namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

block the modem page except ip

Wed Nov 11, 2009 8:10 am

I want to block the ADSL modem page, so I use the command
/ip firewall filter add chain=forward action=drop src-address-list=!192.168.1.254/32 dst-address=192.168.0.10/32
But I can still view the modem page from other IPs.


Note:
My modem's LAN IP is 192.168.0.10, subnet 255.255.255.0
My MikroTik router's WAN IP is 192.168.0.70/24
MikroTik router LAN: 192.168.1.1/24
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Wed Nov 11, 2009 9:48 am

This method worked for a website IP, but it doesn't seem to block the modem page for other Hotspot users.
 
bens
just joined
Posts: 11
Joined: Wed Aug 19, 2009 5:36 am

Re: block the modem page except ip

Wed Nov 11, 2009 10:44 am

Hi there,

try
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=drop

This will block all traffic from your LAN network going to the WAN network, including the modem.

Make sure this rule is at the top of the list, before any allow rules.

Another thing to check that has caused me issues is the masquerading rule.

I find it works best as

/ip firewall nat add chain=srcnat out-interface="your wan interface here" action=masquerade
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Fri Sep 03, 2010 8:56 am

> Hi there,
>
> try
> /ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=192.168.0.0/24 action=drop
>
> This will block all traffic from your LAN network going to the WAN network, including the modem.
>
> Make sure this rule is at the top of the list, before any allow rules.
>
> Another thing to check that has caused me issues is the masquerading rule.
>
> I find it works best as
>
> /ip firewall nat add chain=srcnat out-interface="your wan interface here" action=masquerade

It didn't work. Besides, I want the IP 192.168.1.254 to be able to access the modem page, but not other IPs.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: block the modem page except ip

Fri Sep 03, 2010 2:59 pm

Post the output of "/ip firewall nat export" and "/ip address print".
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Sat Sep 04, 2010 3:27 am

> Post the output of "/ip firewall nat export" and "/ip address print".
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" \
    disabled=yes
add action=masquerade chain=srcnat comment="masquerade hotspot network" disabled=\
    no src-address=192.168.1.0/24
add action=masquerade chain=src-nat comment="" disabled=yes out-interface=outside1
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE                
 0   192.168.1.1/24     192.168.1.0     192.168.2.255   hotspot                     
 1   192.168.0.50/24    192.168.0.0     192.168.0.255   outside1                    
 2   192.168.5.1/32     192.168.5.1     192.168.5.1     hotspot                     


I see that there is an error in the hotspot broadcast, but the internet is working, and when I change it to 192.168.1.255 the internet stops working.
The third line is a fake gateway to prevent NetCut.

Edit: I changed the broadcast to 192.168.1.255 and then rebooted, and the internet works. Still the modem-blocking problem?
Last edited by namo on Sat Sep 04, 2010 4:35 am, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: block the modem page except ip

Sat Sep 04, 2010 4:21 am

/ip firewall filter add chain=forward action=drop src-address=!192.168.1.254 dst-address=192.168.0.10
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Sat Sep 04, 2010 4:37 am

> /ip firewall filter add chain=forward action=drop src-address=!192.168.1.254 dst-address=192.168.0.10

What is the difference from this:

/ip firewall filter add chain=forward action=drop src-address-list=!192.168.1.254/32 dst-address=192.168.0.10/32
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: block the modem page except ip

Sat Sep 04, 2010 4:38 am

Read it.

src-address-list vs src-address. You were referencing an address list that didn't exist.

Also, /32 masks are unnecessary.
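An added example, not from the thread or from MikroTik: a small Python linter for "/ip firewall filter export" output that catches exactly the mistake fewi points out, an address-list reference whose value is an IP or prefix rather than a list name, and also the related case of a list name that no "/ip firewall address-list" entry ever defines. The export text it runs over is constructed for the example, mixing the original broken rule with the corrected one.

```python
import re

# Constructed sample export (not the poster's real one): the thread's broken rule,
# a rule naming a list nobody defined, one using a defined list, and the fix.
SAMPLE_EXPORT = """\
/ip firewall address-list
add address=192.168.1.0/24 list=our-networks
/ip firewall filter
add action=drop chain=forward src-address-list=!192.168.1.254/32 \\
    dst-address=192.168.0.10/32
add action=reject chain=forward src-address-list=24-hour-list
add action=jump chain=forward jump-target=bad-hosts src-address-list=!our-networks
add action=drop chain=forward src-address=!192.168.1.254 dst-address=192.168.0.10
"""

KV = re.compile(r'(\S+?)=("[^"]*"|\S+)')          # key=value or key="quoted value"
IPV4 = re.compile(r"\d+(\.\d+){3}(/\d+)?")        # dotted quad with optional prefix

def parse_export(text):
    """Join backslash-continued lines; return (section, {key: value}) per 'add'."""
    rules, section, buf = [], None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):                   # RouterOS wraps long lines with '\'
            buf = line[:-1] + " "
            continue
        buf = ""
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            rules.append((section, {k: v.strip('"') for k, v in KV.findall(line[4:])}))
    return rules

def lint_address_lists(text):
    """Flag filter rules whose address-list reference can never match anything."""
    rules = parse_export(text)
    defined = {r["list"] for sec, r in rules if sec == "/ip firewall address-list"}
    findings = []
    for sec, r in rules:
        if sec != "/ip firewall filter":
            continue
        for key in (k for k in ("src-address-list", "dst-address-list") if k in r):
            name = r[key].lstrip("!")             # a leading '!' negates the match
            if IPV4.fullmatch(name):              # the thread's bug: an IP where a list name goes
                findings.append(f"{key}={r[key]}: value is an address, use {key[:-5]}= instead")
            elif name not in defined:
                findings.append(f"{key}={r[key]}: address list '{name}' is never defined")
    return findings
```

Running lint_address_lists(SAMPLE_EXPORT) reports the original rule and the undefined 24-hour-list, and stays silent on the corrected src-address= rule.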
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Sat Sep 04, 2010 4:48 am

> Read it.
>
> src-address-list vs src-address. You were referencing an address list that didn't exist.
>
> Also, /32 masks are unnecessary.

The modem page still works with all IPs.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: block the modem page except ip

Sat Sep 04, 2010 4:51 am

Post the output of "/ip firewall filter export".
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Sat Sep 04, 2010 5:41 am

add action=drop chain=forward comment="" disabled=no dst-address=\
    192.168.0.10 src-address=!192.168.1.254
add action=drop chain=input comment="" disabled=no dst-port=\
    21,22,23,80,443,8291,8728 protocol=tcp src-address=!192.168.1.254
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=reject chain=forward comment="Reject if in the 24-hour-list" \
    disabled=yes reject-with=icmp-network-unreachable src-address-list=\
    24-hour-list
add action=jump chain=forward comment="Check if dest is an open customer" \
    disabled=no dst-address-list=open-customers jump-target=open-customers
add action=jump chain=forward comment="Check Known Bad Hosts" disabled=no \
    jump-target=bad-hosts
add action=reject chain=forward comment="Reject if in the 24-hour-list" \
    disabled=no reject-with=icmp-network-unreachable src-address-list=\
    24-hour-list
add action=return chain=bad-host-detection comment="Take no action on bogons" \
    disabled=no src-address-list=bogons
add action=add-src-to-address-list address-list=30-seond-list \
    address-list-timeout=30s chain=bad-host-detection comment=\
    "Add to the 30 second list" disabled=no dst-address=192.168.1.0/24 \
    dst-port=137 protocol=udp src-address=192.168.1.0/24 src-port=137
add action=return chain=bad-host-detection comment="" disabled=no
add action=jump chain=forward comment="jump to the bad-host-detection chain" \
    disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=jump chain=forward comment="jump to the bad-host-detection chain" \
    disabled=no jump-target=bad-host-detection src-address-list=!our-networks
add action=log chain=forward comment="log and reject the rest" disabled=yes \
    log-prefix=""
add action=reject chain=forward comment="" disabled=yes reject-with=\
    icmp-network-unreachable
add action=accept chain=forward comment="" disabled=yes dst-port=1863 \
    protocol=tcp
add action=accept chain=forward comment="" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=output comment="" disabled=no protocol=udp src-port=\
    5678
add action=add-src-to-address-list address-list=src-conficker \
    address-list-timeout=3d chain=forward comment=\
    "ADD to address-list src-conficker" disabled=no dst-address-list=\
    conficker
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: block the modem page except ip

Sat Sep 04, 2010 5:55 am

With that rule at the top of the forward chain I don't see how ANY client can access 192.168.0.10. You're NAT'd out the outside interface to 192.168.0.50 so not even 192.168.1.254 should be able to get to the modem.

I don't know what I'm missing but I grudgingly give up.
 
namo
Long time Member
Topic Author
Posts: 530
Joined: Sat Oct 03, 2009 4:44 pm

Re: block the modem page except ip

Sat Sep 04, 2010 8:30 am

Thank you anyway, fewi. There is one thing I didn't understand in
Flags: X - disabled, I - invalid, D - dynamic
#   ADDRESS            NETWORK         BROADCAST       INTERFACE               
0   192.168.1.1/24     192.168.1.0     192.168.2.255   hotspot                     
1   192.168.0.50/24    192.168.0.0     192.168.0.255   outside1                   
2   192.168.5.1/32     192.168.5.1     192.168.5.1     hotspot     


How come the broadcast IP on hotspot was 192.168.2.255 and everything was working fine? Is it better now that I changed it to 192.168.1.255? Did I change it before for a purpose that I forgot?!
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: block the modem page except ip

Sat Sep 04, 2010 3:13 pm

Did you enter an ip/netmask of 192.168.2.1/24 initially, then edit the ip/netmask or do some other edit on that entry? If you edit the ip/netmask, it does not change the broadcast address.
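An added example (not from the thread): the "/ip address print" table posted above, run through a Python check that recomputes the network and broadcast from each address/prefix and reports any row where the printed values disagree, which is how the stale 192.168.2.255 on the hotspot interface would have been spotted without reading the table by eye.

```python
import ipaddress
import re

# The "/ip address print" table as posted in the thread; row 0 carries the
# stale 192.168.2.255 broadcast that was never recomputed after an edit.
ADDRESS_PRINT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   192.168.1.1/24     192.168.1.0     192.168.2.255   hotspot
 1   192.168.0.50/24    192.168.0.0     192.168.0.255   outside1
 2   192.168.5.1/32     192.168.5.1     192.168.5.1     hotspot
"""

# index, optional flag letters (X/I/D), address/prefix, network, broadcast, interface
ROW = re.compile(r"^\s*\d+\s+(?:[XID]+\s+)?(\S+/\d+)\s+(\S+)\s+(\S+)\s+(\S+)")

def check_addresses(text):
    """Return (interface, address, printed, expected) for every row whose
    printed network/broadcast pair disagrees with what the prefix implies."""
    bad = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:                       # header and flag legend lines
            continue
        addr, network, bcast, iface = m.groups()
        net = ipaddress.ip_interface(addr).network
        expected = (str(net.network_address), str(net.broadcast_address))
        if (network, bcast) != expected:
            bad.append((iface, addr, (network, bcast), expected))
    return bad
```

Anything this flags is worth removing and re-adding rather than editing in place, given SurferTim's point that editing the ip/netmask does not change the broadcast address.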
