ravin
Member Candidate
Topic Author
Posts: 173
Joined: Mon Jan 29, 2007 3:59 pm
Location: mym

block communication between hotspot users

Mon Mar 05, 2007 12:59 pm

Hi

I have MT 2.9 with hotspot enabled. How can I restrict a hotspot user from communicating with other hotspot users?

Thanks
 
alex_rhys-hurn
Member
Posts: 353
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Mon Mar 05, 2007 1:18 pm

Hi,

I would also like to do this.

Some concepts I can think of:

Give each hotspot user their own subnet and specific router address.

Set up VLANs somehow.

With a wireless setup I know there are some settings to restrict traffic between wifi clients, but with cabled clients I don't know.

Does anyone have any ideas or suggestions to implement my thoughts?

Rgds

Alex
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Mon Mar 05, 2007 5:02 pm

Drop any packet that ingresses from a non-ethernet port that tries to egress from a non-ethernet port.
 
alex_rhys-hurn
Member
Posts: 353
Joined: Mon Jun 05, 2006 8:26 pm
Location: Kenya

Tue Mar 06, 2007 7:56 pm

Thanks for the response,

But will that work? I think what we are trying to achieve is this: the MT has two Ethernet NICs, one is local and one is WAN.

Hotspot users connect via a regular switch and Cat 5e cables to the local interface and are each given an IP in the same subnet by DHCP; they authenticate with hotspot.

We want to prevent hotspot user 1 from being able to pass any packets to hotspot user 2.

Have I misunderstood this?
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Tue Mar 06, 2007 8:40 pm

The idea is still the same.

The hotspot users are probably talking to the gateway IP which is assigned to the local ethernet port. You want to drop packets which ingress on that port and want to egress on that same port back to a different hotspot user. Valid packets would ingress on the local port and either terminate in the router because they're talking to a local service, or egress on the public port.
 
McKinley
just joined
Posts: 2
Joined: Mon Dec 19, 2005 6:22 pm
Location: Wisconsin

Wed Mar 07, 2007 6:45 pm

I could be wrong but I think you may need to add managed switches and set up separate VLANs or the traffic could be handled at the switch level without reaching the router.
 
ravin
Member Candidate
Topic Author
Posts: 173
Joined: Mon Jan 29, 2007 3:59 pm
Location: mym

Fri Mar 09, 2007 8:38 am

Hi UniKyrn,

What you explained is a bit confusing. Can you elaborate more and let me know how I can go about it?
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Fri Mar 09, 2007 4:55 pm

You add a firewall rule that drops packets that enter via the hotspot interface and that want to exit via the same interface. Or you add a firewall rule that drops packets where the source IP is your hotspot network and the destination isn't your hotspot gateway address.

Add them at the MT that is actually running the hotspot and make sure you've disabled "forwarding" on the radio interface as well, so the radio doesn't try to forward packets between wireless users before they enter the router.
 
ravin
Member Candidate
Topic Author
Posts: 173
Joined: Mon Jan 29, 2007 3:59 pm
Location: mym

Re: block communication between hotspot users

Thu Mar 13, 2008 9:31 pm

Hi

Unikyrn

I can drop the packets where the source IP is my hotspot network and the destination isn't my hotspot gateway address.

But in the firewall rule, how can I exclude my hotspot gateway address ("isn't my hotspot gateway address")?

Thanks
Ravin
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Re: block communication between hotspot users

Thu Mar 13, 2008 9:54 pm

At least using the Winbox interface, there is a little checkbox next to the Dst. Address field that is the "not" option. Simply check that box and enter your gateway address, and then it will match on anything that is "not" the gateway address.

You could also do it by the src and dst interfaces, which might be faster to process than an IP address compare. Specify both the src and dst as the hotspot interface, and that should then block packets that wanted to originate at one hotspot client and terminate at another. Also remember to disable "forwarding" on the radio card used for the hotspot so that it doesn't route the packets directly.
 
paisapipe
just joined
Posts: 10
Joined: Tue Mar 11, 2008 7:36 pm

Re: block communication between hotspot users

Thu Mar 13, 2008 11:48 pm

Just disable the forwarding option on the hotspot's wireless interface.
 
ravin
Member Candidate
Topic Author
Posts: 173
Joined: Mon Jan 29, 2007 3:59 pm
Location: mym

Re: block communication between hotspot users

Fri Mar 14, 2008 5:41 am

I added the firewall rule as below:

chain=forward src-address=192.168.16.0/20 dst-address=!192.168.16.1 action=drop

192.168.16.1 is gateway.

But it drops internet connectivity of all the users.

And I don't use hotspot's wireless interface.
 
changeip
Forum Guru
Posts: 3833
Joined: Fri May 28, 2004 5:22 pm

Re: block communication between hotspot users

Fri Mar 14, 2008 7:56 am

For wired clients you _must_ use layer 2 to filter. You need to invest in a switch with VLAN capabilities. If you only need 100mb, a good cheap option is the IBM / 3Com switches; you can find them on eBay for $20 now. You can't truly separate clients by only using MikroTik and a dumb switch.

These are excellent enterprise class switches, they are just cheap now because they are 10/100mb only.
http://cgi.ebay.com/3Com-Superstack-II- ... dZViewItem

http://cgi.ebay.com/3Com-3C16980-24-por ... dZViewItem

http://cgi.ebay.com/3Com-3C16980-SuperS ... dZViewItem

http://cgi.ebay.com/3Com-SuperStack-II- ... dZViewItem
 
UniKyrn
Member Candidate
Posts: 245
Joined: Fri Dec 24, 2004 9:27 pm
Location: Spokane, WA

Re: block communication between hotspot users

Fri Mar 14, 2008 7:17 pm

Yes, that rule would kill Internet connectivity. If you're going to do this by IP address, then you need two rules, in the following order.

1) Allow anything from 192.168.16.0/20 to 192.168.16.1, so that they can talk to the gateway address.

2) Drop anything from 192.168.16.0/20 to 192.168.16.0/20 so that they can't talk to each other.
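The difference between the single drop rule posted earlier in the thread and the two-rule version above comes down to first-match ordering in the forward chain. The following Python model is an added example, not part of the thread and not MikroTik's own code: it represents each rule as a source network, a destination network, an optional "not" on the destination (the `!` / Winbox checkbox), and an action, then walks an ordered rule list with a first-match-wins, default-accept policy. The rule sets use the 192.168.16.0/20 network and 192.168.16.1 gateway from the thread; the client addresses and the 203.0.113.10 "Internet" host are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Rule:
    """One forward-chain rule: src/dst network match plus an action."""
    src: IPv4Network
    dst: IPv4Network
    action: str               # "accept" or "drop"
    dst_negate: bool = False  # models "dst-address=!x" (the Winbox "not" box)


def matches(rule: Rule, src: IPv4Address, dst: IPv4Address) -> bool:
    """True when the packet's addresses satisfy the rule's matchers."""
    if src not in rule.src:
        return False
    dst_hit = dst in rule.dst
    return (not dst_hit) if rule.dst_negate else dst_hit


def evaluate(rules: list[Rule], src: str, dst: str) -> str:
    """Walk the ordered rule list; the first matching rule decides.
    A packet that matches no rule is accepted, as in an empty forward chain."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for rule in rules:
        if matches(rule, s, d):
            return rule.action
    return "accept"


HOTSPOT = IPv4Network("192.168.16.0/20")   # hotspot client network from the thread
GATEWAY = IPv4Network("192.168.16.1/32")   # hotspot gateway from the thread

# The single rule posted earlier:
#   chain=forward src-address=192.168.16.0/20 dst-address=!192.168.16.1 action=drop
SINGLE_DROP = [Rule(HOTSPOT, GATEWAY, "drop", dst_negate=True)]

# The two-rule fix, in the order given: allow to gateway, then drop client-to-client.
ALLOW_THEN_DROP = [
    Rule(HOTSPOT, GATEWAY, "accept"),
    Rule(HOTSPOT, HOTSPOT, "drop"),
]

# Constructed sample flows (addresses are illustrative, not from the thread).
FLOWS = {
    "client->gateway": ("192.168.17.25", "192.168.16.1"),
    "client->internet": ("192.168.17.25", "203.0.113.10"),
    "client->client": ("192.168.17.25", "192.168.20.7"),
}


def verdicts(rules: list[Rule]) -> dict[str, str]:
    """Verdict for each sample flow under the given ordered rule set."""
    return {name: evaluate(rules, s, d) for name, (s, d) in FLOWS.items()}


if __name__ == "__main__":
    for label, rules in (("single drop rule", SINGLE_DROP),
                         ("allow then drop", ALLOW_THEN_DROP),
                         ("drop then allow (wrong order)", list(reversed(ALLOW_THEN_DROP)))):
        print(f"{label}: {verdicts(rules)}")
```

Running it shows why the single rule "drops internet connectivity of all the users": every forwarded packet whose destination is not the gateway matches it, including packets bound for the Internet. With the two rules in the stated order only client-to-client traffic is dropped; reversing them drops the gateway flow as well, which is why the order matters. The model only covers packets that actually reach the router's forward chain, so it says nothing about wired client-to-client frames that a dumb switch forwards directly, the layer-2 case changeip raises.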