I would like to block all traffic between my internet subscribers.
But I do not want to block traffic between my infrastructure equipment. I keep my infrastructure on a separate IP address range from my customers.
Network: 172.16.0.0/20
Infrastructure: 172.16.0.1-172.16.0.254
Customers: 172.16.1.1-172.16.15.254
I have the customers' addresses and the infrastructure addresses in separate /ip firewall address-lists.
I was thinking of implementing a rule that blocks traffic where source and destination IP both match the customer address list, like below:
/ip firewall filter add chain=forward src-address-list=clients dst-address-list=clients action=drop comment="Block interclient traffic" disabled=no
This rule seems to work well, but if two people are connected to the same radio, it does not block at all.
If anyone else has tried to block traffic between their customers before, I would like to hear how they did it, or point out any problems with the rule I am using.
Thanks!
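The configuration below is an added example, not part of the original post. It assembles the address lists and the drop rule from the post with the two settings that decide whether the IP firewall ever sees subscriber-to-subscriber traffic: a MikroTik wireless AP forwards frames between its own clients at layer 2 unless default-forwarding is off, and traffic switched inside a bridge bypasses the forward chain unless the bridge is told to use the IP firewall. Both settings are standard RouterOS options; the interface name wlan1 and the use of a bridge are assumptions for the example, while the address ranges come from the post.

```routeros
# Address lists: infrastructure block and customer range (ranges from the post)
/ip firewall address-list
add list=infrastructure address=172.16.0.0/24 comment="Infrastructure management range"
add list=clients address=172.16.1.1-172.16.15.254 comment="Subscriber range"

# Drop customer-to-customer traffic that is routed through this device.
# Placed before any generic forward accept rule so it is evaluated first.
/ip firewall filter
add chain=forward src-address-list=clients dst-address-list=clients \
    action=drop comment="Block interclient traffic" disabled=no

# Traffic switched between ports of a bridge never enters the forward chain
# unless the bridge hands bridged IP packets to the IP firewall.
/interface bridge settings
set use-ip-firewall=yes

# Two clients on the same AP talk through the radio itself, below the IP
# firewall. Turning off client-to-client forwarding on the AP stops that path.
# (wlan1 is an assumed interface name.)
/interface wireless
set [ find name="wlan1" ] default-forwarding=no

# Sanity checks: confirm the lists hold the intended ranges and that the
# drop rule's packet counter increases when one subscriber probes another.
/ip firewall address-list print where list=clients
/ip firewall filter print stats where comment="Block interclient traffic"
```

A quick way to verify the isolation end to end is to run a ping from one subscriber address to another and watch the counters on the drop rule: if the counter stays at zero while the ping succeeds, the traffic is taking a layer 2 path (same radio or same bridge) that the forward chain never inspects, and the wireless or bridge setting above is the one to look at.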