hi4ibb
April 2, 2016, 5:52pm
1
hi all,
i made hotspot server as bridge , and i created 11 vlans under ether6, and i put wlan, ether6 , and 11 vlans in bridge ports.
someone give me this filter to prevent clients from seeing ip and mac of other clients in my network ,but really i suffer from connecting with my network and i don’t know if this script good , or need some settings to be good , or i have to try another filter .
this is the filter :
/interface bridge filter
Hi,
in Bridge/Setting/enable Use IP Firewall
then in IP/Firewall add a simple rule which drop packets from same subnet which client are in !
for example drop forwarding packet from 192.168.200.0/24 to 192.168.200.0/24
hi4ibb
April 2, 2016, 7:47pm
3
ShayanFiroozi:
Hi,
in Bridge/Setting/enable Use IP Firewall
then in IP/Firewall add a simple rule which drop packets from same subnet which client are in !
for example drop forwarding packet from 192.168.200.0/24 to 192.168.200.0/24
i
thanks Shayan very much
if you don’t mind would you write ur rule , cause i am not very good in network
by the way my range is 192.168.88.0/24
nxs02
April 3, 2016, 5:14am
5
what he mean is forward chain drop src 192.168.88.0/24 dst 192.168.88.0/24
hi4ibb:
hi4ibb:
ShayanFiroozi:
Hi,
in Bridge/Setting/enable Use IP Firewall
then in IP/Firewall add a simple rule which drop packets from same subnet which client are in !
for example drop forwarding packet from 192.168.200.0/24 to 192.168.200.0/24
i
thanks Shayan very much
so i have to delete my filter and write your rule ? or i have to keep me filter ?
if you don’t mind would you write ur rule , cause i am not very good in network
by the way my range is 192.168.88.0/24
Assume your hotspot gateway is 192.168.88.1
you should allow your clients to communicate with their gateway with this 2 rules :
add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
then drop every packets in same subnet(also your 192.168.88.1 would be matched with below rule but before this rule you accepted your gateway packets , so this rule will not be applied on 192.168.88.1)
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24
also disabling “Default forward” feature in your WLAN and set arp to reply only will also help you
nxs02
April 3, 2016, 6:52am
7
bridge horizon also usefull for ports and client isolation
hi4ibb
April 3, 2016, 5:20pm
8
ShayanFiroozi:
Assume your hotspot gateway is 192.168.88.1
you should allow your clients to communicate with their gateway with this 2 rules :
add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
then drop every packets in same subnet(also your 192.168.88.1 would be matched with below rule but before this rule you accepted your gateway packets , so this rule will not be applied on 192.168.88.1)
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24
also disabling “Default forward” feature in your WLAN and set arp to reply only will also help you
thank you Shayan, yes your filter is good, it is an effective in ip scan software, but it is not effective in ip scan software That depend in arp scan .
maybe i have add some settings to make this rule is the best , like i have to go to dhcp server and check feature " add arp for leases" ???
hi4ibb:
ShayanFiroozi:
Assume your hotspot gateway is 192.168.88.1
you should allow your clients to communicate with their gateway with this 2 rules :
add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
then drop every packets in same subnet(also your 192.168.88.1 would be matched with below rule but before this rule you accepted your gateway packets , so this rule will not be applied on 192.168.88.1)
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24
also disabling “Default forward” feature in your WLAN and set arp to reply only will also help you
thank you Shayan, yes your filter is good, it is an effective in ip scan software, but it is not effective in ip scan software That depend in arp scan .
maybe i have add some settings to make this rule is the best , like i have to go to dhcp server and check feature " add arp for leases" ???
Yes , but you should know in a bridged network always there is an security issue , do not bridged unless you have to , routed network are more reliable , more secure , also you have the firewall’s power in L3 !!
jarda
April 4, 2016, 5:24am
11
What about using the bridge horizon to disable the communication between selected bridge ports in the similar way like disabled default forward does it for wifi clients?
ShayanFiroozi:
hi4ibb:
hi4ibb:
ShayanFiroozi:
Hi,
in Bridge/Setting/enable Use IP Firewall
then in IP/Firewall add a simple rule which drop packets from same subnet which client are in !
for example drop forwarding packet from 192.168.200.0/24 to 192.168.200.0/24
i
thanks Shayan very much
so i have to delete my filter and write your rule ? or i have to keep me filter ?
if you don’t mind would you write ur rule , cause i am not very good in network
by the way my range is 192.168.88.0/24
Assume your hotspot gateway is 192.168.88.1
you should allow your clients to communicate with their gateway with this 2 rules :
add chain=forward dst-address=192.168.88.1 src-address=192.168.88.0/24
then drop every packets in same subnet(also your 192.168.88.1 would be matched with below rule but before this rule you accepted your gateway packets , so this rule will not be applied on 192.168.88.1)
add action=drop chain=forward dst-address=192.168.88.0/24 src-address=192.168.88.0/24
also disabling “Default forward” feature in your WLAN and set arp to reply only will also help you
This rule did not work on my infrastructure. I’m just looking for that.