Hello,
I am the admin of a SOHO network.
I have created a bridge with Ethernet 2 and Ethernet 3 ports on my Mikrotik CRS112-8G-4S (RouterOS 6.44.2; Routerboard firmware 6.44.2). Ethernet 1 is my WAN port and uses a static IP. Ethernet 7 has a server with a static IP address on it. The bridge is called hotspot_bridge and has a cloud RADIUS server and a DHCP server with an IP pool of 192.168.1.2-192.168.1.254. The DNS and interface IP address is 192.168.1.1. There are no VLANs or trunks. UPnP is turned off.
Ethernet 2 connects to a Cisco Catalyst 2960. The switch's Ethernet ports are wired throughout the building with UTP cables. Users walk around and sit down with their own laptops and cables to connect to the nearest Ethernet port, wherever they want.
Ethernet 3 connects to a UniFi AP AC LR. It has the reserved DHCP address of 192.168.1.2. It basically has the default config except that the WiFi hotspot is open. I just fiddled with the radio/antenna settings. Users connect their WiFi enabled devices here.
IP firewall filter rules between hotspot users and the server on Ethernet 7 work fine. The server is on a different Ethernet port and subnet.
There are other devices connected to the bridge over the Cisco switch with reserved IP addresses in the range of 192.168.1.249-192.168.1.254 (printers, etc.).
I have turned off “Use IP Firewall” for the bridge because of crippling bandwidth performance issues when accessing the internet from inside the hotspot. The router's CPU hits 100% during normal use. I think this is because it invalidates Bridge Fast Path.
In fact, I have tested this with the Mikrotik router firewall mangle facility and it seems no packets get marked (at least according to the counters) when two hotspot client devices communicate on the hotspot bridge, even if I force “Use IP Firewall”.
How can I create full client isolation without losing the Bridge Fast Path, for IP addresses 192.168.1.3-192.168.1.248?
I know the MAC address of all devices with DHCP reserved addresses on the bridge. The users' MAC addresses are constantly changing as they bring in their personal devices.
Since the switch and AP must be under one DHCP server and hotspot server and use the same captive portal, should I just use some dedicated hardware solution?
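Added example, not part of the original post and not a reply from the forum. The bridge on the CRS112 only sees frames that cross between its own ports, so two hotspot clients on the same Catalyst or the same AP reach each other through that device and never touch the router; that is consistent with the mangle counters staying at zero in the post. What the router alone can enforce is isolation between the ether2 segment (wired users) and the ether3 segment (WiFi users). The script below does that with the RouterOS bridge port `horizon` setting; ports sharing a non-zero horizon value do not forward frames to each other, while both still reach the bridge's own address 192.168.1.1 for DHCP, DNS, the captive portal and the internet. The bridge and port names come from the post; everything else is an assumption, including that `horizon` leaves Bridge Fast Path intact on 6.44.2, which the post does not establish and which should be confirmed on the device by watching CPU load and the fast path counters afterwards. Isolation between two users on the same switch or the same AP has to be configured on that device (protected/isolated ports on the Catalyst, client isolation on the UniFi network), since those frames never reach the router.

```routeros
# Added example (not from the original post). Names hotspot_bridge, ether2 and
# ether3 are taken from the post; the horizon value is an assumed choice.
#
# Bridge ports that share the same non-zero horizon do not forward frames to
# one another, so hosts behind the Catalyst (ether2) and hosts behind the AP
# (ether3) cannot talk at layer 2, but each segment still reaches the bridge
# interface itself (192.168.1.1): DHCP, DNS, the hotspot portal and WAN keep working.
/interface bridge port
set [find bridge=hotspot_bridge interface=ether2] horizon=1
set [find bridge=hotspot_bridge interface=ether3] horizon=1

# Check: both ports should now list horizon=1.
/interface bridge port print where bridge=hotspot_bridge

# Note: this does NOT isolate two laptops plugged into the same Catalyst, nor
# two WiFi clients on the same AP. Those frames are switched locally by that
# device and never cross the router's bridge, so the switch's port isolation
# and the AP's client isolation are the only places that traffic can be blocked.
```

The reserved-address devices (printers on 192.168.1.249-192.168.1.254) sit behind the Catalyst on ether2, so with this configuration WiFi users on ether3 lose access to them as well; if the portal users are supposed to print, the printers would need their own bridge port without a horizon, or a horizon value different from the user segments.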