Wed Sep 28, 2011 1:22 am
Wirelessly you'd need to disable forwarding on the wireless interface so that frames between users aren't forwarded in hardware on the radio itself. Then all traffic to the router or other APs goes through the firewall, where you can drop it. You may have to include bridge filters here, or turn on use of the IP firewall for bridged interfaces depending on your network. That's for RouterOS APs, if you are using other APs you will have to see if they support client isolation.
For wired connections you will need to buy switches that can implement layer 2 security. Many implementations call these 'private VLANs'. The router is unaware of it, it's all in the switches.
You cannot implement solutions such as 'one VLAN per user'. You'll have to find a way to make your current equipment implement client isolation, or purchase equipment that has such a feature if your current equipment doesn't support it.