I would like to set up multiple cAP ac's such that they are all on the same VLAN, but all clients are isolated. My main switch (a D-Link DGS-1012-24) has a traffic segmentation feature which blocks packet forwarding between ports (even via routes across different switches, as it filters based on the MAC addresses in the dynamic MAC table), which makes it possible to achieve client isolation (in combination with Wi-Fi client isolation on the APs); however, some switches in the network (Netgear GS308E) do not have a traffic segmentation feature. If I am understanding correctly, I would hence need to put each additional AP on these switches on a different VLAN, which, however, would be annoying to set up (as there are multiple SSIDs) and would presumably prevent fast roaming, as the clients' IP addresses would change when switching between VLANs.
My question is whether there is a way to enforce client isolation on the APs directly, perhaps via some filter rules, e.g. blocking all packets addressed to other IPs within the same subnet except the gateway's IP.
All clients on the same CAPAC can see each other but not other CAPACs' clients.
All clients on all CAPACs on the same VLAN can see each other but cannot see the wired clients that are on the same VLAN.
Or every single Wi-Fi client on all CAPACs on the same VLAN cannot see each other or wired clients on the same VLAN.
In “CAPsMAN forwarding” mode, client isolation works among clients of all physical cAPs (if activated, of course) because the virtual wireless interface runs at the CAPsMAN machine. In “local forwarding” mode, you would need bridge filter rules on each of the cAPs, allowing only frames to/from the MAC address of the gateway (and, in more complex cases, any other devices in the subnet that have to be accessible for all wireless clients) to be forwarded across the Ethernet interface, and the rest to be dropped. I can’t say which approach uses more CPU.
I wrote “in combination with Wi-Fi client isolation on the APs”, so the third option is the closest (though, there will be no wired clients in the same VLAN, only Wi-Fi hotspots).
The first option seems to bottleneck all traffic through one of the cAPs, right? That seems to strain one device quite a bit. I think, I will go with the bridge filter rules then. Thanks.
It depends on what you mean by bottleneck. The CAPsMAN need not run on one of the APs; it can as well run on a wireless-less router, and there must be some device in the whole network that acts as a router and firewall, unless each of the cAPs has its own internet connection and serves these roles, which would contradict what you wrote about all clients of the same SSID sharing the same VLAN. So if the packets from the wireless clients have to pass through a single device on their way to the internet, there’s little difference whether they get encapsulated into VLAN frames or into CAPsMAN frames. Both are done by the CPU in the case of wireless traffic; the “hardware acceleration” of L2 processing only works for ethernet-to-ethernet forwarding.
I have a pfSense router which I would like to keep. I also do not want to buy and install another device, hence I will use one of the cAPs for CAPsMAN and the configuration of all APs.
@sindy,
That is not true…
Client to client forwarding works between clients connected on the same interface. https://help.mikrotik.com/docs/display/ROS/CAPsMAN
In Manager Forwarding it is controlled by CAPsMAN; in Local Forwarding it is controlled by the CAPs…
If for example you create two Interfaces on a CapsMAN configuration, for example Test1 and Test2, then:
If Clients connect on same Interface e.g Test1 and Client-to-Client is enabled the result is Successful communication between each other
If Clients connect on same Interface e.g Test1 and Client-to-Client is disabled the result is unsuccessful communication between each other
If clients connect on different Interfaces, one on Test1 and the other on Test2 the communication is successful regardless if Client-to-Client is enabled or disabled…
Oops, sorry… I forgot the virtual interfaces created on the CAPsMAN are nevertheless individual ones. But they are still connected to a single bridge, so the horizon functionality may be used to isolate them.
I don’t know what is exactly possible in CAPsMAN, I am running a Unifi wireless network here (with MikroTik router).
In the Unifi APs there is a bridge filter that disallows broadcast and multicast traffic towards the wireless interface unless it is from some pre-registered MAC addresses (where you enter the router’s MAC).
That means that ARP requests from clients towards other clients are filtered even when it is across different APs, which makes client-to-client communication difficult (I would not say impossible).
Maybe something similar can be done here?
@sindy,
Even if it was two different CAPs, completely different devices, under CapsMAN, if one Client is connected to Test1 of CAP1 and the second client on Test1 of CAP2, they will successfully communicate even if client-to-client forwarding is set to no.
Client to Client forwarding will affect clients connected on the same Interface, either if it is a virtual one or an Interface of another CAP.
So yes, split horizon, I guess, is what should be used…
This is actually a very useful thread.
So I have finally discerned possibly a useful capsman functionality or two to be exact.
a. the ability to isolate clients on the same capac on the same vlan
b. the ability to isolate clients on different capacs but on the same vlan.
Questions
(1) Can I assume that capsman is actually required for a, and b, and this canNOT be done with a regular setup of a capsman (local).
(2) in b., are wifi clients also isolated from wired users on the same vlan
in b. are wired users isolated from wifi users on the capac
From my point of View, the most effective way to isolate Wireless Clients is:
CapsMan Forwarding:
Disable Client to Client forwarding to isolate clients on the Same Interface, whatever that is, virtual or CAP device
Set Bridge Horizon to same Value so that wireless clients from different wireless interfaces can not communicate to each other…
Enabling Bridge Horizon disables Hardware Offload, so it would not be a good choice to enable it on an ethernet port. So supposing that the ethernet ports are on another VLAN, communication with these ports will still be impossible with the correct VLAN implementation, of course.
But in case both wireless and ethernet devices are on the same VLAN, and we still want to isolate them, then I guess the Bridge Firewall is the only way (Hardware Offload must be manually disabled for the Bridge Firewall to work).
Local Forwarding:
-Use of the Bridge Firewall ( on the CAP device ) to allow communication only with the Router and not between other devices on the same Layer2 Network…
-Disable Client to Client forwarding to isolate clients on the Same Interface
Is there a way to configure this kind of bridge filter in an automated manner? I am already using CAPsMAN to setup the Wi-Fi networks across all APs, but I am stuck here as there does not seem to be a function to configure the bridge in CAPsMAN.
Correct, there is unfortunately none; CAPsMAN only takes care of the wireless interfaces. So you have to add the bridge filter rules device by device.
import paramiko
from getpass import getpass

# candidate cAP management addresses (hosts .1 to .99 in the CAPsMAN-assigned range)
ip_address = ["192.168.88.%i" % i for i in range(1, 100)]
user = input("Input username: ")
passw = getpass()

ssh = paramiko.SSHClient()
ssh.load_system_host_keys()
# AutoAddPolicy is trust-on-first-use; pin the cAPs' host keys instead where possible
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())

for ip in ip_address:
    ssh.connect(hostname=ip, username=user, password=passw, timeout=5)
    # rule order matters: the accept must be added before the catch-all drop
    stdin, stdout, stderr = ssh.exec_command("/interface bridge filter add action=accept chain=forward mac-protocol=ip dst-address=192.168.2.1 vlan-id=2")
    stdin, stdout, stderr = ssh.exec_command("/interface bridge filter add action=drop chain=forward vlan-id=2")
    print(stdout.read())
    ssh.close()
Question: Does that filter command make sense? It is supposed to block any packets on VLAN 2 except those targeted at the gateway. Maybe I should also block any layer 2 packets? It would be annoying to go by MAC addresses though.
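To check what a rule set like the one above actually lets through before pushing it to every cAP, here is an added example (written for this thread, not MikroTik's code and not the script author's): a small Python model of a RouterOS bridge filter forward chain, evaluated top-down with first match deciding and unmatched frames forwarded. It compares the IP-only pair from the script with the MAC-based variant suggested earlier in the thread (accept frames to/from the gateway MAC, drop the rest), extended with the ARP and DHCP exceptions a client needs before it can reach the gateway at all. The gateway MAC and IP, VLAN id, client MACs and all frames are constructed sample values; the matcher names mirror the RouterOS CLI, but the matching semantics are simplified.

```python
"""First-match model of a RouterOS bridge filter 'forward' chain.

Added example, not code from the thread or from MikroTik.  Rules are tried
top-down, the first match decides, and a frame matching nothing is forwarded.
All MAC/IP values are constructed samples.
"""
from dataclasses import dataclass, asdict
from typing import Dict, List, Optional

BROADCAST = "FF:FF:FF:FF:FF:FF"
GATEWAY_MAC = "AA:BB:CC:00:00:01"   # assumed pfSense MAC (hypothetical)
GATEWAY_IP = "192.168.2.1"
VLAN = 2


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    vlan: int
    mac_protocol: str                  # "ip" or "arp"
    dst_ip: Optional[str] = None       # IP header destination (mac_protocol == "ip")
    arp_dst_ip: Optional[str] = None   # ARP target IP (mac_protocol == "arp")
    ip_protocol: Optional[str] = None  # "udp", "tcp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                        # "accept" or "drop"
    vlan_id: Optional[int] = None
    mac_protocol: Optional[str] = None
    dst_address: Optional[str] = None
    dst_mac_address: Optional[str] = None
    src_mac_address: Optional[str] = None
    arp_dst_address: Optional[str] = None
    ip_protocol: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, f: Frame) -> bool:
        """Every matcher set on the rule must equal the frame's field."""
        checks = [(self.vlan_id, f.vlan), (self.mac_protocol, f.mac_protocol),
                  (self.dst_address, f.dst_ip), (self.dst_mac_address, f.dst_mac),
                  (self.src_mac_address, f.src_mac), (self.arp_dst_address, f.arp_dst_ip),
                  (self.ip_protocol, f.ip_protocol), (self.dst_port, f.dst_port)]
        return all(want is None or want == have for want, have in checks)

    def cli(self) -> str:
        """Render as a RouterOS command line (hyphenated matcher names)."""
        parts = ["/interface bridge filter add chain=forward"]
        for key, value in asdict(self).items():
            if key != "action" and value is not None:
                parts.append("%s=%s" % (key.replace("_", "-"), value))
        parts.append("action=%s" % self.action)
        return " ".join(parts)


def evaluate(rules: List[Rule], frame: Frame) -> str:
    for rule in rules:
        if rule.matches(frame):
            return rule.action
    return "accept"                    # no match: the bridge forwards the frame


# Rule set 1: the IP-only pair from the script above.
IP_ONLY_RULES = [
    Rule("accept", vlan_id=VLAN, mac_protocol="ip", dst_address=GATEWAY_IP),
    Rule("drop", vlan_id=VLAN),
]

# Rule set 2: MAC-based isolation plus ARP-for-gateway and DHCP exceptions.
MAC_RULES = [
    Rule("accept", vlan_id=VLAN, dst_mac_address=GATEWAY_MAC),
    Rule("accept", vlan_id=VLAN, src_mac_address=GATEWAY_MAC),
    Rule("accept", vlan_id=VLAN, mac_protocol="arp", arp_dst_address=GATEWAY_IP),
    Rule("accept", vlan_id=VLAN, mac_protocol="ip", ip_protocol="udp", dst_port=67),
    Rule("drop", vlan_id=VLAN),
]

# Constructed sample frames from wireless client A.
CLIENT_A, CLIENT_B = "02:00:00:00:00:0A", "02:00:00:00:00:0B"
SAMPLE_FRAMES: Dict[str, Frame] = {
    "arp_for_gateway": Frame(CLIENT_A, BROADCAST, VLAN, "arp", arp_dst_ip=GATEWAY_IP),
    "arp_for_client_b": Frame(CLIENT_A, BROADCAST, VLAN, "arp", arp_dst_ip="192.168.2.20"),
    "ip_to_gateway": Frame(CLIENT_A, GATEWAY_MAC, VLAN, "ip", dst_ip=GATEWAY_IP),
    "ip_to_client_b": Frame(CLIENT_A, CLIENT_B, VLAN, "ip", dst_ip="192.168.2.20"),
    "dhcp_discover": Frame(CLIENT_A, BROADCAST, VLAN, "ip", dst_ip="255.255.255.255",
                           ip_protocol="udp", dst_port=67),
    "other_vlan": Frame(CLIENT_A, CLIENT_B, 3, "ip", dst_ip="10.0.0.5"),
}


def verdicts(rules: List[Rule]) -> Dict[str, str]:
    """Verdict of the chain for each sample frame."""
    return {name: evaluate(rules, frame) for name, frame in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for rule in MAC_RULES:
        print(rule.cli())
    for label, rules in (("ip-only", IP_ONLY_RULES), ("mac-based", MAC_RULES)):
        print(label, verdicts(rules))
```

The IP-only pair drops the client's ARP request for the gateway and its DHCP DISCOVER (neither is an IP frame addressed to 192.168.2.1), so a client behind it never gets as far as sending the traffic the accept rule was written for. The MAC-based set lets those through while still dropping client-to-client unicast and ARP for other clients. Whatever set you choose, keep the accept rules ahead of the catch-all drop when adding them, since `add` appends in order.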
Notice though that with the Bridge Firewall you cannot drop communication between wireless clients connected on the same interface, because that most obviously is handled by the wireless driver.
So you should disable client-to-client forwarding to catch devices connected to the same interface and then use the Bridge Firewall to drop the rest of the communication between different interfaces, either wireless or not…
Yeah, I have already disabled client-to-client forwarding using CAPsMAN.
My new problem is: How can I gain access to a cAP ac in CAPs mode. The CAPsMAN device did assign it an IP (192.168.88.235). I tried to access it via SSH, Telnet and WebFig via Ethernet 1 to no avail.
CAPsMAN only provisions wireless interfaces. The rest you have to do yourself (or some autoconfiguration magic does it for you in some mysterious way). Your best chance is to use Winbox and, if it can discover the cAP ac, click on its MAC address. If it doesn’t work, connect your management PC to ether2 and retry.