Default Forwarding Issues

Hi Guys.
We have several Mikrotik systems running on RB532s. Well anyway, they are linked together by Bridging . Also, on each RB, we set a 2.4Ghz to AP Bridge, no IP, PPPoE which authenticates by Radius. Default Forwarding is Disabled on the AP interfaces on all RBs. However, we have a common gateway for all the RBs - a Linux Box.
All clients have firewalls.
All Client Radios are set in the access list with disabled forwarding.

Questions:
If I ping any client on the same tower, it is a success. Cannot run Port scan to identify other ports because of Client Firewall Port Scan Protection.
So, does “Disable Default Forwarding” still allow some ports?
Does PPPoE overide Interface Settings?
Or am I being able to ping via a route through the Linux Box?

If the latter is true, then are ports available between the clients based on the firewall settings of the gateway? Rem: Clients running on PPPoE to RBs and my questions target clients on the same AP Interfaces, not different interfaces or towers because I know that clients can communicate between different towers or interfaces even if default forwarding is disabled on the APs.

Thx in Advance

No one to help?

Not a whole lot to go by here, but…

The wireless forwarding setting (default, or individual) only blocks L2 traffic between clients on the same interface.

Since you are using PPPoE, the packets will be routed at the concentrator, so blocking L2 forwarding will not stop L3 packets from getting across.

When wireless forwarding is disabled, everything from one client to another (at L2) is blocked.

PPPoE does not override interface settings, but it does provide a path around the L2 wireless forwarding block.

If the Linux box is your concentrator, then yes, you are able to ping through a route there. If the RBs are doing the PPPoE concentration, then they are providing the path.

If you want to prevent your customers from talking to each other, it will need to be done with an IP filter at the concentrator.

–Eric