I have a 750 running 4.11 set up as a basic NAT’d router for a small 22-unit apartment complex. Without running hotspot, what is the best method for preventing any host-to-host traffic? There are 3 machines, however, that I do want file sharing allowed between.
How should I proceed?
Thanks.
Hotspots don’t prevent host to host traffic on the same subnet.
Machines on the same subnet don’t use the router to pass traffic between one another; they talk directly. If the machines are wired you have to either use the switching infrastructure to block host-to-host traffic (which has nothing to do with the router), or use the router in bridged mode and write bridge filters.
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Packet_Filter
If the machines are wireless and connect via a radio interface on the router you can either set the default forwarding property to not allow hosts to talk directly via that interface and make access list entries to permit the few hosts that may, or vice versa - whatever makes more sense to you:
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Basic_settings
default-forwarding (yes or no; default value: yes) : This is the value of forwarding for clients that do not match any entry in the access-list.
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Access_lists
forwarding (yes or no) :
no - Client cannot send frames to other stations that are connected to the same access point.
yes - Client can send frames to other stations on the same access point.
If you need more specific help post a lot more details, including a network diagram. The more specific the question, the more specific the answer.
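As an added illustration of both options described above (example configuration written for this page, not from the post or the MikroTik wiki): the RouterOS CLI for a wireless interface with default-forwarding=no plus access-list entries for the three permitted stations, and a software bridge over the wired LAN ports with bridge filters that only allow forwarding between the two ports the permitted machines sit on. The interface names (wlan1, ether2-ether5, bridge-lan), the MAC addresses and the 192.168.88.1/24 address are assumptions. Two caveats: the wireless forwarding flag is enforced on the sending station, so a listed client can reach the others but an unlisted one cannot answer, which is the behaviour you want; and bridge filters only see frames crossing between the router's own ports, so machines hanging off one unmanaged switch on a single port still reach each other directly, and if the board groups ports on its switch chip (master-port) that group has to be broken up first or the traffic never reaches the bridge.

```routeros
# --- Wireless clients on wlan1 (interface name assumed) ---
# Unlisted stations may not send frames to other stations on this AP.
/interface wireless set wlan1 default-forwarding=no
# The three file-sharing machines (MAC addresses are placeholders) may.
/interface wireless access-list
add interface=wlan1 mac-address=00:11:22:AA:BB:01 forwarding=yes comment="shared host 1"
add interface=wlan1 mac-address=00:11:22:AA:BB:02 forwarding=yes comment="shared host 2"
add interface=wlan1 mac-address=00:11:22:AA:BB:03 forwarding=yes comment="shared host 3"

# --- Wired clients on ether2-ether5 ---
# Make sure the ports are not switched in hardware; otherwise port-to-port
# frames bypass the CPU and the bridge filter never sees them.
/interface ethernet
set ether3 master-port=none
set ether4 master-port=none
set ether5 master-port=none
/interface bridge add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
add bridge=bridge-lan interface=ether4
add bridge=bridge-lan interface=ether5
# The router's LAN address (assumed) lives on the bridge. Clients still reach
# the gateway: that is the bridge "input" chain, not "forward", so it is unaffected.
/ip address add address=192.168.88.1/24 interface=bridge-lan
# Only ether2 <-> ether3 (where the permitted machines sit) may forward;
# every other port-to-port frame is dropped.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 action=accept comment="shared hosts"
add chain=forward in-interface=ether3 out-interface=ether2 action=accept comment="shared hosts"
add chain=forward action=drop comment="no other host-to-host forwarding"
```

Check the result with `/interface bridge filter print stats` after generating some traffic between two ports: the drop rule's counters should climb while the two accept rules only move when the permitted machines talk.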
If it’s a wired network, I would run separate networks (vlans) to each apartment. We have a 32 unit apartment complex set up that way and it has been running great for the past 3 to 4 years. The switches are used Cisco. The router is an RB532a. Each apartment has its own private NAT’d network and DHCP server. We use the apartment number as the third octet for each network. That makes it easy to troubleshoot.
Since we moved from a flat network, the complaints and service calls have been very few.
Tom
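A RouterOS sketch of the per-apartment VLAN layout Tom describes, added here as an example (not Tom's actual configuration and not from the wiki). It assumes ether1 faces the ISP, ether2 is an 802.1Q trunk to the managed switch, each apartment's switch port is untagged in its own VLAN with the VLAN ID equal to the apartment number, and the third octet of each 10.0.x.0/24 network is the apartment number; two apartments are shown and the rest follow the same pattern. The router routes between VLANs by default, so the firewall has to drop apartment-to-apartment traffic explicitly. The file-sharing machines are exempted by address list, which only holds if their addresses are fixed, hence the static DHCP leases (MAC addresses are placeholders). Because the shared machines now sit in different broadcast domains, broadcast-based name browsing won't cross between them; map the shares by IP address.

```routeros
# ISP on ether1, VLAN trunk to the managed switch on ether2 (assumed).
/interface vlan
add name=apt-101 vlan-id=101 interface=ether2 comment="apartment 101"
add name=apt-102 vlan-id=102 interface=ether2 comment="apartment 102"

# One /24 per apartment, third octet = apartment number.
/ip address
add address=10.0.101.1/24 interface=apt-101
add address=10.0.102.1/24 interface=apt-102

# A separate DHCP server per VLAN.
/ip pool
add name=pool-101 ranges=10.0.101.10-10.0.101.250
add name=pool-102 ranges=10.0.102.10-10.0.102.250
/ip dhcp-server
add name=dhcp-101 interface=apt-101 address-pool=pool-101 disabled=no
add name=dhcp-102 interface=apt-102 address-pool=pool-102 disabled=no
/ip dhcp-server network
add address=10.0.101.0/24 gateway=10.0.101.1 dns-server=10.0.101.1
add address=10.0.102.0/24 gateway=10.0.102.1 dns-server=10.0.102.1
# The router answers client DNS queries (the DHCP networks above hand it out).
/ip dns set allow-remote-requests=yes

# Pin the file-sharing machines so the firewall exemption stays valid
# (MAC addresses are placeholders).
/ip dhcp-server lease
add server=dhcp-101 address=10.0.101.10 mac-address=00:11:22:AA:BB:01 comment="shared host 1"
add server=dhcp-102 address=10.0.102.10 mac-address=00:11:22:AA:BB:02 comment="shared host 2"

/ip firewall address-list
add list=apartments address=10.0.0.0/16
add list=shared-hosts address=10.0.101.10
add list=shared-hosts address=10.0.102.10

# The router will happily route between VLANs; forbid it except between the
# shared hosts. Internet-bound traffic never matches the drop rule.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward src-address-list=shared-hosts dst-address-list=shared-hosts action=accept comment="file sharing between the permitted machines"
add chain=forward src-address-list=apartments dst-address-list=apartments action=drop comment="no apartment-to-apartment traffic"

# Everything from the apartments leaves NAT'd on the ISP port.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
```

The drop rule matches on the 10.0.0.0/16 address list rather than on interfaces so that adding apartment 103 only means adding its VLAN, address, pool and DHCP server; the firewall needs no change. Verify from a test machine in one apartment that the gateway and the Internet answer while a host in another apartment does not.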
Thanks for the in depth details as always Fewi.
I like the VLAN idea, Roc-Noc. I will need to get a different switch, however. Mine is just a basic D-Link 24-port.
Roc-Noc,
I have read the wiki on setting up VLANs but have yet to practice it. This situation, I believe, would be different from what is covered in the wiki. Can you provide some insight on just how I should set up the 450g to replicate your setup?
Most appreciated fellas!