How to isolate users

Hello,
I have some users connected via WiFi (192.168.0.0/24).
Is it possible to somehow isolate these users in the network (MS sharing and printing protocol, ping, etc.)? Some of them have their own router so there is no problem (just the router is visible), but others are directly connected to the network and their PCs are visible.

Thanks

First, turn off default forwarding in hardware:
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#General_interface_properties

default-forwarding (yes | no; Default: yes) This is the value of forwarding for clients that do not match any entry in the access-list

Now clients can’t send frames to each other anymore directly via the radio chipset. Make sure that your access lists, if you use them, also specify “forwarding=no” for clients that shouldn’t be able to talk to one another.

At this point all traffic would have to go through the IP firewall. A rule set blocking traffic would look like this, though you’d have to adjust interface names:

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop

Hi,
thanks a lot, this works as expected.

I have almost the same question but a bit different configuration. But I'm not sure if it will be possible to solve.

  • Mikrotik router 750 connected to the DSL line.
  • UBNT AP point (5 GHz) set as AP (bridge).
  • APpro (2.4 GHz) set as AP (bridge).

Both APs are connected via some Airlink switch to the Mikrotik (so just one LAN cable from MK to switch, 2x LAN cables from switch to each AP).
So I'm afraid that I will not be able to isolate the clients in this configuration, because of the switch. (Also I see in the MK that the drop rule is not used: no communication goes through it.)

Or is there some way/idea how to solve it?

Thanks.

Buy a switch that has layer 2 security features that allow you to block the traffic between clients on the switch port.

I was afraid of this, so do you have some tips for a cheap configurable switch? What about the MIKROTIK RB250GS?

According to the manual it can do L3 ACLs: http://wiki.mikrotik.com/wiki/SwOS#ACL_Tab

An access control list (ACL) rule table is a very powerful tool allowing wire-speed packet filtering, forwarding and VLAN tagging based on L2/L3 protocol header field conditions. SwOS allows you to implement a limited number of access control list rules (32 simple rules (only L2 conditions are used); 16 rules where both L2 and L3 conditions are used; or 8 advanced rules where all L2, L3 and L4 conditions are used).

Each rule contains a conditions part and an action part.

But I don’t think 16 rules are sufficient to really secure things. You could kinda do something along the lines of “allow 192.168.1.1 to 192.168.1.0/24, allow 192.168.0.0/24 to 192.168.1.1, deny 192.168.0.0/24 to 192.168.0.0/24, allow everything else” if you just need to canonically drop subnet to subnet traffic, but that doesn’t account for a whole bunch of other potential issues that would just be permitted under the “allow everything else” rule.
If you’re looking for true layer 2 security you’d need a decent access layer switch from Juniper, Cisco, Brocade, Extreme, whatever.
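As an added illustration (not from the thread): a small Python checker that applies the rule order sketched above, first match wins, to constructed sample flows on the 192.168.0.0/24 WLAN, and lists every flow that is permitted only by the final "allow everything else" rule. The addresses come from the post; the sample flows and the helper names are made up here.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str      # source prefix
    dst: str      # destination prefix
    action: str   # "allow" or "deny"

# Rule order as proposed in the post above; the last entry is the catch-all.
PROPOSED_ACL = [
    Rule("192.168.1.1/32", "192.168.1.0/24", "allow"),
    Rule("192.168.0.0/24", "192.168.1.1/32", "allow"),
    Rule("192.168.0.0/24", "192.168.0.0/24", "deny"),
    Rule("0.0.0.0/0", "0.0.0.0/0", "allow"),
]

def evaluate(acl, src_ip, dst_ip):
    """Return (action, rule_index) of the first matching rule,
    or ("deny", None) when no rule matches (implicit deny)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for idx, rule in enumerate(acl):
        if src in ipaddress.ip_network(rule.src) and dst in ipaddress.ip_network(rule.dst):
            return rule.action, idx
    return "deny", None

def catch_all_flows(acl, flows):
    """Flows that reach the final catch-all rule, i.e. traffic the
    rule set never reasons about explicitly. A human still has to decide
    which of these (e.g. Internet access) are intended."""
    last = len(acl) - 1
    return [f for f in flows if evaluate(acl, *f) == ("allow", last)]

# Constructed sample flows (not captured traffic).
SAMPLE_FLOWS = [
    ("192.168.0.10", "192.168.0.20"),   # client to client
    ("192.168.0.10", "192.168.0.255"),  # client to subnet broadcast
    ("192.168.0.10", "192.168.1.1"),    # client to the router
    ("192.168.0.10", "93.184.216.34"),  # client to the Internet
    ("169.254.7.9", "192.168.0.20"),    # client with a link-local address
    ("192.168.0.10", "224.0.0.251"),    # client to mDNS multicast
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, evaluate(PROPOSED_ACL, *flow))
    print("reach catch-all:", catch_all_flows(PROPOSED_ACL, SAMPLE_FLOWS))
```

The client-to-client and broadcast flows are dropped by the third rule as intended, while the link-local and multicast flows fall through to the catch-all, which is the kind of gap the post refers to.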

Thanks a lot.