Dedicated subnet per client with no routing between subnets

I run a small WISP and would like to place a MikroTik at each of 3 tower sites. I’d like to subnet and route each site to my backhaul for optimal performance. My topology at a tower site is as follows:

CPE —[wireless]—> AP (bridge) —[hardwired]—> BACKHAUL

I’m thinking of setting it up like this:

CPE —[wireless]—> AP (bridge) —[hardwired]—> MikroTik Router —[hardwired out gateway]—> BACKHAUL

I’d like to configure each CPE with a /30 to keep broadcast traffic isolated and minimize contact between devices. I tested this scenario with 2 devices in an unmanaged switch, then plugged into port 5 of a MikroTik router. I configured MikroTik port 5 with the following:

IP: 192.168.105.37/30
IP: 192.168.105.41/30

I also configured the corresponding DHCP networks and pools and configured next pool for when the single IP was used up. All of this works great. My question is this. When configured like this, both subnets seem to have some broadcasts (only certain protocols) being sent to the other network (for example, NBNS, SSDP). I’d like to prevent all broadcasts between networks but I suspect this is occurring because both devices are plugged into the same port. For what it’s worth, I configured port 4 of the MikroTik with another /30 and tested this way and no broadcasts spilled between the 2 subnets when watching on Wireshark. All of my CPEs are going to be coming in on the same interface as simulated here as the AP is in bridge mode. Is there a simple way for me to prevent the broadcasts from going between subnets?

You don’t need to do that. Use a single subnet for the entire AP, and set default-forward=no on the wlan interface of the AP.

If you have multiple APs and want to use the same subnet for all APs and block client-to-client across APs as well, configure a bridge between them and set all AP ports to the same horizon. (horizon=1, for example).

Unfortunately my APs are not MikroTiks (inherited the WISP from someone else) but they are Ubiquitis. Otherwise I’d make things simple and do just as you said :)

Ubiquiti can do the same thing. Ubiquiti calls this feature “client isolation”

Ok that would work great. So I could still have a single subnet at each tower site with a MikroTik gateway to the backhaul?

Yes. And to complete the isolation, block port to port communication on the MikroTik that the client-facing APs are connected to. (If using CPU bridge, just set all ports with AP connected as horizon=1.) If using hardware switch, then I’m sure that can be configured to drop broadcasts and forwards between the APs as well…
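The setup the two replies above describe (one subnet per tower, client isolation on the APs, and the AP-facing router ports placed in the same bridge horizon so they cannot forward to each other) as a RouterOS config, written here as an added example and not taken from the thread. It assumes a tower router where ether1 is the backhaul uplink, ether2 to ether4 each go to one Ubiquiti AP, and the tower uses 192.168.105.0/24; the interface names, subnet, pool range and DNS server are assumptions. The horizon setting is a CPU-bridge feature, as the reply notes, so this example builds the bridge in software rather than relying on the switch chip.

```routeros
# Tower-site router: one subnet, AP ports isolated from each other.
# Assumed layout: ether1 = backhaul uplink (routed, not bridged),
#                 ether2..ether4 = one Ubiquiti AP each (client isolation on).

# CPU bridge for the client side. STP is not needed for leaf AP ports.
/interface bridge
add name=bridge-clients protocol-mode=none comment="tower1 client side"

# Every AP-facing port gets the same horizon value. A bridge never forwards a
# frame between two ports that share a horizon, so broadcasts (NBNS, SSDP, ARP)
# and unicast from AP2 cannot reach AP3 and vice versa. Frames still pass
# between any AP port and the bridge itself, which is where the gateway lives.
/interface bridge port
add bridge=bridge-clients interface=ether2 horizon=1 comment="AP sector 1"
add bridge=bridge-clients interface=ether3 horizon=1 comment="AP sector 2"
add bridge=bridge-clients interface=ether4 horizon=1 comment="AP sector 3"

# Single gateway address for the whole tower, on the bridge rather than on
# individual ports, so one DHCP server serves every sector.
/ip address
add address=192.168.105.1/24 interface=bridge-clients comment="tower1 gateway"

# DHCP for all CPEs at this tower (pool range is an assumption).
/ip pool
add name=tower1-pool ranges=192.168.105.10-192.168.105.250
/ip dhcp-server
add name=tower1-dhcp interface=bridge-clients address-pool=tower1-pool disabled=no
/ip dhcp-server network
add address=192.168.105.0/24 gateway=192.168.105.1 dns-server=192.168.105.1

# Only if an AP is itself a MikroTik wireless interface: the per-AP equivalent
# of Ubiquiti "client isolation" is default-forwarding=no on the wlan, so two
# CPEs on the same sector cannot reach each other through the AP.
# /interface wireless set wlan1 default-forwarding=no
```

To confirm the isolation, connect a CPE behind two different AP ports and watch the bridge with `/tool sniffer quick interface=bridge-clients` (or a Wireshark capture on a CPE, as in the original test): broadcast from one sector should appear on the bridge and at the gateway but never on the other sector's port. Note that horizon only stops port-to-port forwarding on this router; clients on the same AP still rely on the AP's own client isolation, which is why the reply suggests both.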

Ok sounds great. Thanks for your help!