(How?) Drop packets between wireless clients

I don’t want to turn off default forwarding, but I do want to filter things like File and Printer sharing between the wireless clients.

Currently I’m dropping ports 137-139 tcp/udp on the forward chain with no src/dst address specified. But this does not catch stuff on the wireless ap-bridge.

Is this even possible?

With default-forwarding set to yes all communications between clients won’t reach the firewall. You have to turn off default-forwarding to be able to filter traffic between clients.

Eugene

Yes, but doesn’t that stop all communications between wireless clients? I only want to filter a few ports, in order to maintain some sanity while keeping things more or less ‘open’. (In case I need to diagnose a customer’s connection on the same AP as me, or if someone wants to run a small web server and have other customers (edit: on the same AP) be able to access it.)

Correct me if I’m wrong.

All “direct” (bridge-like) communications. You should configure routing instead.

Ok, we’re already doing routing. I just meant that the radio is in AP mode (ap-bridge).

Anyone?

Our AP-2000s can do this (per port).. how is it done on MikroTik?

Ok, so how do the clients connect to the AP, that is, what do your clients do in addition to associating with the AP? Once associated, do you require them to run an additional protocol on top of the wireless connection, such as PPPoE?

If you do not have such an additional layer, then, I’m afraid, you would not be doing what Eugene probably meant when he said you need to use routing.

For example, let’s assume that you hand out IP addresses to associated clients using DHCP (or maybe even tell them to configure static IP addresses and gateway per client manually) and your AP has an IP address in the same subnet that you assign to clients and acts as a gateway for them. Then it could be said that you are of course “routing”. But that will not help you with your problem, because all the clients will still be in the same layer 2 network (because they are associated to the same AP) and therefore no routing would be required for communication between any two clients. You are routing between the group of clients as a whole and the uplink, but you’re not routing between the clients themselves in such a setup!

If you need fine-grained control over the communication between two clients that are associated to the same AP then you will need to enforce routing between clients, with the AP acting as the router (layer 3 gateway) required for one client to reach the other. This is the only way to have communication between two clients go through the forward chain on the AP and thus filter it.

One way to achieve this would be the above-mentioned use of PPPoE, because then you’ll end up with a PPPoE Layer-3 interface per client on the Mikrotik AP, therefore one client talking to the other would mean traffic coming into the AP on one PPPoE interface, going through the (possibly filtering) forward chain and leaving the AP towards the other client on another PPPoE interface.

–Tom
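The approach Eugene and Tom describe (turn off default-forwarding so the AP stops bridging between clients, then put each client on its own layer-3 interface with PPPoE so client-to-client traffic is routed through the forward chain) written out as RouterOS configuration. This is an added example, not configuration posted by anyone in this thread. The interface name wlan1, the 10.0.0.0/24 client range, and the pool, profile and service names are assumptions; TCP 445 is added alongside the original poster's 137-139 because Windows file sharing also uses it, and the src/dst address match keeps the drop rule to client-to-client traffic only, leaving traffic to and from the uplink untouched.

```routeros
# Added example (not from the thread). Assumes the AP's wireless interface is
# wlan1 and that clients live in 10.0.0.0/24; adjust names and ranges to fit.

# 1. Stop the AP from forwarding frames directly between associated clients.
#    With default-forwarding=yes those frames never reach the IP firewall,
#    so the forward chain rule for 137-139 is simply bypassed.
/interface wireless set wlan1 default-forwarding=no

# 2. Give every client its own layer-3 interface via PPPoE. Client-to-client
#    traffic now has to be routed by the AP instead of bridged by it.
/ip pool add name=wifi-clients ranges=10.0.0.10-10.0.0.250
/ppp profile add name=wifi local-address=10.0.0.1 remote-address=wifi-clients
/interface pppoe-server server add service-name=wifi interface=wlan1 \
    default-profile=wifi one-session-per-host=yes disabled=no

# Optional: authenticate the PPPoE sessions against the existing RADIUS
# server (assumes a RADIUS entry with service=ppp is already configured).
/ppp aaa set use-radius=yes

# 3. Traffic between two clients now enters on one PPPoE interface and leaves
#    on another, passing the forward chain. Drop only the file/printer sharing
#    ports, and only when both ends are clients, so everything else (web
#    servers, diagnostics from a colleague's laptop) keeps working.
/ip firewall filter add chain=forward protocol=tcp dst-port=137-139,445 \
    src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action=drop \
    comment="no file/printer sharing between wireless clients"
/ip firewall filter add chain=forward protocol=udp dst-port=137-139 \
    src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action=drop \
    comment="no NetBIOS between wireless clients"
```

With this in place, a client that merely associates and gets an address by DHCP can still reach the AP but not other clients; only clients with a PPPoE session get routed, and everything they send to each other is visible to the forward chain. A quick check is `/ip firewall filter print stats`: the drop rules' packet counters should climb when one client probes another on 139 or 445, and stay flat for plain HTTP between the same two clients.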

Hi Tom, thanks for replying.

We’re not using anything on top of the wireless connection like PPPoE.
I thought about doing that at first, but my boss didn’t want to do it that way.. which is all well and good.. I mean, we have RADIUS authentication set up in a decent manner.

I understand what you’re saying.. I’ll just have to figure out how the AP-2000s do it.

Unless the AP-2000 only filters from AP-client to the other side of the AP, and not actually between clients.. :blush:

Thanks for the insight.