Drop forward rules NOT worked between devices connected via Wi-Fi

Example. My Mikrotik-router Model 951Ui-2HnD
RouterOS v6.43.8 (stable) (192.168.1.1)
with Firewall rules (IP > Firewall > Filter Rules):

/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11
Interface settings.
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
   use-ip-firewall-for-vlan=yes

/interface wireless
set [ find default-name=wlan1 ] mode=ap-bridge

First (expected) situation:
Notebook (192.168.1.11) connected to Mikrotik via Ethernet.
Tablet (192.168.1.12) connected to Mikrotik via Wi-Fi.
If we send ping packages from Notebook to Tablet they are drops, as should be according Firewall rules.

Second (not expected) situation:
Notebook (192.168.1.11) connected to Mikrotik via Wi-Fi.
Tablet (192.168.1.12) connected to Mikrotik via Wi-Fi.
In this case, if we send ping packages from Notebook to Tablet we got it back. Firewall rules not applied.

No traffic if you watch traffic through: Tools - > Torch.
No icmp packets between Tablet and Notebook if use Second situation.

What’s wrong and what to do to fix it for work rules Firewall and was in sight packages in Tools - > Torch?

+Attached picture below.

Would have to see complete config to assess properly.
/export hide=sensitive file=yourlatestconfig

In general, if items are in the same LAN or VLAN, there is no way to block traffic between them because they are connected at layer 2, whilst firewall rules are applied at the router, layer 3.
Thus the trick is to put one LAN on a bridge, and the other not on a bridge, or both on separate bridges, or both off bridges and on separate LANs.

This may be a case for VLANs for example where you have ethernet and wifi for home users and then you provide separate WIFI for guest users.
In this case on your bridge you create a VLAN and then use one chain on the AP for the guest user or a virtual WLAN for the guest user.

It appears your unit is an AP and not a router??? However, perhaps via RouterOS, it has some use as a router.
Looks like a 2.4Ghz two chain unit??

There are also two specific functions in Mikrotik APs for client isolation. Not sure since its been awhile since I looked at that but one is easy to find and the other not so easy.
At least one of them is for Client to Client ISOLATION. In this case you want to block two users on the same WLAN from seeing each other. It is probably based on mac address.
It should work for you but the VLAN method and use of the router firewall is better security.

All settings default. These are Wi-fi settings that you asked:

/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    arp=reply-only arp-timeout=23h band=2ghz-g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" \
    channel-width=20/40mhz-Ce comment="my Wi-Fi" \
    default-authentication=no default-forwarding=no disabled=no distance=\
    indoors frequency=2437 hw-protection-mode=rts-cts mode=ap-bridge \
    rate-set=configured security-profile=Wi-Fi-Profile ssid=AnastasiaWiFi \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11

Hmm I thought version 6.43.8 got rid of slave and master interface configurations??
In any case please post entire config…
/export hide=sensitive file=yourlatestconfig

(shows up in files, download to PC, open in notepad++ cut and paste here and apply code parenthesis from above text modification line)

It did. But if some device started life pre-6.40 and received upgrades, then upgrade script didn’t change names of interfaces. Only setting master-port=ether2-master on all slave ports was removed …


@Anastasia: are you completely sure that laptop indeed uses address 192.168.1.11 in both wired and wireless case?

the address is definitely the same. I installed and checked it with my hands.

the code below…
Where can I see more possible settings for how firewall rules work?

# jan/22/2019 23:53:56 by RouterOS 6.43.8
# software id = 1111-2222
#
# model = 951Ui-2HnD
# serial number = 111111111
/interface bridge
add admin-mac=AA:AA:AA:AA:AA:01 arp=reply-only auto-mac=no fast-forward=no \
    name=bridge-local
/interface ovpn-server
add disabled=yes name=ovpn-MiniLocalca user=""
/interface ethernet
set [ find default-name=ether1 ] advertise=100M-full,1000M-full comment=\
    "internet" name=ether1-gateway
set [ find default-name=ether2 ] advertise=100M-full,1000M-full arp=\
    reply-only comment=Computer name=ether2-master-local
set [ find default-name=ether3 ] advertise=100M-full,1000M-full arp=\
    reply-only comment=Notebook name=ether3-slave-local
set [ find default-name=ether4 ] advertise=100M-full,1000M-full arp=\
    reply-only name=ether4-slave-local
set [ find default-name=ether5 ] advertise=100M-full,1000M-full arp=\
    reply-only name=ether5-slave-local
/interface list
add exclude=dynamic name=discover
add name=mactel
add name=mac-winbox
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk management-protection=allowed mode=\
    dynamic-keys name=Wi-Fi-Profile supplicant-identity=MikroTik
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    arp=reply-only arp-timeout=23h band=2ghz-g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" \
    channel-width=20/40mhz-Ce comment="my Wi-Fi"  \
    default-authentication=no default-forwarding=no distance=indoors \
    frequency=2437 hw-protection-mode=rts-cts mode=ap-bridge rate-set=\
    configured security-profile=Wi-Fi-Profile ssid=AnastasiaWiFi  \
    supported-rates-b=11Mbps wireless-protocol=802.11 wmm-support=enabled \
    wps-mode=disabled
/interface wireless manual-tx-power-table
set wlan1 comment="my Wi-Fi"
/interface wireless nstreme
set wlan1 comment="my Wi-Fi" enable-polling=no
/ip ipsec peer profile
set [ find default=yes ] dh-group=modp2048 enc-algorithm=blowfish \
    hash-algorithm=md5
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=null enc-algorithms=blowfish \
    pfs-group=modp2048
/ip pool
add name=dhcp-Lan-Pool ranges=192.168.1.230-192.168.1.250
/ip dhcp-server
add add-arp=yes address-pool=dhcp-Lan-Pool authoritative=after-2sec-delay \
    disabled=no interface=bridge-local lease-time=23h name="DHCP serv Lan"

/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/user group

/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=ether3-slave-local
add bridge=bridge-local interface=ether4-slave-local
add bridge=bridge-local interface=ether5-slave-local
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes use-ip-firewall-for-pppoe=yes \
    use-ip-firewall-for-vlan=yes
/ip neighbor discovery-settings
set discover-interface-list=none
/ip settings
set allow-fast-path=no route-cache=no
/interface l2tp-server server
set authentication=mschap2
/interface list member
add list=discover
add interface=ether2-master-local list=mactel
add interface=ether3-slave-local list=mactel
add interface=ether2-master-local list=mac-winbox
add interface=ether4-slave-local list=mactel
add interface=ether3-slave-local list=mac-winbox
add interface=ether5-slave-local list=mactel
add interface=ether4-slave-local list=mac-winbox
add interface=bridge-local list=mactel
add interface=ether5-slave-local list=mac-winbox
add interface=bridge-local list=mac-winbox
/interface ovpn-server server
set auth=sha1 cipher=aes256
/interface sstp-server server
set authentication=mschap2 force-aes=yes pfs=yes tls-version=only-1.2 \
    verify-client-certificate=yes
/interface wireless access-list
add comment="Tablet" interface=wlan1 mac-address=AA:AA:AA:AA:AA:12 \
    vlan-mode=no-tag
add comment=Notebook interface=wlan1 mac-address=AA:AA:AA:AA:AA:11 vlan-mode=\
    no-tag

/interface wireless connect-list
add comment="Tablet" interface=wlan1 mac-address=AA:AA:AA:AA:AA:12 \
    security-profile=Wi-Fi-Profile
/ip address
add address=192.168.1.1/24 comment="default configuration" interface=\
    bridge-local network=192.168.1.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment="default configuration" default-route-distance=2 dhcp-options=\
    hostname,clientid disabled=no interface=ether1-gateway use-peer-dns=no \
    use-peer-ntp=no

/ip dhcp-server lease
add address=192.168.1.11 always-broadcast=yes comment="My Notebook LAN" \
    mac-address=AA:AA:AA:AA:AA:11 server="DHCP serv Lan"

add address=192.168.121.185 client-id=1:AA:AA:AA:AA:AA:12 comment="Phone W" \
    mac-address=AA:AA:AA:AA:AA:12 server="DHCP serv Lan"
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" gateway=\
    192.168.1.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1d servers=\
    1.1.1.1,1.0.0.1

/ip firewall address-list

/ip firewall filter
add action=drop chain=forward dst-address=192.168.1.11 src-address=192.168.1.12
add action=drop chain=forward dst-address=192.168.1.12 src-address=192.168.1.11

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway

/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
/ip proxy

/ip proxy access
add dst-port=80
/ip route

/ip service
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip smb
set allow-guests=no interfaces=bridge-local
/ip smb shares
set [ find default=yes ] disabled=yes
/ip socks

/ip socks access

/system identity
set name=MikroTik
/system leds
set 5 interface=wlan1

/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no

Your config is wrong.

Your second “unexpected” condition is correct and is totally expected for me.
The traffic doesn’t even enter the bridge - it remains in the wireless interface, the two devices use your wlan interface as a wireless switch.
Mitigation would be disabling default-forward on the AP - this will isolate clients connected to the same wireless interface.

-Chris

OP set default-forwarding=no on wireless interface already. However, manual says that

This is the value of forwarding for clients that do not match any entry in the access-list

. OP has access-list constructed and there’s again “forwarding=” with default value of “yes”.

The problem might be then the following: does bridge send packets back to the ingress port? If forwarding was set to no, then all packets from wireless client 1 would be sent to bridge. Even if bridge rules would allow those packets to be delivered to wireless client 2, do those packets get sent back to wifi “port”?

Sorry, didn’t notice the default-fwd=no in the config.
As OP also set default-authentication=no and created an access list with default-forward=yes per client, this setting overrides the setting in the interface setting.
So we’re still talking about a default-forward issue on the w/l interface.
-Chris

I found a possible problem. in settings Wireless → Access_List are the leaf access. Where indicated in the hand value of the Forwarding = Yes. if you remove the check mark (Forwarding = No), then everything is fine, the data exchange stops. Seems the problem solved.