Greetings,
There was a breach a long time ago because I’m still learning MikroTik and managing hundreds of clients in multiple sites.
I want to check my sanity level on the firewall. My raw firewall is 150 lines because I’m a little anxious.
At the moment, I’m isolating clients just like in the attachment.
Is there any efficient way to isolate clients or IP addresses?
What are you trying to accomplish with all that?
Can you supply a network drawing and your configuration? Otherwise, we’re just guessing.
To export and paste your configuration (and I’m assuming you are using WebFig or Winbox), open a terminal window,
and type (without the quotes) “/export hide-sensitive file=any-filename-you-wish”. Then open the files section
and right click on the filename you created and select download in order to download the file to your computer.
It will be a text file with whatever name you saved to with an extension of .rsc. Open that file in your favorite
text editor and redact any sensitive information if desired / needed. Then in your message here, click the code
display icon in the toolbar above the text entry (the code display icon is the 7th one from the left and looks
like a square with a blob in the middle). Then paste the text from the file in between the two code words in brackets.
Insanity is handling many clients with inadequate knowledge of MT.
The easiest way to block clients from each other is to use VLANs and a block all rule at the end of the forward chain.
Done…
Simplify as much as possible.
Enough complexity without all the extra security crapola.
As suggested, break up users into VLANs. By that fact alone they are separated at layer 2.
Not sure what your clients are based on…
Age?
Floor they live on?
etc…
How do users access your network, WiFi or wired?
What is WireGuard used for? (Is the router the server for the initial handshake, or the client?)
In terms of security, a good basic firewall ruleset is the place to start.
If you want to address bogons, then blackhole the ones you think are problems.
If you are afraid of people connecting to bad sites, on purpose or by accident, then your best bet is
a service provided here, for pennies… https://itexpertoncall.com/promotional/moab.html
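The VLAN-per-group layout with a single "block all" rule at the end of the forward chain, as recommended in the two replies above, written out as an added RouterOS configuration example. This is not configuration from the thread or from MikroTik; the interface names (ether1 as WAN, ether2/ether3 wired, wlan1 wireless), the VLAN IDs and the 192.168.x.0/24 subnets are assumptions chosen to match the office / store / rooms split the original poster describes.

```routeros
# Added example, not from the thread. One bridge with VLAN filtering, one VLAN
# per user group, and a final drop rule so that only explicitly accepted
# forwarding (here: any VLAN to the internet) is allowed.
# Interface names, VLAN IDs and subnets below are assumptions.

/interface bridge
add name=bridge1 vlan-filtering=no comment="turn vlan-filtering on only after the VLAN table is complete"

# Each access port gets a PVID so untagged client traffic lands in its own VLAN.
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 comment="office (wired)"
add bridge=bridge1 interface=ether3 pvid=20 comment="store (wired)"
add bridge=bridge1 interface=wlan1 pvid=30 comment="rooms (wireless)"

# The bridge itself is tagged on every VLAN so the router can route for it.
/interface bridge vlan
add bridge=bridge1 tagged=bridge1 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1 untagged=ether3 vlan-ids=20
add bridge=bridge1 tagged=bridge1 untagged=wlan1 vlan-ids=30

/interface vlan
add name=vlan10-office interface=bridge1 vlan-id=10
add name=vlan20-store interface=bridge1 vlan-id=20
add name=vlan30-rooms interface=bridge1 vlan-id=30

/ip address
add address=192.168.10.1/24 interface=vlan10-office
add address=192.168.20.1/24 interface=vlan20-store
add address=192.168.30.1/24 interface=vlan30-rooms

# Interface lists keep the firewall short: rules match the list, not each VLAN.
/interface list
add name=LAN
add name=WAN
/interface list member
add list=LAN interface=vlan10-office
add list=LAN interface=vlan20-store
add list=LAN interface=vlan30-rooms
add list=WAN interface=ether1

/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="any VLAN may reach the internet"
add chain=forward action=drop comment="block all: nothing else, including VLAN-to-VLAN, is forwarded"

# Last step, so a typo in the VLAN table cannot lock you out part-way through.
/interface bridge set bridge1 vlan-filtering=yes
```

With this layout the groups are separated at layer 2 by the bridge VLAN table, and the final drop means any traffic between VLANs has to be accepted by a rule placed above it; adding a client later is a matter of putting its port in the right PVID and list, not of adding per-IP rules. NAT for the WAN side and the input chain (router management, DHCP, DNS) are handled separately and are not shown here.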
Thank you for your suggestion. I will consider learning VLANs.
I live between an office, a store, a rented room, and home, and want to separate those users.
The office and store are wired.
The others are wireless.
I have multiple sites with no public IP (double NATed) and 1 public IP as a relay with CHR on AWS.
I was using IPsec IKEv2 and OpenVPN but now WireGuard to make it simple.
I love the UDP hole punching on ZeroTier, but most of my devices are MMIPS.