Question: How can we properly implement client isolation (prevent network shares on Windows clients) on the Ethernet LAN port?
I know that on the WLAN we can use the default forwarding feature.
I have tried blocking src port 137-139 with a firewall forward rule, but it can only block client-to-client (10.5.50.3:137 → 10.5.50.4:137) NetBIOS traffic; it lets the broadcast (10.5.50.255:137) pass through.
I guess the way to effectively block Windows NetBIOS (Network Neighborhood) traffic is to prevent the transmission of broadcast traffic on port 137-139, but the firewall rules can't even see it (traffic seen on the packet sniffer: 10.5.50.3:137 → 10.5.50.255:137, but no entry in the log for dropped traffic).
Your question is a little bit weird. Before clients reach your router, they may already have access to each other through the switch, so you need a managed switch to isolate ports… You have to show where the entry is. Wireless port? What is your network diagram?
My problem is how to prevent Windows clients on my Hotspot LAN from seeing each other and/or their shared resources.
internet —>(ether port1) MT Hotspot (ether port2) → Hotspot LAN
Facts:
On a Windows network neighborhood, a “Browser server” is elected and provides information about a domain/workgroup, which it gathers by listening to the registrations “broadcast” by machines at boot time.
Example traffic detected by packet sniffer:
src-10.5.50.3:138 → dst- 10.5.50.255:138
The firewall rule above only drops packets that are directed to another client workstation:
e.g. 10.5.50.3:137 → 10.5.50.4:137
Assumption:
MT cannot drop broadcast traffic (of course I may be wrong!)
Question:
How can we drop the client registration broadcast on port 137-139 to prevent it from registering with any “browser server”? Dropping the packets before they can even be registered would avoid the election of a browser server among the clients and prevent clients from seeing one another inside the hotspot network.
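As an added illustration (not part of any post in this thread), the classifier below applies the subnet logic the replies describe to constructed sniffer lines in the thread's notation: it separates the NetBIOS flows a MikroTik ip firewall forward rule can drop from those that stay on the layer-2 segment and need switch port isolation or AP client isolation instead. The LAN prefix 10.5.50.0/24 and the flow strings are assumptions.

```python
import ipaddress
import re

# NetBIOS name (137), datagram (138) and session (139) service ports
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample in the "src:port -> dst:port" notation of the sniffer
# output quoted in the thread (made up for this example, not from the post)
SAMPLE_FLOWS = [
    "10.5.50.3:137 -> 10.5.50.4:137",        # unicast, client to client
    "10.5.50.3:138 -> 10.5.50.255:138",      # subnet broadcast (name registration)
    "10.5.50.3:137 -> 255.255.255.255:137",  # limited broadcast
    "10.5.50.3:40000 -> 203.0.113.9:139",    # SMB session towards the internet
    "10.5.50.3:40001 -> 203.0.113.9:80",     # ordinary web traffic, not NetBIOS
]

_FLOW_RE = re.compile(r"^\s*(\S+):(\d+)\s*->\s*(\S+):(\d+)\s*$")

def parse_flow(line):
    """Split 'src:port -> dst:port' into (src_ip, sport, dst_ip, dport)."""
    m = _FLOW_RE.match(line)
    if not m:
        raise ValueError(f"unparseable flow: {line!r}")
    return (ipaddress.ip_address(m.group(1)), int(m.group(2)),
            ipaddress.ip_address(m.group(3)), int(m.group(4)))

def classify(line, lan="10.5.50.0/24"):
    """Return (where, is_netbios) for one sniffed flow.

    'forward-chain': the router routes the packet, so an ip firewall forward
    rule can drop it.  'l2-broadcast': the switch/AP floods it to every client
    and the router is never asked.  'l2-unicast': the switch delivers it
    directly; it only passes the router if the hotspot/AP forces clients
    through the gateway.  Only the first kind can be fixed by a firewall rule.
    """
    net = ipaddress.ip_network(lan)
    _src, sport, dst, dport = parse_flow(line)
    is_netbios = sport in NETBIOS_PORTS or dport in NETBIOS_PORTS
    if dst == net.broadcast_address or dst == ipaddress.ip_address("255.255.255.255"):
        return "l2-broadcast", is_netbios
    if dst in net:
        return "l2-unicast", is_netbios
    return "forward-chain", is_netbios

def netbios_needing_l2_isolation(flows, lan="10.5.50.0/24"):
    """NetBIOS flows a forward-chain drop cannot reach; these need switch port
    isolation or AP client isolation instead."""
    return [f for f in flows
            if classify(f, lan) in {("l2-broadcast", True), ("l2-unicast", True)}]
```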
I’m not sure where I read about this, but you had better do so on a lower layer, with bridge facilities isolating all traffic (not just at the IP level)… However, one of the methods most ISPs use is setting a separate gateway for each client, so the client will only be able to pass all traffic through the gateway, by subnetting…

Actually we must see what the purpose is. If it is meant for security, by setting this the user can only receive packets from their gateway, and it is not possible to connect to that user, especially if there is a managed switch blocking traffic to MAC addresses other than the gateway (isolating them), and in this way clients will all be monitored by the gateway because everything must pass through the server… However it may be costly, considering the price of a managed switch, but at least it gives a level of security.
Is it possible for MikroTik to add a feature to disable LAN clients communicating with each other, just like “default-forwarding” for WLAN?
It would be very helpful for MT users whose configuration doesn't have wireless NICs but uses cheap commercial APs connected to the MT's Ethernet port.
Configuration:
internet->(ether1) MT (ether2)->unmanaged-switch->cheap AP (wireless)
|___ LAN (wired)
Would replacing the unmanaged switch with a “managed switch” solve the issue?
You must use a certain AP (even a cheap one may have an isolation feature) and you must use a managed switch, which you can get for about 300USD for 24 ports, and set up VLANs, which is almost simple to do (even though I haven't set that up yet), but I want to do this exactly…

A managed switch won't isolate your AP's clients on the WLAN side, but it will be able to isolate your LAN and your WLAN's clients…

I'm having Senao and Interepoch, which have isolation and it is very simple to do so, so you may go ahead and ask your vendor and they may even do that upon request (as Senao did). But one big piece of advice: never buy anything from Senao, their QoS is deep in shit (sorry for the language), but I wasted 2000USD on their wireless stuff.
It’s not possible, because the AP acts like a hub or even a wire. Communication goes to the AP and back to the clients, but not to the switch behind the AP (if the clients have the same subnet address). Only if a client is in a different subnet does the traffic go to the router/gateway.