Hello,
I manage a public wifi network in a hotel.
I configured everything with CAPsMan.
In the datapath I configured client to client forward disabled.
Everything is fine and clients can’t communicate with each other.
But if I try an ipscan (fing or other tools) I can see all clients connected.
Is there a way to prevent this issue?
Hi,
Drop your config here so we can take a look to see what’s going on.
It might be that on that specific AP clients can’t see each other, but it’s able to see other clients on the same L2 segment (clients on other APs) if bridge horizon or another form of isolation is not employed.
This can happen if you allow local forwarding on the datapath.
That should be on bridge1, as ether2 is a bridge port.
Try using bridge split horizon instead of bridge firewall to isolate ports.
Any bridge port with a split horizon can only communicate with other bridge ports with a different split horizon value, or the bridge (the router) itself.
Add the same split horizon value to any other bridge ports you do not wish them to communicate with, i.e. all other bridge ports if you only want them to access the internet.
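
The split horizon advice above as a RouterOS configuration, added here as an example and not taken from any poster's router. Only bridge1 and ether2 appear in the thread; ether3, datapath1 and the horizon value 1 are assumptions.

```routeros
# Added example. Assumed layout (not from the thread):
#   ether2, ether3 = bridge1 ports toward the two PoE switches
#   datapath1      = CAPsMAN datapath used by the guest SSID
#   the internet uplink is routed, not a port of bridge1

# Before: client-facing ports have no horizon set, so bridge1 forwards
# ARP and other L2 frames between them and a scanner on one AP can list
# clients attached to another.
/interface bridge port print detail where bridge=bridge1

# After: give every client-facing port the same horizon value. A frame
# received on a horizon=1 port is never sent out another horizon=1 port;
# it can still reach the bridge itself (the router) and from there the
# internet.
/interface bridge port
set [find bridge=bridge1 interface=ether2] horizon=1
set [find bridge=bridge1 interface=ether3] horizon=1

# CAP interfaces that CAPsMAN adds to bridge1 dynamically take their
# horizon from the datapath. local-forwarding=no is an assumption here:
# it makes client traffic arrive on the manager, where bridge1 can
# apply the horizon.
/caps-man datapath
set [find name=datapath1] bridge=bridge1 bridge-horizon=1 \
    client-to-client-forwarding=no local-forwarding=no

# Verify that each client-facing port now shows horizon=1
/interface bridge port print detail where bridge=bridge1
```

A horizon value is only enforced by the bridge it is configured on, so frames that a switch between the APs and the router forwards on its own never pass through this check.
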
Thank you.
Please let me understand.
My CapsMan router is connected to 2 MikroTik PoE switches (RouterOS level 5) where the access points are physically connected.
Where do I have to put the bridge-horizon to prevent fing or ipscan from listing other connected devices?