTT-DSL network=111.111.121.88
add address=10.50.10.1/23 interface="bridge-PPPoE - Ether" network=10.50.10.0
add address=192.168.1.81/24 interface=ether3-PNT-DSL network=192.168.1.0
add address=192.168.21.1/24 interface=bridge-VLAN-21 network=192.168.21.0
add address=192.168.22.1/24 interface=bridge-VLAN-22 network=192.168.22.0
add address=192.168.23.1/24 interface=bridge-VLAN-23 network=192.168.23.0
add address=192.168.123.1/24 interface="bridge-PPPoE - Ether" network=\
    192.123.188.0
/ip dhcp-client
add add-default-route=no disabled=no interface=ether3-PNT-DSL
/ip dhcp-server network
add address=192.168.21.0/24 comment="hotspot network" gateway=192.168.21.1
add address=192.168.22.0/24 comment="hotspot network" gateway=192.168.22.1
add address=192.168.23.0/24 comment="hotspot network" gateway=192.168.23.1
add address=192.123.188.0/24 comment="hotspot network" gateway=192.123.188.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
/ip firewall address-list
add address=10.50.10.0/24 list=VIP
add address=10.50.11.0/24 list=NORMAL
add address=10.50.12.0/24 list=MED
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
/ip firewall mangle
add action=mark-routing chain=prerouting comment=VTT-DIA_VIP \
    new-routing-mark=to-gw1 passthrough=no src-address-list=VIP
add action=mark-routing chain=prerouting comment=VTT_DSL new-routing-mark=\
    to-gw2 passthrough=no src-address-list=MED
add action=mark-routing chain=prerouting comment="PNT-DSL_NORMAL " \
    new-routing-mark=to-gw3 passthrough=no src-address-list=NORMAL
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="VTT DIA" out-interface=\
    ether1-VTT-DIA
add action=masquerade chain=srcnat out-interface=ether2-VTT-DSL
add action=masquerade chain=srcnat out-interface=ether3-PNT-DSL
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.50.10.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.22.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.22.2.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.4.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.50.10.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.50.10.0/23
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.21.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.23.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.21.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.21.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.21.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.23.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.21.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.22.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.23.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.123.0/24
/ip hotspot user
add name=admin
add limit-uptime=2m name=TEST profile=admin_test

/ip route
add comment="ISP1 route" distance=1 gateway=8.8.8.8 routing-mark=to-gw1 \
    scope=10
add comment="ISP2 route" distance=1 gateway=10.2.2.2 routing-mark=to-gw2 \
    scope=10
add comment="ISP3 route" distance=1 gateway=208.67.222.222 routing-mark=\
    to-gw3 scope=10
add comment="default route ISP1" distance=1 gateway=8.8.8.8 scope=10
add comment="failover route ISP2" distance=2 gateway=10.2.2.2 scope=10
add comment="failover route ISP3" distance=3 gateway=8.8.4.4 scope=10
add comment="monitoring ip ISP2" distance=1 dst-address=1.1.1.1/32 gateway=\
    111.111.121.89 scope=10
add check-gateway=ping comment="virtual route ISP1" distance=1 dst-address=\
    8.8.8.8/32 gateway=9.9.9.9 scope=10
add comment="monitoring ip ISP3" distance=1 dst-address=8.26.56.26/32 \
    gateway=192.168.1.1 scope=10
add comment="monitoring ip ISP1" distance=1 dst-address=9.9.9.9/32 gateway=\
    111.111.122.121 scope=10
add check-gateway=ping comment="virtual route ISP2" distance=1 dst-address=\
    10.2.2.2/32 gateway=1.1.1.1 scope=10
add check-gateway=ping comment="virtual route ISP3" distance=1 dst-address=\
    208.67.222.222/32 gateway=8.26.56.26 scope=10
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh disabled=yes
/lcd
set backlight-timeout=5m color-scheme=dark default-screen=interfaces \
    read-only-mode=yes time-interval=hour
/lcd interface
set "ether5-OLT 2 - Area2" timeout=30s
/ppp profile
add local-address=10.50.10.1 name="10mbps up to 15 mbps" rate-limit=\
    "8M/7M 13M/12M 8M/8M 200/200 8 9M/9M" remote-address=*1
add local-address=10.50.11.1 name="20mbps up to 30mbps" rate-limit=\
    "25M/25M 28M/29M 25M/25M 200/200 8 25M/25M" remote-address=*1
/ppp secret
add comment=Dok local-address=10.50.12.1 name=Antonio profile=\
    "10mbps up to 15 mbps" remote-address=10.50.12.187 service=pppoe
add comment="Coffee Shop" local-address=10.50.11.1 name=SM_231 profile=\
    "10mbps up to 15 mbps" remote-address=10.50.11.231 service=pppoe
add local-address=10.50.10.1 name=SM_242 profile="10mbps up to 15 mbps" \
    remote-address=10.50.10.242 service=pppoe
add local-address=10.50.11.1 name="Branch Tower" profile=\
    "20mbps up to 30mbps" remote-address=10.50.11.252 service=pppoe
/system clock
set time-zone-name=XXXXXXX
/system identity
set name=XXXXXXX
/system logging
add action=disk prefix=-> topics=hotspot,info,debug
/system ntp client
set enabled=yes primary-ntp=192.168.92.1
/system scheduler
add comment="Monitor Profile TEST_time_limit" interval=2m40s name=\
    TEST_time_limit on-event=":local dateint do={:local montharray ( \"jan\",\
    \"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\"aug\",\"sep\",\"oct\",\"\
    nov\",\"dec\" );:local days [ :pick \$d 4 6 ];:local month [ :pick \$d 0 3\
    \_];:local year [ :pick \$d 7 11 ];:local monthint ([ :find \$montharray \
    \$month]);:local month (\$monthint + 1);:if ( [len \$month] = 1) do={:loca\
    l zero (\"0\");:return [:tonum (\"\$year\$zero\$month\$days\")];} else={:r\
    eturn [:tonum (\"\$year\$month\$days\")];}}; :local timeint do={ :local ho\
    urs [ :pick \$t 0 2 ]; :local minutes [ :pick \$t 3 5 ]; :return (\$hours \
    * 60 + \$minutes) ; }; :local date [ /system clock get date ]; :local time\
    \_[ /system clock get time ]; :local today [\$dateint d=\$date] ; :local c\
    urtime [\$timeint t=\$time] ; :foreach i in [ /ip hotspot user find where \
    profile=\"TEST_time_limit\" ] do={ :local comment [ /ip hotspot user get \
    \$i comment]; :local name [ /ip hotspot user get \$i name]; :local gettime\
    \_[:pic \$comment 12 20]; :if ([:pic \$comment 3] = \"/\" and [:pic \$comm\
    ent 6] = \"/\") do={:local expd [\$dateint d=\$comment] ; :local expt [\$t\
    imeint t=\$gettime] ; :if ((\$expd < \$today and \$expt < \$curtime) or (\
    \$expd < \$today and \$expt > \$curtime) or (\$expd = \$today and \$expt <\
    \_\$curtime)) do={ [ /ip hotspot user set limit-uptime=1s \$i ]; [ /ip hot\
    spot active remove [find where user=\$name] ];}}}" policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
    start-date=jun/01/2022 start-time=01:30:40

/tool sniffer
set memory-limit=1000KiB
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Need Help to block access to MT from hotspot users

Fri Jun 24, 2022 1:36 pm

LdB wrote:
> It's reasonably well covered in
>
> https://wiki.mikrotik.com/wiki/Manual:S ... our_Router
>
> Essentially you limit access to the router itself to a very limited trusted IP range and you have not explained where the trusted range interface is.
> If you need further help we need the ISP(WAN) interface name and the Trusted IP and range interface (you can use xxx.xxx.xxx.xxx/y) if it's Public
>
> A worked example
> https://www.manitonetworks.com/networki ... -hardening

Hi Sir.

Thank you for the links you have provided. Will definitely have a look at it and hopefully I'll be able to learn and apply them.
By the way, when you say Trusted IP and range interface are you referring to the public IP address of my ISP I used to remotely access the MT? Honestly, I only use cellular data via my mobile phone to do remote access to the MT.
 
kevinds
Long time Member
Posts: 642
Joined: Wed Jan 14, 2015 8:41 am

Re: Need Help to block access to MT from hotspot users

Sat Jun 25, 2022 12:42 am

AzDsL wrote:
> Thank you for the links you have provided. Will definitely have a look at it and hopefully I'll be able to learn and apply them.
> By the way, when you say Trusted IP and range interface are you referring to the public IP address of my ISP I used to remotely access the MT? Honestly, I only use cellular data via my mobile phone to do remote access to the MT.

Then you set up a VPN, connect to the VPN and have the authorized IPs set to the IPs given by the VPN.
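
One way to apply the advice in the replies above (limit management of the router to a trusted range, with the VPN-assigned addresses as that range), as an added example that is not part of the thread or of MikroTik's documentation. It uses the bridge names from the posted export; the list names MGMT-TRUSTED and HOTSPOT-LAN and the 10.99.99.0/24 range are placeholders chosen for illustration.

```routeros
# Added example. Lines marked ASSUMPTION use values that are not in the thread.

# ASSUMPTION: 10.99.99.0/24 stands in for the addresses your VPN hands to
# administrators. Replace it with the real VPN range before applying.
/ip firewall address-list
add address=10.99.99.0/24 list=MGMT-TRUSTED comment="VPN admin addresses (placeholder)"

# Group the four hotspot-facing bridges from the posted export so that a
# single rule covers all of them.
/interface list
add name=HOTSPOT-LAN
/interface list member
add interface="bridge-PPPoE - Ether" list=HOTSPOT-LAN
add interface=bridge-VLAN-21 list=HOTSPOT-LAN
add interface=bridge-VLAN-22 list=HOTSPOT-LAN
add interface=bridge-VLAN-23 list=HOTSPOT-LAN

# Input chain = traffic addressed to the router itself, on any of its IPs.
# Rule order matters: the accept for the trusted list comes first.
/ip firewall filter
add chain=input action=accept src-address-list=MGMT-TRUSTED \
    comment="management from trusted range"
# Management ports: ftp/ssh/telnet 21-23 (disabled in the export, listed in
# case they are re-enabled), WebFig 80/443, Winbox 8291, API 8728/8729.
# DHCP, DNS and the hotspot servlet use other ports and are not matched.
add chain=input action=drop protocol=tcp in-interface-list=HOTSPOT-LAN \
    dst-port=21-23,80,443,8291,8728,8729 \
    comment="no router management from hotspot networks"

# Second layer: the services themselves only answer the trusted range,
# which also covers the WAN side.
/ip service
set www address=10.99.99.0/24
set winbox address=10.99.99.0/24

# MAC-Telnet and MAC-Winbox work at layer 2 and bypass the IP firewall,
# so close them separately.
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
```

Apply this from a session that comes from the trusted range (or with Safe Mode on) so the current management connection is not cut off, then confirm from a hotspot client that the login page still loads and that the other gateway addresses no longer show the MikroTik login. PPPoE subscribers arrive on dynamic PPPoE interfaces rather than on the bridge, so they are not matched by the HOTSPOT-LAN rule and need their own rule if they should be blocked as well.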
 
AzDsL
Frequent Visitor
Topic Author
Posts: 61
Joined: Sun May 22, 2022 4:17 am

Re: Need Help to block access to MT from hotspot users

Sat Jun 25, 2022 8:55 am

kevinds wrote:
> AzDsL wrote:
> > Thank you for the links you have provided. Will definitely have a look at it and hopefully I'll be able to learn and apply them.
> > By the way, when you say Trusted IP and range interface are you referring to the public IP address of my ISP I used to remotely access the MT? Honestly, I only use cellular data via my mobile phone to do remote access to the MT.
>
> Then you set up a VPN, connect to the VPN and have the authorized IPs set to the IPs given by the VPN.

Thank you for your response. I'm sorry but I don't know yet how to set up a VPN. Would appreciate it if you can help me with a sample configuration that I can follow through. Thank you.
