Hi!
I try to block connection sharing for users from one of th hotspot user profile.
I try to set outgoing-packet-mark in specified hotspot user profile and then set ttl value in mangle rule based on the packet mark set in hotspot. But there is no one packet in mangle rule statistics - it seems most likely packets are not marked - so ANY rule based on mark have nothing to do.
Is there any good way to avoid Internet sharing for specified (by hotspot profile) user?

thanks and regards!
kjagus

Hi!
I try to block connection sharing for users from one of th hotspot user profile.
I try to set outgoing-packet-mark in specified hotspot user profile

Code: Select all

 2   name="BASIC" keepalive-timeout=10m status-autorefresh=1m 
     shared-users=unlimited rate-limit="32k/256k" incoming-filter="no-p2p" 
     outgoing-filter="no-p2p" incoming-packet-mark="ttl" 
     outgoing-packet-mark="ttl" transparent-proxy=yes open-status-page=always 
     advertise=no 

and then set ttl value in mangle rule based on the packet mark set in hotspot.

Code: Select all

 0   chain=postrouting out-interface==Klienci-bridge packet-mark=ttl 
     action=change-ttl new-ttl=set:2

But there is no one packet in mangle rule statistics - it seems most likely packets are not marked - so ANY rule based on mark have nothing to do.
Is there any good way to avoid Internet sharing for specified (by hotspot profile) user?

thanks and regards!
kjagus

You cant block ICS...

serious!!!

no option to stop ICS or NAT on the client side?

if there is any option... how to set it up !

thank u

not possible at all...

of course not - how can you tell what your client is doing in his local network?

exactly my point

Once the packet is properly translated, there is nothing in the packet to identify it as coming from a different network...

ttl is decremented

"ONLY" if you use ICS ???

i think the best way around this is to use session limitation.

Nazem you're Lebanese and you have your work in Iraq? what kind of work?

thanks

Perhaps the only way could be to limit the number of simoultaneous connections (connlimit) that one user could do (40-60) if your client is sharing with others there would be more connections and they are going to be droped, the only problem is that if the other users use all the connections the ICS computer wont be able to use the internet.

In most cases TTL limit is good... until user don't know how to modify ttl value. I know, that it is no problem for anybody on this forum, but TTL limit IS problem for most of my customers. They are "ordinary people", not guru

I block ics on iptables :

I use in linux box :

iptables -I FORWARD -m ttl --ttl-lt 127 -j DROP (block nat in windows)

or

iptables -I FORWARD -m ttl --ttl-lt 63 -j DROP (block nat in linux)


And Mikrotik?

How translate this rules to Mikrotik?

Or drop all packets if ttl is lower than 128 if you`ve got only windows hosts.

Hi!
I try to block connection sharing for users from one of th hotspot user profile.
I try to set outgoing-packet-mark in specified hotspot user profile

Code: Select all

 2   name="BASIC" keepalive-timeout=10m status-autorefresh=1m 
     shared-users=unlimited rate-limit="32k/256k" incoming-filter="no-p2p" 
     outgoing-filter="no-p2p" incoming-packet-mark="ttl" 
     outgoing-packet-mark="ttl" transparent-proxy=yes open-status-page=always 
     advertise=no 

and then set ttl value in mangle rule based on the packet mark set in hotspot.

Code: Select all

 0   chain=postrouting out-interface==Klienci-bridge packet-mark=ttl 
     action=change-ttl new-ttl=set:2

But there is no one packet in mangle rule statistics - it seems most likely packets are not marked - so ANY rule based on mark have nothing to do.
Is there any good way to avoid Internet sharing for specified (by hotspot profile) user?

thanks and regards!
kjagus

What is the problem exactly? I think you are on the wrong way to solving it.