I know this is not a save rule but the only option I have ....

Please help with this firewall rule. I would like to prevent the user from opening their own hotspot or tethering. In all VLANs it should be forbidden. Only in the AdminVLAN100 it should be allowed.

What do you think of the rules?

1. Rule:
/ip firewall mangle
add chain=postrouting action=change-ttl new-ttl=set:128 out-interface=AdminVLAN100
2. Rule:
/ip firewall mangle
add chain=postrouting action=change-ttl new-ttl=set:1 out-interface=all vlan

Greetings VlanLearner
Excuse me for my bad english (google translation)

Remember that such rules do not normally end processing when they match, as "accept" does.
So you need to arrange for that or else your first rule will do nothing.

these guys who "opening their own hotspot" 100% know how to deal with ttl1 )