Hi,

is it possible by a Firewall Foward Rule to force some packet from an interface ( lets say WLAN1 ) to go for the next step to the Gateway IP.

Here is an exemple;
We already deactivate " Default Foward " on eatch WLAN interface on ALL of our AP and we also use " Split Horizon " on our bridge so that traffic can go from a WLAN interface to an other WLAN interface.

But some RouterBoard are connected to the same dummy switch ( in this case, a DSL modem with 4 ports switch build-in ), so traffic can go from a client on WLAN1 of AP1 to a client of an other wireless interface of an other RouterBoard connected to the same DSL modem.

So my question is .... Is there any way to force packet from an interface ( WLAN ) to go directly to the Gateway by a foward rule ?

It will be great to have this functionality ! Most DSLAM or WIMAX Base Station have this functionality so that even if we connect many Base Station or DSLAM on the same layer 2 network ( VLAN for example ) client of eatch DSLAM or BaseStation will not be able to ping eatch other or exchange packet directly. The packet will have to go thru the gateway where we can filter connexion type !

Nobody give a reply on this thread ...

Today I was searching the same thing an other time on Google ... and the first link was my own thread on this forum ...

But this time, I check all the possibility myself an think I find exactly what I search for more that a year ago ...


Suppose you have a central hotspot controller ( Maybe a 750G ) and many AP ( maybe 751U 2HnD ) bridged together in the same vlan. But you don't want a client on AP 1 on the first floor of the building to talk to a client on AP 3 directly. You want to force all traffic by the hotspot controller ... ( And possibly deny traffic between client in hotel situation etc ... )


On each AP you will probably already have a bridge to bridge together an ethernet port and the wireless interface that broadcast the hotspot SSID... The magic is just after that ....

You simply have to add a rule to make the DST-MAC of each packet that coming from the wireless lan, the mac-address of the gateway in your network.
This way, all the packet that client send will be transmit directly to the gateway ( in this case, let say an hotspot service on a RB750G ) and for example in an hotel deployment each client will not be able to see the windows share or iTunes library of other client in the hotel....

And this without having to run the hotspot service directly on eatch AP

** Don't miss to also deactivate " Default Foward " on eatch WLAN interface to be sure that client on the same AP will not be able to talk to each other ...

I've never done that kind of wifi deployments before, that your solution could be usefull to address that "interclient" traffic

Thanks!!