How to forbid Windows file sharing in wireless???

Posted: Thu Jan 20, 2005 5:23 pm
by spavkov
Hi!

Is there a way to forbid ONLY the Windows file sharing between my users?
This needs to be done for users that are logged in to the hotspot, and also
for users that are not logged in...

How could this be done???

Maybe firewall > forward chain????

One thing: I DO NOT want to turn off DEFAULT FORWARDING...


Any ideas???

Re: How to forbid Windows file sharing in wireless???

Posted: Thu Jan 20, 2005 5:58 pm
by nhalachev
Hi!

Is there a way to forbid ONLY the Windows file sharing between my users?
This needs to be done for users that are logged in to the hotspot, and also
for users that are not logged in...

How could this be done???

Maybe firewall > forward chain????

One thing: I DO NOT want to turn off DEFAULT FORWARDING...


Any ideas???
Yes, uninstall Client for Microsoft Networks on all users' PCs .....
Seriously, you should turn off DEFAULT FORWARDING if your users are within the same IP subnet.

Posted: Thu Jan 20, 2005 6:54 pm
by YazzY
Disallow NetBIOS traffic on your APs by firewalling it out.

Posted: Thu Jan 20, 2005 6:56 pm
by UniKyrn
And then block ports 135-139 TCP/UDP in the forwarding firewall table, which will kill Windows networking between users.

Posted: Thu Jan 20, 2005 9:54 pm
by spavkov
Hi!

Thanks guys for your replies, I tried all that but Windows file sharing still works...

Because I have a hotspot with the address login method enabled, my users can log in to the hotspot, but they can also skip the login procedure and communicate between themselves freely because default forwarding is ON...

Is there a way to forbid users that are not logged in from using Windows file sharing, and the same for users that ARE logged in???

Can somebody send a more detailed reply...???
For example:
In what firewall chains should I put rules for users that are not logged in?
And for those that are logged in???


Please help, I need this ....
:lol:

Posted: Thu Jan 20, 2005 10:04 pm
by YazzY
Just disallow the following in your forward chain:
netbios-ns 137/tcp # NETBIOS Name Service
netbios-ns 137/udp
netbios-dgm 138/tcp # NETBIOS Datagram Service
netbios-dgm 138/udp
netbios-ssn 139/tcp # NETBIOS session service
netbios-ssn 139/udp

Another piece of advice is to set up a syslog server and log all your firewall traffic to it, then analyze it, see what happens and block the desired stuff.
And why in heavens do you want to enable default forwarding?
Your users will abuse your links and set up services on their private networks eating up all your BW.
You should at least set up some shaping.

Posted: Thu Jan 20, 2005 10:13 pm
by savage
You need to block 445 (TCP & UDP) as well. This port is used for a newer version (extension) of NetBIOS introduced in XP.

Posted: Thu Jan 20, 2005 10:17 pm
by UniKyrn
And is one of the most abused ports by internet worms as well.

Posted: Thu Jan 20, 2005 11:44 pm
by spavkov
hmm...

Thanks for the advice, people....

Maybe I will disable default forwarding after all...

Thanks again for your help, guys.....

Respect!

Posted: Sat Jan 22, 2005 7:11 pm
by gianluca
All this is very interesting. We would like to set up a file sharing system (traffic will be using PPPoE to the MikroTik PPPoE server concentrator).

We are thinking about Direct Connect and of course disabling Windows sharing.

Any suggestion?

Posted: Wed Jan 26, 2005 4:31 pm
by Yuri
1. Disable default forwarding
2. In the DHCP server for Radionet you need to set the mask to 32 (255.255.255.255), but leave the parameters of the net the same.
For example:
/ ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.253 netmask=32

3. Only AFTER these steps CAN you set up firewalls and shapers

Thus the size of the net is 24, the client has a /32 net and ALL traffic will be sent through the gateway.

But there is still one problem: if a client connects to a PPTP server in another network, ALL LOCAL traffic will go through the VPN tunnel.

For now I don't know how to solve this problem :(
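Putting YazzY's port list, savage's port 445 addition and Yuri's three steps together as one RouterOS configuration (an added example, not a configuration posted in the thread). It assumes RouterOS v2.9-style syntax, a wireless interface named wlan1, an existing hotspot setup, and reuses Yuri's 192.168.0.0/24 example addressing.

```routeros
# Step 1 (Yuri, nhalachev): stop the AP from bridging client-to-client frames
# itself, so traffic between users has to be routed and hits the forward chain.
# With default forwarding on, the firewall never sees that traffic, which is
# why the forward-chain rules alone did not work for spavkov.
/interface wireless set wlan1 default-forwarding=no

# Step 2 (Yuri): hand every client a /32 so that even users inside the same
# /24 send all traffic via the gateway instead of talking to each other directly.
/ip dhcp-server network add address=192.168.0.0/24 gateway=192.168.0.253 netmask=32

# Step 3 (YazzY, UniKyrn, savage): drop Windows networking between wireless
# clients: 135 (RPC endpoint mapper), 137-139 (NetBIOS name/datagram/session)
# and 445 (SMB directly over TCP). Matching in- and out-interface keeps the
# rules to client-to-client traffic only; Internet access is left alone.
/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=wlan1 protocol=tcp dst-port=135-139 action=drop comment="no NetBIOS between wireless users"
add chain=forward in-interface=wlan1 out-interface=wlan1 protocol=udp dst-port=135-139 action=drop
add chain=forward in-interface=wlan1 out-interface=wlan1 protocol=tcp dst-port=445 action=drop comment="no SMB over TCP between wireless users"
add chain=forward in-interface=wlan1 out-interface=wlan1 protocol=udp dst-port=445 action=drop
```

These rules only match traffic routed between two wireless clients; whether a not-logged-in client may reach anything else is still decided by the hotspot's own dynamic rules and the rest of the forward chain.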

Posted: Wed Jan 26, 2005 4:55 pm
by UniKyrn
I doubt what goes through the VPN is a problem anyway; the goal is to keep Windows users on the same AP from doing something stupid like leaving their file shares available to every other user of the AP, I believe. :)