Block hotspot users to see each other (block client-client traffic)

RouterOS General
1

Hi,

I’ve searched the forum and found some hints, but no real solution.
My setup;

  • WAN1/WAN2/WAN3 (Internet access via PPC) - WAN3 only active now.
  • LAN3 (no hotspot)
  • LAN5 (hotspot) – clients are connected to this via cable modems so no AP /wLAN)

The issue I have is, that my clients can see each other (after logon) on the hotspot network (LAN5)
I don’t wan’t that to happen…

I expect it happened when I changed one of the following settings:

  • disabled NAT on the hotspot (LAN5) port, as NAT was already done leaving via WANx.
  • enabled the PPC load balancing feature.

Everything seems to flow fine. Users need to login, when they login they can internet through the router.

Findings;

  • I find strange is that my filter rule ‘Accept / Forward - established/related’ has enormous high -traffic count. Can’t really find the reason for this (does all hotspot traffic also flow throug this rule?)?
  • Seeing dynamics mangle rules (mark) for all hotspot clients (1 for in, 1 for out), but these rules don’t show any traffic?

If you need configuration print/output, please let me know!

Hoping someone can help me,

Remon

2

Please tell me, why the clients use cable modem to connect and use Hotspot for this?

I assume you want to have xxx amount of people to connect. For example 10 users…

Why not use PPPoE which is exactly used for these situations multiple (enormous) amount of users to be allowed or denied access…

Maybe you should consider the possibility to change it to PPPoE, and use an access list.

3

Hi haik,

Thanks for the reply..

I use hotspot to limit the number of simultaneous users per cable modem…

PPPoE would be an hurdle, I dont’t want people to need to configure their phones to use pppoe.

This is not a real answer to my question is it?

Anyone else got an answer?

4

What I mean, is that seemingly your clients use a cable modem for the physical connection. Fine.

So they have cable modems or modem routers at their premises… Correct?

Usually these modems have PPPoE capabilities. Or use MAC authentication, and assign VLAN’s to each MAC. That way you can separate the users without any configuration. VLAN’s can also be used in conjuction with Hotspot.

5

Haik,

Thanks again.

Correct, thay all have a modem, with buildin router/wifi.have to check on pppoe, but mac’s they have :wink:

Can you point me in a direction on how to configure mac authentication and vlan assignment, it sounds like a (clean) solution.

Thanks