Firewall rules for interfaces in bridge

Hi guys, I really need your help and wisdom :slight_smile:

Let’s say that I have an RB751U with 2 virtual APs created. Both VAPs and the ethernet ports are bridged in one local-bridge. Is there any chance to separate clients connected to the first VAP from clients connected to the second VAP? Or is there any chance to set different firewall rules for each VAP? (There is another MT with the DHCP server, all clients are in the same subnet and I can’t use two different subnets.)

I’ve tried adding rules to the firewall to forbid communication between the VAPs, but all communication logically goes through bridge-local, so my rules are “inactive”.

Thank you for your advice :slight_smile:

Set use-ip-firewall=yes at the /bridge level.

You can add bridge filter rules to block traffic forwarded between interfaces, or only to/from one of them.

For example:

/interface bridge filter
# vAP1 may only talk to eth1-WAN: drop anything else going to or coming from it
add chain=forward action=drop in-interface=!eth1-WAN out-interface=vAP1
add chain=forward action=drop in-interface=vAP1 out-interface=!eth1-WAN
# explicitly keep the two VAPs apart in both directions
add chain=forward action=drop in-interface=vAP1 out-interface=vAP2
add chain=forward action=drop in-interface=vAP2 out-interface=vAP1

It works fine for me.

Thanks for the replies… :slight_smile:

I’ve already set use-ip-firewall=yes at the /bridge level, but it doesn’t change the fact that the rules are applied to the whole bridge and not to specific interfaces in the bridge…
I will try RafGan’s rules ASAP :slight_smile: and let you know how it works for me.

And let me extend this question. What if I need to block traffic between interfaces and also block specific TCP ports on one vAP? (Let’s say, allow only port 80 on vAP2)?

Thanks :slight_smile:

The bridge filter has options to match on IP address, protocol and port. Modify the rules accordingly and it should work great for you too. :smiley:
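As an added worked example (not code from any post in this thread), here is how the VAP isolation and the “only port 80 on vAP2” restriction fit together in one bridge filter ruleset. The interface names vAP1, vAP2 and eth1-WAN are taken from the thread; everything else, including the comments, is an assumption. Bridge filter rules are evaluated top to bottom and the first matching accept or drop ends processing, so the accepts for vAP2 must come before its catch-all drops. Because the DHCP server sits on another router across the bridge, ARP and DHCP have to be allowed explicitly or vAP2 clients will never get an address.

```routeros
# Assumes: bridge-local contains eth1-WAN, vAP1 and vAP2 (names from the thread).
/interface bridge filter

# 1) Keep clients on the two VAPs from reaching each other, in either direction.
add chain=forward action=drop in-interface=vAP1 out-interface=vAP2 comment="isolate vAP1 -> vAP2"
add chain=forward action=drop in-interface=vAP2 out-interface=vAP1 comment="isolate vAP2 -> vAP1"

# 2) vAP2 accepts: ARP (needed for any IP traffic), DHCP (server is on another router
#    behind the bridge), and HTTP in both directions. Order matters: accepts first.
add chain=forward action=accept in-interface=vAP2  mac-protocol=arp comment="vAP2: ARP out"
add chain=forward action=accept out-interface=vAP2 mac-protocol=arp comment="vAP2: ARP in"
add chain=forward action=accept in-interface=vAP2  mac-protocol=ip ip-protocol=udp src-port=68 dst-port=67 comment="vAP2: DHCP request"
add chain=forward action=accept out-interface=vAP2 mac-protocol=ip ip-protocol=udp src-port=67 dst-port=68 comment="vAP2: DHCP reply"
add chain=forward action=accept in-interface=vAP2  mac-protocol=ip ip-protocol=tcp dst-port=80 comment="vAP2: HTTP to servers"
add chain=forward action=accept out-interface=vAP2 mac-protocol=ip ip-protocol=tcp src-port=80 comment="vAP2: HTTP replies"

# 3) Catch-all: anything else to or from vAP2 is dropped.
add chain=forward action=drop in-interface=vAP2  comment="vAP2: drop all other outbound"
add chain=forward action=drop out-interface=vAP2 comment="vAP2: drop all other inbound"
```

Two things to keep in mind when adapting this. The forward chain only sees frames bridged between ports; traffic between the router itself and vAP2 clients (for example to its own IP) passes through the input and output chains instead and is not covered by these rules. And since only TCP 80 is accepted, vAP2 clients can reach web servers by IP address only; if they need to resolve hostnames, DNS (UDP and TCP 53) has to be allowed the same way, with an accept rule in each direction placed above the drops.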

Works like a charm, thank you very much :slight_smile: