Should one configure firewall filter input rules in LAN access points (WLANs and eth bridged)?
I would say yes, to protect the ap itself, even from unintentional attacks (client box infected).
Hmm interesting question.
On my two capacs I have winbox access only from the LAN side but no firewall rules added.
Access to configure the capac is limited to either subnet or specific pc IPs.
The firewall rules are applied to all traffic by the main router.
Are you saying there is more to do??
The question is the same as: “should I enable firewall on my desktop/server (on inner network)?”
That depends on a lot of factors..
Well, since it's in AP mode and thus not routing at layer 3, how is it going to apply filter rules?
Not saying it can't but usually not possible.
I do know there is a default rule that allows all traffic to pass so there is some sort of ACL structure or filtering.
The question was about input rules, i.e. if someone would want to access something on the AP (WinBox, …). And as was already said, it depends. If you think that the network is completely safe, you can probably live without it. Or you can just limit access in “/ip services”. But if you add a real firewall and only allow selected port(s), it can’t hurt.
Okay, so the capac acting as a wisp bridge can invoke input chain rules???
Yes, it will, if anyone on the network tries to reach capac’s IP address. (unless you dst-nat everything)
The rule obviously won’t be applied to bridged traffic.
Similarly, it won’t be applied to non-IP traffic (mac-winbox for example can’t be blocked this way)
I would create a management VLAN for them.
Then just disable the mac server on the client side facing interfaces and disable forwarding on the APs.
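
Added example, not part of any post in this thread: a RouterOS sketch of the three layers discussed above for protecting the AP itself (service restriction, input chain rules, and MAC server restriction, since input rules never see non-IP traffic). The management subnet `192.168.88.0/24`, the uplink interface `ether1` and the list name `MGMT` are assumptions; substitute your own values.

```routeros
# Added example. Assumed values: 192.168.88.0/24 is the management subnet,
# ether1 is the wired uplink, MGMT is an interface list created here.

# 1. Service level: only WinBox stays enabled, and only from the management subnet.
/ip service
set winbox address=192.168.88.0/24
disable telnet,ftp,www,api,api-ssl

# 2. Input chain: applies only to IP traffic addressed to the AP itself.
#    Bridged client traffic passing through the AP does not hit these rules.
/ip firewall filter
add chain=input action=accept connection-state=established,related \
    comment="replies to connections the AP opened"
add chain=input action=drop connection-state=invalid
add chain=input action=accept protocol=icmp
add chain=input action=accept protocol=tcp dst-port=8291 \
    src-address=192.168.88.0/24 comment="WinBox from management subnet"
add chain=input action=drop comment="everything else addressed to the AP"

# 3. MAC level: MAC-Telnet and MAC-WinBox are not IP, so the rules above
#    cannot block them. Limit them to the uplink instead of client-facing ports.
/interface list
add name=MGMT
/interface list member
add list=MGMT interface=ether1
/tool mac-server
set allowed-interface-list=MGMT
/tool mac-server mac-winbox
set allowed-interface-list=MGMT
```

Apply the final drop rule from a session that originates in the allowed subnet, otherwise the AP becomes unreachable over IP.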