does disabling Forward but brdging isolate users?

rodolfo · December 4, 2011, 8:39am

Hi all.
In one access point rb433ah, I have two wlans.
In each wlan I have Forward=off then users are isolated at L2 one each other.
If I bridge the two wlans, is also true that users of wlan1 are isolated at L2 by users at wlan2 ?

thanks

ojsa · December 4, 2011, 9:27am

No, if you bridge those to interfaces the user would be connected on L2

sup5 · December 4, 2011, 9:44am

if you put ether1, wlan1, and wlan2 in a bridge, there will be no isolation.

but if you specify horizon=1 on each wlan bridge-port, then the wlan interfaces will be isolated from each other.

rodolfo · December 4, 2011, 7:15pm

thanks!

but if I have a bridge with wlan1, wlan2 and an eoip tunnel, and I want L2 connecctivity from wlan1 and eoip and wlan2 and eoip, but not from wlan1 and wla2: is it possible?

ojsa · December 4, 2011, 7:58pm

Yes, set horizon to ex. 1 on the the port against wlan1 and wlan2, that would prevent traffic between those two and leave traffic flow between wlan and eoip as you want.

rodolfo · December 5, 2011, 5:25pm

Thanks!

do you mean: two or more ports of the same bridge, having the same horizon number, are L2 isolated?

ojsa · December 5, 2011, 7:54pm

Yes, ports with the same horizon will prevent traffic in between.

I usually use this function in a mpls/vpls where every vpls participant are directly connected and the bridge only should forward data out to external interfaces.

rodolfo · December 6, 2011, 9:15am

karmic!

rodolfo · December 10, 2011, 6:59am

and wath about wds interfaces dinamically created and bridged: it is not possible to automatically set an horizon to them?

ojsa · December 10, 2011, 9:26am

Mmm.. I haven’t tested that.

But according to http://mum.mikrotik.com/presentations/US11/workshop-wireless-2011-US.pdf is seems possible, but since your interfaces is added dynamically you could try to press the “copy” button on one of the dynamic WDS interfaces under bridge port and set the horizon value. This creates a static entry and replaces the dynamic one. Useful when you wan’t special settings for one or several dynamic assigns f.ex interfaces.

rodolfo · December 10, 2011, 3:46pm

It doesnt work

There is no method to assign an horizon to a dinami WDS interface.

Now I tried to use bridge filter to isolate users between them.
I have a bridge with eoip1, wlan1 and wlan2 (the eoip concentrate pppoe connections)
Then I write three bridge filters:

in-interface=eoip1 → allow
out-interface=eoip1 → allow
drop everithing else

I am shure these rules works from users in wlan1 against users in wlan2.

My question is: these rules works between users of the same wlan also if defautl-forward=yes
Or I need to set defautl-forward=no in the wlan interface ?

thanks

Rodolfo Rughi