Good evening, everyone.
I am posting the manual firewall rules for the MikroTik hotspot, FILTER and NAT, for those for whom it does not create them automatically, because I needed them and did not see them anywhere here on the forum. I did it on my server and it worked fine.
These rules were created on version 2.9.27, but I tested them on 3.x and 4.x and they worked very well.
Here are the rules:
FILTER
/ ip firewall filter
add chain=forward hotspot=from-client,!auth action=jump jump-target=hs-unauth \
comment="INICIO FIREWALL HOTSPOT " disabled=no
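# traffic towards unauthenticated clients goes to hs-unauth-to (to-client, not from-client;
# with from-client this rule could never match, because the rule above already takes that traffic)
add chain=forward hotspot=to-client,!auth action=jump \
jump-target=hs-unauth-to comment="" disabled=no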
add chain=input hotspot=from-client action=jump jump-target=hs-input \
comment="" disabled=no
add chain=hs-input action=jump jump-target=pre-hs-input comment="" disabled=no
add chain=hs-input protocol=udp dst-port=64872 action=accept comment="" \
disabled=no
add chain=hs-input protocol=tcp dst-port=64872-64875 action=accept comment="" \
disabled=no
add chain=hs-input hotspot=!auth action=jump jump-target=hs-unauth comment="" \
disabled=no
add chain=hs-unauth protocol=tcp action=reject reject-with=tcp-reset \
comment="" disabled=no
add chain=hs-unauth action=reject reject-with=icmp-net-prohibited comment="" \
disabled=no
add chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited \
comment="FIM FIREWALL HOTSPOT" disabled=no
add chain=input src-address=200.253.201.115 action=drop comment="" disabled=no
add chain=input in-interface=INTERNET protocol=tcp dst-port=3128 action=drop \
comment="BLOQUEIO PROXY EXTERNO" disabled=no
add chain=forward src-address=0.0.0.0 protocol=tcp tcp-flags=syn \
connection-limit=20,24 action=drop comment="N° MÁXIMO DE CONEXÃO - 20" \
disabled=no
NAT
/ ip firewall nat
add chain=dstnat hotspot=from-client action=jump jump-target=hotspot \
comment="INICIO NAT HOTSPOT" disabled=no
add chain=hotspot action=jump jump-target=pre-hotspot comment="" disabled=no
add chain=hotspot protocol=udp dst-port=53 action=redirect to-ports=64872 \
comment="" disabled=no
add chain=hotspot protocol=tcp dst-port=53 action=redirect to-ports=64872 \
comment="" disabled=no
add chain=hotspot protocol=tcp dst-port=80 hotspot=local-dst action=redirect \
to-ports=64873 comment="" disabled=no
add chain=hotspot protocol=tcp dst-port=443 hotspot=local-dst action=redirect \
to-ports=64875 comment="" disabled=no
add chain=hotspot protocol=tcp hotspot=!auth action=jump jump-target=hs-unauth \
comment="" disabled=no
add chain=hotspot protocol=tcp hotspot=auth action=jump jump-target=hs-auth \
comment="" disabled=no
add chain=hs-unauth protocol=tcp dst-port=80 action=redirect to-ports=64874 \
comment="" disabled=no
add chain=hs-unauth protocol=tcp dst-port=3128 action=redirect to-ports=64874 \
comment="" disabled=no
add chain=hs-unauth protocol=tcp dst-port=8080 action=redirect to-ports=64874 \
comment="" disabled=no
add chain=hs-unauth protocol=tcp dst-port=443 action=redirect to-ports=64875 \
comment="" disabled=no
add chain=hs-unauth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp \
comment="" disabled=no
add chain=hs-auth protocol=tcp hotspot=to-client action=redirect \
to-ports=64874 comment="" disabled=no
add chain=hs-auth protocol=tcp dst-port=25 action=jump jump-target=hs-smtp \
comment="FIM NAT HOTSPOT" disabled=no
There are the rules, posted. I don't know if I helped much, but I hope it is useful to someone.