block communication between hotspot users
Posted: Mon Mar 05, 2007 12:59 pm
by ravin
Hi
I have MT 2.9 with hotspot enabled. How can I restrict hotspot users from communicating with other hotspot users?
Thanks
Posted: Mon Mar 05, 2007 1:18 pm
by alex_rhys-hurn
Hi,
I would also like to do this.
Some concepts I can think of:
Give each hotspot user their own subnet and specific router address.
Set up VLANs somehow.
With a wireless setup I know there are some settings to restrict traffic between wifi clients, but with cabled clients I don't know.
Does anyone have any ideas or suggestions to implement my thoughts?
Rgds
Alex
Posted: Mon Mar 05, 2007 5:02 pm
by UniKyrn
Drop any packet that ingresses from a non-ethernet port that tries to egress from a non-ethernet port.
Posted: Tue Mar 06, 2007 7:56 pm
by alex_rhys-hurn
Thanks for the response,
But will that work? I think what we are trying to achieve is a setup where the MT has two Ethernet NICs: one is local and one is WAN.
Hotspot users connect through a regular switch and Cat 5e cables to the local interface and are each given an IP in the same subnet by DHCP; they authenticate with hotspot.
We want to prevent hotspot user 1 from being able to pass any packets to hotspot user 2.
Have I misunderstood this?
Posted: Tue Mar 06, 2007 8:40 pm
by UniKyrn
The idea is still the same.
The hotspot users are probably talking to the gateway IP which is assigned to the local ethernet port. You want to drop packets which ingress on that port and want to egress on that same port back to a different hotspot user. Valid packets would ingress on the local port and either terminate in the router because they're talking to a local service, or egress on the public port.
Posted: Wed Mar 07, 2007 6:45 pm
by McKinley
I could be wrong but I think you may need to add managed switches and set up separate VLANs or the traffic could be handled at the switch level without reaching the router.
Posted: Fri Mar 09, 2007 8:38 am
by ravin
Hi UniKyrn,
What you explained is a bit confusing. Can you elaborate more and let me know how can I go about it?
Posted: Fri Mar 09, 2007 4:55 pm
by UniKyrn
You add a firewall rule that drops packets that enter via the hotspot interface and that want to exit via the same interface. Or you add a firewall rule that drops packets where the source IP is your hotspot network and the destination isn't your hotspot gateway address.
Add them at the MT that is actually running the hotspot, and make sure you've disabled "forwarding" on the radio interface as well, so the radio doesn't try to forward packets between wireless users before they enter the router.
Re: block communication between hotspot users
Posted: Thu Mar 13, 2008 9:31 pm
by ravin
Hi
Unikyrn
I can drop the packets where the source IP is my hotspot network and the destination isn't my hotspot gateway address.
But in the firewall rule, how can I exclude my hotspot gateway address (the "isn't my hotspot gateway address" part)?
Thanks
Ravin
Re: block communication between hotspot users
Posted: Thu Mar 13, 2008 9:54 pm
by UniKyrn
At least using the winbox interface, there is a little checkbox next to the Dst. Address field that is the "not" option. Simply check that box and enter your gateway address, then it'll match on anything that is "not" the gateway address.
You could also do it by the src and dst interfaces, which might be faster to process than an IP address compare. Specify both the src and dst as the hotspot interface, and that should then block packets that wanted to originate at one hotspot client and terminate at another. Also remember to disable "forwarding" on the radio card used for the hotspot so that it doesn't route the packets directly.
Re: block communication between hotspot users
Posted: Thu Mar 13, 2008 11:48 pm
by paisapipe
Just disable the forwarding option on hotspot's wireless interface
Re: block communication between hotspot users
Posted: Fri Mar 14, 2008 5:41 am
by ravin
I added the firewall rule as below:
chain=forward src-address=192.168.16.0/20 dst-address=!192.168.16.1 action=drop
192.168.16.1 is gateway.
But it drops internet connectivity of all the users.
And I don't use hotspot's wireless interface.
Re: block communication between hotspot users
Posted: Fri Mar 14, 2008 7:56 am
by changeip
For wired clients you _must_ use layer 2 to filter. You need to invest in a switch with VLAN capabilities. If you only need 100mb, a good cheap option is the IBM / 3Com switches; you can find them on eBay for $20 now. You can't truly separate clients by only using MikroTik and a dumb switch.
These are excellent enterprise class switches, they are just cheap now because they are 10/100mb only.
http://cgi.ebay.com/3Com-Superstack-II- ... dZViewItem
http://cgi.ebay.com/3Com-3C16980-24-por ... dZViewItem
http://cgi.ebay.com/3Com-3C16980-SuperS ... dZViewItem
http://cgi.ebay.com/3Com-SuperStack-II- ... dZViewItem
Re: block communication between hotspot users
Posted: Fri Mar 14, 2008 7:17 pm
by UniKyrn
Yes, that rule would kill Internet connectivity. If you're going to do this by IP address, then you need two rules, in the following order.
1) Allow anything from 192.168.16.0/20 to 192.168.16.1, so that they can talk to the gateway address.
2) Drop anything from 192.168.16.0/20 to 192.168.16.0/20 so that they can't talk to each other.
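To see why ravin's single rule killed Internet access while the two-rule ordering above does not, here is a small Python model of first-match evaluation over the thread's addresses. This is an added illustration, not MikroTik code or anything posted in the thread; the rule representation, the sample packets and the "every packet traverses the chain" simplification are assumptions of the model.

```python
import ipaddress

GATEWAY = ipaddress.ip_network("192.168.16.1/32")      # gateway from the thread
HOTSPOT_NET = ipaddress.ip_network("192.168.16.0/20")  # hotspot subnet from the thread

def matches(rule, src, dst):
    """True if packet (src, dst) satisfies a rule's address conditions.
    Keys: 'src' and 'dst' (networks the address must be in),
    'dst_not' (network the destination must NOT be in, i.e. dst-address=!x)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if "src" in rule and src not in rule["src"]:
        return False
    if "dst" in rule and dst not in rule["dst"]:
        return False
    if "dst_not" in rule and dst in rule["dst_not"]:
        return False
    return True

def verdict(rules, src, dst):
    """Simplified chain: first matching rule decides, default is accept.
    Assumes every packet is evaluated against the chain in order."""
    for rule in rules:
        if matches(rule, src, dst):
            return rule["action"]
    return "accept"

# The single rule as originally posted: drop from hotspot net unless dst is the gateway.
BROKEN = [
    {"src": HOTSPOT_NET, "dst_not": GATEWAY, "action": "drop"},
]

# The corrected ordering from the last reply: allow to gateway, then drop client-to-client.
FIXED = [
    {"src": HOTSPOT_NET, "dst": GATEWAY, "action": "accept"},
    {"src": HOTSPOT_NET, "dst": HOTSPOT_NET, "action": "drop"},
]

SAMPLE_PACKETS = [  # constructed sample traffic
    ("192.168.16.50", "192.168.16.1", "client -> gateway"),
    ("192.168.16.50", "192.168.16.51", "client -> client"),
    ("192.168.16.50", "198.51.100.10", "client -> Internet"),
]

def evaluate(rules):
    """Map each sample packet's label to the chain's verdict."""
    return {label: verdict(rules, s, d) for s, d, label in SAMPLE_PACKETS}

if __name__ == "__main__":
    for name, rules in (("broken", BROKEN), ("fixed", FIXED)):
        print(name, evaluate(rules))
```

The model only covers packets that actually reach the router; as changeip points out, wired clients behind an unmanaged switch can reach each other without passing through it, so a router-level rule alone does not isolate them.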