[Mikrotik] Restrict hotspot interface from snooping

Rory McCann rmm.lists at gmail.com
Wed Jun 6 09:14:27 CDT 2012


I guess the way I do it is by creating deny actions involving 
communication between subnets, eg:

/ip firewall filter
add action=drop chain=forward disabled=no dst-address=192.168.2.0/28 src-address=192.168.1.0/24
add action=drop chain=forward disabled=no dst-address=192.168.1.0/24 src-address=192.168.2.0/28

From there you could create some rules preventing Winbox, Telnet, etc 
access to the router on your "public AP subnet". I've done this on one 
of my routers with masquerade rules and it works fine. I can't see or 
talk to the other subnet.

Rory McCann
Minn-Kota Ag Products
P: 701-403-4877 | E: rory at mkap.com
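A fuller version of the same approach, added here as an example and not taken from any message in the thread. It assumes a guest virtual AP named wlan-guest on 172.31.31.0/24, an office LAN on ether2 at 192.168.1.0/24, and WAN on ether1 with masquerade; interface and subnet names are placeholders. It also covers Josh's masquerade question: filter rules (input and forward) are evaluated before srcnat, so src-address still matches the guest's private address even though the packet is masqueraded on the way out.

```routeros
# Added example, not configuration from the list thread.
# Assumed layout (placeholders): guest AP = wlan-guest, 172.31.31.0/24
#                                office LAN = ether2, 192.168.1.0/24
#                                WAN = ether1, masqueraded
/ip firewall filter
# input chain: the guest subnet may use the router only for DHCP and DNS,
# so Winbox, Telnet, SSH and the web interface are unreachable from it
add chain=input in-interface=wlan-guest connection-state=established,related action=accept
add chain=input in-interface=wlan-guest protocol=udp dst-port=67 action=accept comment="guest DHCP"
add chain=input in-interface=wlan-guest protocol=udp dst-port=53 action=accept comment="guest DNS"
add chain=input in-interface=wlan-guest protocol=tcp dst-port=53 action=accept comment="guest DNS"
add chain=input in-interface=wlan-guest action=drop comment="no management access from guests"
# forward chain: block guest<->office in both directions, then allow only
# guest->WAN and drop whatever else arrives from the guest interface.
# These run before srcnat, so the 172.31.31.0/24 source still matches.
add chain=forward src-address=172.31.31.0/24 dst-address=192.168.1.0/24 action=drop comment="guest -> office"
add chain=forward src-address=192.168.1.0/24 dst-address=172.31.31.0/24 action=drop comment="office -> guest"
add chain=forward in-interface=wlan-guest out-interface=ether1 action=accept comment="guest -> internet"
add chain=forward in-interface=wlan-guest action=drop comment="guest -> anything else"
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

After applying it, `/ip firewall filter print stats` from the trusted side shows which rule a test connection from the guest AP actually hit, which is the quickest way to confirm the drops fire before the masquerade.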


On 6/6/2012 9:01 AM, Josh Luthman wrote:
> Doing that now with an address list.  It feels messy, though.
>
> Josh Luthman
> Office: 937-552-2340
> Direct: 937-552-2343
> 1100 Wayne St
> Suite 1337
> Troy, OH 45373
> On Jun 6, 2012 9:59 AM, "Scott Reed"<sreed at nwwnet.net>  wrote:
>
>> Deny those addresses before the accept the port
>>
>>
>> On 6/6/2012 9:34 AM, Josh Luthman wrote:
>>
>>> That would let them snoop on the office network.
>>>
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>> On Jun 6, 2012 7:50 AM, "Scott Reed"<sreed at nwwnet.net>   wrote:
>>>
>>>> What about accept src-address=172.31.31.0/24 out-interface=WAN
>>>> and deny everything else?
>>>>
>>>> On 6/6/2012 1:20 AM, Josh Luthman wrote:
>>>>
>>>>> I have an unsecured wifi (virtual AP) on my home router.  I don't mind
>>>>> people using it.  I do want to make it impossible for them to ever
>>>>> reach anything they shouldn't.  If I do a new subnet on ether5 or my
>>>>> known subnet on ether2 (home LAN).
>>>>>
>>>>> I was thinking I could do something like accept
>>>>> src-address=172.31.31.0/24 dst-address=gateway and then drop
>>>>> everything else with that src but if it's masqueraded, would that
>>>>> work?  Doesn't seem to, but I haven't tested it thoroughly.
>>>>>
>>>>> Any other suggestions or methods to try?
>>>>>
>>>>> Josh Luthman
>>>>> Office: 937-552-2340
>>>>> Direct: 937-552-2343
>>>>> 1100 Wayne St
>>>>> Suite 1337
>>>>> Troy, OH 45373
>>>>> _______________________________________________
>>>>> Mikrotik mailing list
>>>>> Mikrotik at mail.butchevans.com
>>>>> http://www.butchevans.com/mailman/listinfo/mikrotik
>>>>> Visit http://blog.butchevans.com/ for tutorials related to Mikrotik RouterOS
>>>>>
>>>>>
>>>>>
>>>>>
>>>>>
>>>> --
>>>> Scott Reed
>>>> Owner
>>>> NewWays Networking, LLC
>>>> Wireless Networking
>>>> Network Design, Installation and Administration
>>>>
>>>>
>>>>
>>>> Mikrotik Advanced Certified
>>>>
>>>> www.nwwnet.net
>>>> (765) 855-1060
>>>> (765) 439-4253
>>>> (855) 231-6239
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>> --
>> Scott Reed
>> Owner
>> NewWays Networking, LLC
>> Wireless Networking
>> Network Design, Installation and Administration
>>
>>
>>
>> Mikrotik Advanced Certified
>>
>> www.nwwnet.net
>> (765) 855-1060
>> (765) 439-4253
>> (855) 231-6239
>>
>>
>>
