I'm working on installing my first HotSpot system in a small restaurant - only trial users for 2 hours of internet, 4 hours reset time - 10.10.10.0/24.
There is another subnet in Mikrotik - 192.168.1.0/24 for the inside restaurant system.
I have done the setup with the built-in setup helper and afterwards made some changes.
My first problem is the automatically generated firewall: how do I change it to make a good one? Here is how it works now (I made changes, but I don't think it is good enough; I always have problems doing firewalls):
Code:
 0    chain=input action=drop connection-state=invalid log=no log-prefix=""
 1    chain=input action=accept connection-state=established log=no log-prefix=""
 2    chain=input action=accept connection-state=related log=no log-prefix=""
 3    ;;; winbox
      chain=input action=accept protocol=tcp src-address=!10.10.10.0/24 dst-port=8291 log=no log-prefix=""
 4    ;;; ssh webfig belso
      chain=input action=accept protocol=tcp src-address=192.168.1.0/24 in-interface=bridge-local dst-port=22,7080 log=no log-prefix=""
 5 XI ;;; hotspot autogeneralt
      chain=unused-hs-chain action=passthrough log=no log-prefix=""
 6 D  chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth log=no log-prefix=""
 7 D  chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix=""
 8 D  chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix=""
 9 D  chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix=""
10 D  chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix=""
11 D  chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix=""
12 D  chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix=""
13 D  chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix=""
14 D  chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix=""
15 D  chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix=""
16 D  chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""
17 XI ;;; place hotspot rules here
      chain=unused-hs-chain action=passthrough log=no log-prefix=""
18    chain=input action=drop log=no log-prefix=""
19    chain=forward action=drop connection-state=invalid log=no log-prefix=""
20    ;;; dvr1-dvr2 http-sdk
      chain=forward action=accept protocol=tcp in-interface=bridge-uplink dst-port=70,8000,60,7999 log=no log-prefix=""
21    ;;; forward belso
      chain=forward action=accept src-address=192.168.1.0/24 out-interface=bridge-uplink log=no log-prefix=""
22    chain=forward action=accept connection-state=established dst-address=192.168.1.0/24 in-interface=bridge-uplink log=no log-prefix=""
23    chain=forward action=accept connection-state=related dst-address=192.168.1.0/24 in-interface=bridge-uplink log=no log-prefix=""
24    ;;; forward hotspot
      chain=forward action=accept src-address=10.10.10.0/24 out-interface=bridge-uplink log=no log-prefix=""
25    chain=forward action=accept connection-state=established dst-address=10.10.10.0/24 in-interface=bridge-uplink log=no log-prefix=""
26    chain=forward action=accept connection-state=related dst-address=10.10.10.0/24 in-interface=bridge-uplink log=no log-prefix=""
27    chain=forward action=drop log=no log-prefix=""
I saw that in User Profiles I can add an rx/tx rate, and doing an IP Binding to the MAC (or IP) address for the AP also works.
Thanks in advance,
Tom
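A tightened static ruleset for this layout, as an added example (not Tom's config and not MikroTik's default): it assumes RouterOS v6 syntax, the bridge-local / bridge-uplink names and the two subnets from the post, and that the dynamic hs-* rules the hotspot creates are left in place.

```routeros
# Added example for the layout in the post: bridge-uplink = WAN side,
# bridge-local = restaurant LAN (192.168.1.0/24), 10.10.10.0/24 = hotspot guests.
# RouterOS v6 syntax assumed. Only static rules; the hotspot keeps its own hs-* rules.
/ip firewall filter
# ---- input: traffic addressed to the router itself ----
add chain=input action=accept connection-state=established,related \
    comment="return traffic first, cheapest match"
add chain=input action=drop connection-state=invalid
# Management (winbox, ssh, webfig) only from the inside LAN on its own bridge.
# The post's rule 3 accepted winbox from anything except the hotspot subnet,
# which includes the uplink side; this closes that.
add chain=input action=accept protocol=tcp dst-port=8291,22,7080 \
    src-address=192.168.1.0/24 in-interface=bridge-local \
    comment="winbox ssh webfig belso"
# Ping from the inside LAN only, so link troubleshooting still works.
add chain=input action=accept protocol=icmp in-interface=bridge-local
# Marker the hotspot setup uses to position its dynamic rules (post's rule 17);
# keep it above the final drops so hs-input / hs-unauth are evaluated first.
add chain=unused-hs-chain action=passthrough comment="place hotspot rules here"
add chain=input action=drop comment="everything else to the router"
# ---- forward: traffic routed through the router ----
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# Guests get the internet only; they never reach the DVRs or the inside LAN.
add chain=forward action=drop src-address=10.10.10.0/24 \
    dst-address=192.168.1.0/24 comment="guests -> belso blocked"
add chain=forward action=accept src-address=10.10.10.0/24 \
    out-interface=bridge-uplink comment="forward hotspot"
add chain=forward action=accept src-address=192.168.1.0/24 \
    in-interface=bridge-local out-interface=bridge-uplink comment="forward belso"
# Inbound DVR access: the post's rule 20 matched any destination on those ports.
# Restrict it to the inside LAN (narrow further to the DVRs' own addresses).
add chain=forward action=accept protocol=tcp in-interface=bridge-uplink \
    dst-address=192.168.1.0/24 dst-port=70,8000,60,7999 \
    comment="dvr1-dvr2 http-sdk (dst-nat targets only)"
add chain=forward action=drop comment="everything else through the router"
```

The main changes: management is accepted only from 192.168.1.0/24 on bridge-local, the inbound DVR rule gets a destination, guest-to-LAN traffic is dropped explicitly, and established/related is matched before anything else in both chains.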