CAPsMAN with local forwarding - customer separation

Hi, I have a CAPsMAN-based wireless network using local forwarding. The configuration is very similar to this one: https://wiki.mikrotik.com/wiki/Manual:CAPsMAN_with_VLANs

One of the networks is a guest network broadcast at 2.4 GHz and 5 GHz, and it is provided by one VLAN to the AP. In the configuration of these interfaces, the client-to-client-forwarding parameter is turned off, but if I understand correctly, communication between the 2.4 GHz and 5 GHz interfaces will still be possible. How can it be isolated?

Thanks in advance

You can use split horizon to isolate bridge ports. Be aware that this will disable hw acceleration on the bridge.
Why are you using local forwarding if you don’t want to have local traffic?

I can only use bridge horizon with CAPsMAN forwarding. With local forwarding, the only interface on the router is the VLAN for the guest network (common for the 2.4 GHz and 5 GHz interfaces). On the cAP, the interfaces are added to the bridge dynamically, so I can't use bridge horizon there either.

I use local forwarding because of better network performance.

How about a simple drop rule in the firewall with source and destination IP in the same subnet? Maybe exclude the WAN interface if it breaks the network; not sure, you can try.

First of all you can always change “create dynamic enabled” to “create enabled”.
And second, even with dynamic cAP interfaces you can specify bridge horizon in datapath.

This traffic does not reach the router (controller). Alternatively, what you say could be done on the cAP itself (using bridge filtering). However, that means manual configuration of each CAP and, in the event of reconfiguration, the need to make changes on many APs.

This parameter set on the controller has no effect on local forwarding. And the bridge horizon field on dynamic interfaces is not configurable.

Which one?

You set it in datapath tab of capsman config together with the bridge setting, not in bridge menu.

We are talking here about local forwarding, not capsman forwarding. There, I do not choose the bridge on the controller, I only give the vlan on which this traffic comes to the CAP.

cAP interfaces have to be bridged on one side: either on the cAPs or on CAPsMAN.
And if I recall correctly, both methods can be used for both local and capsman forwarding.
But I can be wrong.
Anyway, regardless of that, you can always use bridge horizon on the bridge, where they are actually added.
If in your case the bridge is on a cAP itself - configure bridge horizon there.

When configuring the datapath for local forwarding, the bridge on the cAP is in the game … although implicitly, and when it is not set I guess it takes the first bridge it finds.

For example, on capsman I have

/caps-man datapath
add client-to-client-forwarding=yes comment="local forwarding, VID=42 (LAN)" \
    local-forwarding=yes name=local-42 vlan-id=42 vlan-mode=use-tag

(note bridge= property is not set).


On caps device then I have

[u@AP] > /interface bridge port print
Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 
 #     INTERFACE     BRIDGE        HW  PVID PR  PATH-COST INTERNA...    HORIZON
 0   H ether1-lan    bridge        yes    1 0x         10         10       none
 1 I H ether2-rbDS   bridge        yes    1 0x         10         10       none
 2 I H ether3-pil... bridge        yes    1 0x         10         10       none
 3 I H ether4-pil... bridge        yes    1 0x         10         10       none
 4 I H ether5-DSL    bridge        yes    1 0x         10         10       none
 5  D  wlan1         bridge              42 0x         10         10       none

The CAPsMAN-controlled wifi interface is wlan1 (the one dynamically created).

So I guess if one would configure bridge-horizon property on capsman datapath, it would get actually set on caps bridge.

Thanks for all the answers.
I also got info from support: the only option to separate clients from different cAP interfaces is to introduce traffic filtering rules on the bridge.
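Below is an added example of the bridge filtering that the thread ends on (the "do it on the cAP itself with bridge filtering" suggestion and the answer from support). It is not configuration from the original posts or from MikroTik documentation; it is my own illustration of the approach. It assumes the cAP's bridge is named "bridge" and that the two guest radios on this cAP are the physical interfaces wlan1 (2.4 GHz) and wlan2 (5 GHz); confirm the real names with /interface bridge port print before applying, since the output earlier in the thread shows only one dynamic wlan port.

```routeros
# Added example (not from the original thread or MikroTik docs):
# block layer-2 forwarding between the two guest radios on a cAP
# when the CAPsMAN datapath uses local-forwarding=yes.
#
# Assumptions (not stated in the thread):
#   - the bridge on the cAP is called "bridge"
#   - wlan1 = 2.4 GHz guest radio, wlan2 = 5 GHz guest radio
#   - both are added to "bridge" dynamically by CAPsMAN, as wlan1 is
#     in the "/interface bridge port print" output above
#
# client-to-client-forwarding=no only stops clients on the SAME radio from
# talking to each other. A frame from wlan1 to a client on wlan2 is switched
# by the bridge, so it has to be dropped in the bridge "forward" chain.

/interface bridge filter
add chain=forward in-interface=wlan1 out-interface=wlan2 action=drop \
    comment="guest: no 2.4GHz -> 5GHz"
add chain=forward in-interface=wlan2 out-interface=wlan1 action=drop \
    comment="guest: no 5GHz -> 2.4GHz"

# Check: from a client on wlan1, ping a client on wlan2. The ping must fail
# and the counters of the two rules must increase. Traffic from either
# radio to the uplink (ether1-lan in the thread) is untouched, because the
# rules only match the wlan1 <-> wlan2 direction pair.
/interface bridge filter print stats
```

Two caveats a practitioner should keep in mind. First, these rules live on each cAP, which is exactly the management downside mentioned in the thread; if the radio names differ between cAP models, the rules must be adjusted per device. Second, this only isolates the two radios of one cAP. Under local forwarding, a guest on cAP A and a guest on cAP B still reach each other through the guest VLAN on the switch without ever passing the router's IP firewall, so inter-AP isolation has to be enforced on the switch or router (for example with a private VLAN or an equivalent bridge filter on the device that joins the APs), not on the cAPs.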