krg
just joined
Topic Author
Posts: 3
Joined: Sun Dec 22, 2013 10:21 pm

Blocking subnet from anything but internet access?

Sun Dec 22, 2013 10:31 pm

Hello,

After much ado I have a router running with three wireless networks: one private, one vipguests and one guests. But I fail at the last step, blocking anything but internet access and hotspot login for the two guest networks. So far the guests seem to be unable to reach the private subnet, but they can still see the webfig of the router. I'd rather be sure that all but internet is dropped. I have locked myself out with final drop-all rules twice now and would appreciate some help!

Here's what I have so far:

/ip firewall address-list
add address=172.20.3.0/24 list=vipguests
add address=192.168.45.0/24 list=guests
add address=10.23.5.0/24 list=private

/ip firewall filter
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=forward comment="vipguests -> private" dst-address-list=private src-address-list=vipguests
add action=drop chain=forward comment="guests -> private" dst-address-list=private src-address-list=guests
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid

/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=172.20.3.0/24
add action=masquerade chain=srcnat comment="masquerade hotspot network" src-address=192.168.45.0/24
 
aaronhun22
Frequent Visitor
Posts: 97
Joined: Fri Nov 15, 2013 2:15 am
Location: Las Vegas, Nevada, USA

Re: Blocking subnet from anything but internet access?

Tue Dec 24, 2013 1:51 am

This will drop all requests to webmin (assuming it's still port 80) from the 172.20.3.0/24 network.
/ip firewall filter add chain=input protocol=tcp dst-port=80 src-address-list=vipguests action=drop
 
krg
just joined
Topic Author
Posts: 3
Joined: Sun Dec 22, 2013 10:21 pm

Re: Blocking subnet from anything but internet access?

Wed Dec 25, 2013 11:04 pm

I would prefer to block them entirely, from all ports, but still let them access 192.168.45.1:80 and 172.20.3.1:80 for hotspot auth. And I realise all of them, 10.23.5.1, 172.20.3.1 and 192.168.45.1, are on the same machine :P

I've made changes, added bridges rather than address-lists, and seem to be able to block them entirely from 10.23.5.0/24, except that they are still reaching 10.23.5.1!?

Please see output below:

/ip firewall filter
add chain=input comment="Accept established input" connection-state=established
add chain=input comment="Accept related input" connection-state=related
add chain=input comment="Accept ICMP input" protocol=icmp
add chain=input comment="Accept MikroTik Neighbour Discovery" dst-address=255.255.255.255 dst-port=5678 protocol=udp

Accepts DHCP and DNS from guests
add chain=input dst-port=67,53 in-interface=bridge-guests protocol=udp
add chain=input dst-port=67,53 in-interface=bridge-vipguests protocol=udp
add chain=input dst-port=53 in-interface=bridge-vipguests protocol=tcp
add chain=input dst-port=53 in-interface=bridge-guests protocol=tcp

These are disabled, yet they are still able to reach hotspot auth on port 80...
add chain=input comment="Let guests authenticate to hotspotserver" disabled=yes dst-address=192.168.45.1 dst-port=80 protocol=tcp
add chain=input disabled=yes dst-address=172.20.3.1 dst-port=80 protocol=tcp

"Log/drop guests connecting to router"
add action=log chain=input in-interface=bridge-guests log-prefix=Guest->router
add action=log chain=input in-interface=bridge-vipguests log-prefix=Guest->router
add action=drop chain=input in-interface=bridge-guests
add action=drop chain=input in-interface=bridge-vipguests
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway

add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related

"Log/drop guests connecting to bridge-private"
add action=log chain=forward in-interface=bridge-guests log-prefix=Guest->privat out-interface=bridge-private
add action=log chain=forward in-interface=bridge-vipguests log-prefix=Guest->privat out-interface=bridge-private
add action=drop chain=forward in-interface=bridge-guests out-interface=bridge-private
add action=drop chain=forward in-interface=bridge-vipguests out-interface=bridge-private

add action=drop chain=forward comment="Dont forward invalid packets" connection-state=invalid


I would really appreciate help; I suspect it is very close =)
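A complete ruleset for the setup described in this thread, added here as an example; it is not configuration posted by krg or aaronhun22. It assumes the names from the second post (bridge-private with 10.23.5.0/24, bridge-vipguests with 172.20.3.0/24, bridge-guests with 192.168.45.0/24, WAN on ether1-gateway) and a hotspot server on each guest bridge. Two things explain the symptoms in the posted rules. First, the hotspot server installs its own dynamic rules (flag D in `/ip firewall filter print`) above every static rule, including a jump to chain hs-input that accepts the login page, so port 80 on 192.168.45.1 and 172.20.3.1 stays reachable whether or not the explicit port-80 accepts are enabled. Second, the generic "Accept ICMP input" rule sits above the guest drop rules, so guests can still ping 10.23.5.1. The example below moves the guest drops above the ICMP accept and matches forwarded traffic against an address list rather than a single out-interface, so guests are cut off from every local subnet, not only bridge-private.

```routeros
# Added example: guest isolation with hotspot login kept working.
# Assumed names (from the thread): bridge-private 10.23.5.0/24,
# bridge-vipguests 172.20.3.0/24, bridge-guests 192.168.45.0/24,
# WAN on ether1-gateway, a hotspot server on each guest bridge.
# Enter Safe Mode first (Ctrl-X in the terminal, or the Safe Mode button
# in WinBox) so a mistake in the final drop rules rolls back instead of
# locking you out.

/ip firewall address-list
# Everything a guest must never reach by routing through this box.
add list=local-nets address=10.23.5.0/24 comment="private LAN"
add list=local-nets address=172.20.3.0/24 comment="vipguests"
add list=local-nets address=192.168.45.0/24 comment="guests"
# The rest of RFC1918 as well, in case more LANs appear later.
add list=local-nets address=10.0.0.0/8 comment="RFC1918"
add list=local-nets address=172.16.0.0/12 comment="RFC1918"
add list=local-nets address=192.168.0.0/16 comment="RFC1918"

/ip firewall filter
# ---- input: packets addressed to the router itself ----
# RouterOS inserts the hotspot server's dynamic jump to hs-input above all
# of these; that jump is what accepts the login page on the guest bridges.
add chain=input connection-state=established,related action=accept comment="accept established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# Guest bridges: DHCP and DNS only, then drop. These sit ABOVE the generic
# ICMP accept, otherwise guests keep pinging 10.23.5.1 and friends.
add chain=input in-interface=bridge-guests protocol=udp dst-port=67,53 action=accept comment="guests: DHCP+DNS"
add chain=input in-interface=bridge-guests protocol=tcp dst-port=53 action=accept comment="guests: DNS/tcp"
add chain=input in-interface=bridge-guests action=drop log=yes log-prefix="guest->router" comment="guests: drop everything else"
add chain=input in-interface=bridge-vipguests protocol=udp dst-port=67,53 action=accept comment="vipguests: DHCP+DNS"
add chain=input in-interface=bridge-vipguests protocol=tcp dst-port=53 action=accept comment="vipguests: DNS/tcp"
add chain=input in-interface=bridge-vipguests action=drop log=yes log-prefix="vipguest->router" comment="vipguests: drop everything else"
# WAN: nothing new may reach the router from the internet.
add chain=input in-interface=ether1-gateway action=drop comment="WAN: drop"
# What is left is bridge-private: ping and management from there only.
add chain=input in-interface=bridge-private action=accept comment="private LAN: full access to router"
add chain=input action=drop comment="input: default deny"

# ---- forward: packets routed through the router ----
add chain=forward connection-state=established,related action=accept comment="accept established/related"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Guests may not reach ANY local subnet (not just bridge-private) but may
# go out to the internet. Matching the address list instead of a single
# out-interface also covers guest-to-guest traffic and any LAN added later.
add chain=forward in-interface=bridge-guests dst-address-list=local-nets action=drop log=yes log-prefix="guest->local" comment="guests: no local subnets"
add chain=forward in-interface=bridge-vipguests dst-address-list=local-nets action=drop log=yes log-prefix="vipguest->local" comment="vipguests: no local subnets"
add chain=forward in-interface=bridge-guests out-interface=ether1-gateway action=accept comment="guests: internet only"
add chain=forward in-interface=bridge-vipguests out-interface=ether1-gateway action=accept comment="vipguests: internet only"
add chain=forward in-interface=bridge-private action=accept comment="private LAN: anywhere"
add chain=forward action=drop comment="forward: default deny"
```

After applying this, check `/ip firewall filter print` to see the dynamic hotspot rules listed first with the D flag, then from a guest client confirm that the login page still loads, that ping to 10.23.5.1 and browsing to the router on any port now fail, and that the "guest->router" and "guest->local" prefixes show up in `/log print`. Only once that holds should you leave Safe Mode; the final drop rules in both chains are exactly what caused the lockouts described in the first post when placed without an accept for bridge-private above them.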