Disable wifi isolation on AP with VLANned SSIDs

Hi!

I have problems with Wifi Isolation between 2 devices (a cell phone and a Google Chromecast dongle).

I have one cAP AC with several Virtual Wifi interfaces creating different SSIDs.

The SSIDs are grouped in groups of 2 SSIDs (one for 2.4GHz and another for 5GHz) and each group uses one VLAN. I do the grouping with “Interface lists”.

/interface list member
add interface=wlan_one_2G list=group_one
add interface=wlan_one_5G list=group_one

The master Wireless interface of each virtual wifi interface has the Default-forward check enabled.

The virtual wifi interface has the VLAN Mode as no tag with the VLAN ID 11

I have Access Lists on the wireless using the interface lists. This one has forwarding to yes.

/interface wireless access-list
add interface=group_one signal-range=-89..120 vlan-id=11 vlan-mode=use-tag

The VLANs are also on the bridge with all the interfaces (one bridge with all the interfaces on ports)

/interface bridge port
add bridge=bridge interface=ether1
add bridge=bridge interface=ether2
...
add bridge=bridge interface=wlan_one_2G
add bridge=bridge interface=wlan_one_5G

/interface bridge vlan
add bridge=bridge tagged=ether1,ether2,wlan_one_2G,wlan_one_5G vlan-ids=11

I tag the interfaces because the DHCP comes from a router, not from capAC. And I want to separate the traffic for each group.

The cell phone has internet and it’s placed correctly on the VLAN 11 and gets IP from the DHCP of the router for VLAN 11.

I tried tagging on the Virtual Interface (changing no tag to tag). Nothing.
I tried changing the PVID on the bridge port, changing PVID:1 to PVID:11. Nothing.

Any clue about what I need to do to allow the cell phone to see the Google Chromecast dongle?

Thanks for reading.

In your case, this changes nothing, because the /interface wireless access-list row overrides the interface settings for matching clients. It just seems overly complex to use the wireless access list if you use just a single VLAN ID on just a single wireless interface - tagging the virtual interface directly as you did would make the use of the wireless access list useless.


Forwarding between clients registered to the same wireless interface is a property of the logical layer of the interface, not of the physical one. So it is not enough to have default-forwarding set to yes on the master (physical) interface, it must be set on any interface (physical or virtual) where you actually need it, or forwarding must be set to yes in the /interface wireless access-list row(s).


You haven’t disclosed to which wireless interface the chromecast dongle is registered: to the same one as the phone or to another one? If to a different one, client-to-client forwarding is not relevant and you need to enable routing between the two IP subnets corresponding to the interfaces/VLANs, but even that may not be enough - I don’t know how exactly the phone detects the chromecast, maybe it requires L2 transparency between them.

Thanks for the answer. First paragraph copied, thanks.

Physical one has the default-forwarding disabled, virtual one has it enabled, and on the access-list it’s enabled. Tomorrow I will test it enabling it on the master wireless interface. Thanks for the tip.

Both devices are on the same virtual wireless interface. I checked it on the Registration tab several times.
The phone should use some kind of broadcast to all the network for sure. When the process of search of the Chromecast device fails one error message says AP Isolation should be disabled, that’s why I went with the Default forwarding option. Minutes ago I read something about IGMP Snooping should be off, I will check that too.

Since multicast plays a role, http://forum.mikrotik.com/t/multicast-mdns-wifi-to-wifi/139237/1 is relevant too.

multicast-helper = full on the virtual wireless interface solved the problem.
A thousand thanks, sindy.
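
An added example, not part of the thread: a Python script that reads a RouterOS export and reports, for each wireless interface, the three settings this discussion turned on (the interface's own default-forwarding, the forwarding value of every access-list row that targets it directly or through an interface list, and multicast-helper). The export text is constructed, `wlan_2G` and `wlan_two_2G` are hypothetical names, and treating omitted values as `yes` / `default` is an assumption about RouterOS defaults.

```python
import shlex

# Constructed sample in RouterOS export style. wlan_one_2G and group_one come
# from the thread; wlan_2G and wlan_two_2G are hypothetical names.
SAMPLE = """\
/interface wireless
set [ find default-name=wlan1 ] name=wlan_2G default-forwarding=no
add master-interface=wlan_2G name=wlan_one_2G default-forwarding=yes \\
    multicast-helper=full
add master-interface=wlan_2G name=wlan_two_2G default-forwarding=no
/interface list member
add interface=wlan_one_2G list=group_one
/interface wireless access-list
add interface=group_one signal-range=-89..120 vlan-id=11 vlan-mode=use-tag
"""

def parse(export):
    """Group the key=value pairs of each row under its '/section' header."""
    section, rows = None, {}
    for line in export.replace("\\\n", "").splitlines():  # join wrapped lines
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line and not line.startswith("#"):
            pairs = dict(t.split("=", 1) for t in shlex.split(line) if "=" in t)
            rows.setdefault(section, []).append(pairs)
    return rows

def audit_wireless(export):
    """Per interface: own forwarding, access-list overrides, multicast-helper."""
    rows = parse(export)
    lists = {}
    for m in rows.get("/interface list member", []):
        lists.setdefault(m["list"], set()).add(m["interface"])
    report = {}
    for w in rows.get("/interface wireless", []):
        name = w.get("name", w.get("default-name"))
        # Omitted values are taken as the RouterOS defaults (assumption).
        report[name] = {
            "default_forwarding": w.get("default-forwarding", "yes") == "yes",
            "acl_forwarding": [],
            "multicast_helper": w.get("multicast-helper", "default"),
        }
    # An access-list row overrides the interface setting for clients it matches.
    for acl in rows.get("/interface wireless access-list", []):
        target = acl.get("interface", "any")
        for name, entry in report.items():
            if target in ("any", "all", name) or name in lists.get(target, ()):
                entry["acl_forwarding"].append(acl.get("forwarding", "yes") == "yes")
    return report
```

An interface whose `acl_forwarding` list is empty and whose `default_forwarding` is false isolates its clients from each other; a row in `acl_forwarding` applies only to clients that also match that row's other conditions, such as `signal-range`.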