1stHotSpot install - General questions
Posted: Sat Jul 09, 2016 11:48 pm
Dear all,
I am installing my first HotSpot system in a small restaurant: only trial users with 2 hours of internet and a 4 hour reset time, on 10.10.10.0/24.
There is another subnet on the MikroTik, 192.168.1.0/24, for the restaurant's internal system.
I have done the setup with the built-in setup helper and afterwards made some changes.
My first problem is the automatically generated firewall: how do I change it to make a good one?
My second question is: what is the best way if I have an access point and want to apply some queue restrictions? Right now I have two PCQ rules, 256k/768k with burst and priority 8, and I made another queue with unlimited rates and priority 7 for the access point, 10.10.10.2.
I saw that in User Profiles I can add an rx/tx rate, and doing an IP Binding to the MAC (or IP) address of the AP also works.
Here is how it works now (I made changes, but I don't think it is good enough; I always have problems doing firewalls):
 0      chain=input action=drop connection-state=invalid log=no log-prefix=""
 1      chain=input action=accept connection-state=established log=no log-prefix=""
 2      chain=input action=accept connection-state=related log=no log-prefix=""
 3      ;;; winbox
        chain=input action=accept protocol=tcp src-address=!10.10.10.0/24 dst-port=8291 log=no log-prefix=""
 4      ;;; ssh webfig internal
        chain=input action=accept protocol=tcp src-address=192.168.1.0/24 in-interface=bridge-local dst-port=22,7080 log=no log-prefix=""
 5 XI   ;;; hotspot autogenerated
        chain=unused-hs-chain action=passthrough log=no log-prefix=""
 6 D    chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth log=no log-prefix=""
 7 D    chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth log=no log-prefix=""
 8 D    chain=input action=jump jump-target=hs-input hotspot=from-client log=no log-prefix=""
 9 D    chain=input action=drop protocol=tcp hotspot=!from-client dst-port=64872-64875 log=no log-prefix=""
10 D    chain=hs-input action=jump jump-target=pre-hs-input log=no log-prefix=""
11 D    chain=hs-input action=accept protocol=udp dst-port=64872 log=no log-prefix=""
12 D    chain=hs-input action=accept protocol=tcp dst-port=64872-64875 log=no log-prefix=""
13 D    chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth log=no log-prefix=""
14 D    chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp log=no log-prefix=""
15 D    chain=hs-unauth action=reject reject-with=icmp-net-prohibited log=no log-prefix=""
16 D    chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited log=no log-prefix=""
17 XI   ;;; place hotspot rules here
        chain=unused-hs-chain action=passthrough log=no log-prefix=""
18      chain=input action=drop log=no log-prefix=""
19      chain=forward action=drop connection-state=invalid log=no log-prefix=""
20      ;;; dvr1-dvr2 http-sdk
        chain=forward action=accept protocol=tcp in-interface=bridge-uplink dst-port=70,8000,60,7999 log=no log-prefix=""
21      ;;; forward internal
        chain=forward action=accept src-address=192.168.1.0/24 out-interface=bridge-uplink log=no log-prefix=""
22      chain=forward action=accept connection-state=established dst-address=192.168.1.0/24 in-interface=bridge-uplink log=no log-prefix=""
23      chain=forward action=accept connection-state=related dst-address=192.168.1.0/24 in-interface=bridge-uplink log=no log-prefix=""
24      ;;; forward hotspot
        chain=forward action=accept src-address=10.10.10.0/24 out-interface=bridge-uplink log=no log-prefix=""
25      chain=forward action=accept connection-state=established dst-address=10.10.10.0/24 in-interface=bridge-uplink log=no log-prefix=""
26      chain=forward action=accept connection-state=related dst-address=10.10.10.0/24 in-interface=bridge-uplink log=no log-prefix=""
27      chain=forward action=drop log=no log-prefix=""
Thanks in advance,
Tom
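The following RouterOS configuration is an added example and is not part of the original post or a reply to it. It addresses both questions above: a tighter management policy for the input chain (the listed rule 3 accepts TCP 8291 from every source except 10.10.10.0/24, which includes whatever arrives on the uplink) and a queue layout in which the access point is exempted from the guest PCQ limits. It assumes that bridge-uplink is the WAN side and bridge-local carries 192.168.1.0/24, that the hotspot clients sit on 10.10.10.0/24 with the access point at 10.10.10.2 (values taken from the post), and that the total pipe of 20M/20M is a placeholder to be replaced with the real uplink speed. The dynamic hotspot chains (hs-input, hs-unauth, hs-unauth-to) are still created by the hotspot itself and are left alone.

```routeros
# Added example, not the poster's configuration. Assumptions: bridge-uplink = WAN,
# bridge-local = 192.168.1.0/24 LAN, hotspot on 10.10.10.0/24, AP at 10.10.10.2,
# 20M/20M is a placeholder for the real uplink rate.

/ip firewall filter
# Stateful rules first, as in the generated set.
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept connection-state=established,related comment="established/related"
# Management (winbox 8291, ssh 22, webfig 7080) only from the internal LAN on
# the local bridge; nothing on the uplink or the guest subnet reaches it.
add chain=input action=accept protocol=tcp dst-port=8291,22,7080 src-address=192.168.1.0/24 \
    in-interface=bridge-local comment="management from internal LAN only"
# If the router is the resolver for the internal LAN, allow that explicitly.
# Hotspot clients do not need this: the hotspot redirects their DNS to its own
# port 64872, which the dynamic hs-input chain already accepts.
add chain=input action=accept protocol=udp dst-port=53 src-address=192.168.1.0/24 \
    in-interface=bridge-local comment="dns for internal LAN"
# Everything else to the router itself is dropped and the uplink hits are logged
# so that scans against the router show up in /log.
add chain=input action=drop in-interface=bridge-uplink log=yes log-prefix="input-wan-drop" \
    comment="drop from uplink"
add chain=input action=drop comment="drop everything else"

# Forward chain: state first, then one accept per subnet towards the uplink,
# an explicit guest-to-LAN drop, and a final drop.
add chain=forward action=drop connection-state=invalid comment="drop invalid"
add chain=forward action=accept connection-state=established,related comment="established/related"
add chain=forward action=accept protocol=tcp in-interface=bridge-uplink dst-port=70,8000,60,7999 \
    comment="dvr1-dvr2 http-sdk (kept from the post)"
add chain=forward action=drop src-address=10.10.10.0/24 dst-address=192.168.1.0/24 \
    comment="guests never reach the restaurant LAN"
add chain=forward action=accept src-address=192.168.1.0/24 out-interface=bridge-uplink \
    comment="internal LAN to internet"
add chain=forward action=accept src-address=10.10.10.0/24 out-interface=bridge-uplink \
    comment="hotspot guests to internet"
add chain=forward action=drop comment="drop everything else"

# Queues. PCQ splits the parent limit per client address; the AP gets its own
# queue above the guest queue (simple queues are matched top-down) with no
# limit and the better priority, which is what the post set up by hand.
/queue type
add name=hs-up kind=pcq pcq-rate=256k pcq-classifier=src-address
add name=hs-down kind=pcq pcq-rate=768k pcq-classifier=dst-address
/queue simple
add name=ap-mgmt target=10.10.10.2/32 max-limit=0/0 priority=7/7 comment="access point, unlimited"
add name=hotspot-guests target=10.10.10.0/24 queue=hs-up/hs-down max-limit=20M/20M priority=8/8 \
    comment="guest PCQ, 256k up / 768k down per client (placeholder parent limit)"

# Alternative to the static PCQ queue: let the hotspot create a per-user queue
# from the profile rate-limit (rx/tx as seen from the client) and bypass the
# AP's address so that no hotspot login or queue applies to it.
/ip hotspot user profile
set [ find default=yes ] rate-limit=256k/768k
/ip hotspot ip-binding
add address=10.10.10.2 type=bypassed comment="access point"
```

Two caveats worth checking on the running box. First, the unlimited queue for 10.10.10.2 only matters if that address is what guest traffic carries: a bridged access point forwards client frames with the clients' own IPs, so the AP queue then covers only its management traffic, whereas an access point that NATs its clients would present everything as 10.10.10.2 and the unlimited queue would defeat the guest limits entirely. Second, after importing, run `/ip firewall filter print` and confirm that the three management ports are accepted only by the rule with `in-interface=bridge-local`, and `/log print` with the `input-wan-drop` prefix shows what the uplink is trying against the router.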