Filtering traffic between wireless clients

skynets · November 18, 2013, 7:41am

Hello.
Sorry for my pure English.
I have 1 AP RB912. Eth1 and wlan1 add to bridge. How filter icmp traffic between wireless clients?

add action=drop chain=forward mac-protocol=ip ip-protocol=icmp src-address=10.30.0.0/26 – does not work

/interface bridge
add l2mtu=1600 name=br1
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode \
    band=2ghz-b/g basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b="" \
    bridge-mode=disabled country=russia default-forwarding=no disabled=no \
    ht-rxchains=0,1 ht-txchains=0,1 hw-protection-mode=rts-cts l2mtu=2290 \
    mode=ap-bridge periodic-calibration=enabled rate-set=configured ssid=\
    WL1 supported-rates-b="" tx-power=27 tx-power-mode=card-rates \
    wireless-protocol=802.11
/interface bridge filter
add action=drop chain=forward mac-protocol=ip ip-protocol=icmp src-address=10.30.0.0/26
/interface bridge port
add bridge=br1 interface=ether1
add bridge=br1 interface=wlan1
/interface bridge settings
set allow-fast-path=no use-ip-firewall=yes
/interface wireless access-list
add interface=wlan1
/ip address
add address=10.30.0.2/26 interface=ether1 network=10.30.0.0
/ip dns
set servers=192.168.193.10
/ip route
add distance=1 gateway=10.30.0.1
/system leds
set 0 interface=wlan1
/system routerboard settings
set cpu-frequency=600MHz

rickfrey · November 20, 2013, 5:27am

Instead of trying to limit in the bridge firewall, try to limit in the IP firewall. That setting is already set to yes on the bridge anyway.

skynets · August 14, 2014, 4:02am

Problem is not closed.
If disable default forwarding then all traffic not forward between wireless user.
If enable default forwarding then it is impossible to control traffic and filter.
Conneсt each users to individual virtual ap its not good. AP should be open
Help me please.

DanielJB · January 3, 2017, 3:34am

I was trying to achieve the same.

Packets coming in on a bridge port are prevented going out on the same port. On linux (which RouterOS is based upon), bridges support ‘hairpin’ mode [1] (don’t confuse with hairpin NAT), which would allow filtering between devices on the same AP/interface, but RouterOS doesn’t support it.

[1] http://man7.org/linux/man-pages/man8/bridge.8.html

pe1chl · January 3, 2017, 9:48am

I would suggest making a feature request to the support mail address.

keirstitt · November 15, 2023, 9:43am

Did you find a solution here?

I posted a new post yesterday quoting yours - it’s an old one so I didn’t think it appropriate to continue your thread but here’s my post http://forum.mikrotik.com/t/bridge-filtering-client-to-client-traffic/171162/1

We can do L2 NAT so I think it might be possible to pull some kind of trick. It’s important because IOT devices often use unsecure UPnP discovery methods and we need to be able to satisfy their functional needs whilst preventing them from doing anything else.