[/interface wireless find] Question

Good Day,

I am in the process of setting up firewalls on all of my sector antennas to prevent clients from communicating with common services over the network.

I know our CPE password got leaked somehow and that the password can be extracted from a backup file.

I want to prevent @%*#ers from running a VB script from inside the network to reset other radios on the network.

This is what I use at the moment and it seems to be working fine.

/ip firewall filter
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=21 comment="Drop FTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=22 comment="Drop SSH From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=23 comment="Drop Telnet From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=80 comment="Drop HTTP From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=443 comment="Drop HTTPS From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8291 comment="Drop Winbox From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8728 comment="Drop API From Clients to Clients"
add chain=forward action=drop protocol=tcp dst-address=10.0.0.0/8 in-interface=[/interface wireless find] dst-port=8729 comment="Drop API-SSL From Clients to Clients"

The only problem is the [/interface wireless find].

On some sectors there are disabled virtual APs.

I do this for failover reasons: if one sector dies, all the clients can connect to a virtual AP then.

The [/interface wireless find] sometimes sets the interface to the disabled AP and not the enabled interface.

Any way to find only enabled wireless interfaces?

[/interface wireless find] returns an array of values (if multiple interfaces exist).

Either you get a specific interface by name, or you run :foreach to loop through all returned items.

Why don't you isolate clients? On APs disable "Default Forward"; on bridges use the same horizon.

Hi,

Clients are isolated at the moment. Sorry, but I don't understand what you mean by "on bridges use the same horizon."

The network is fully routed.

Say there are two sectors, for example 10.100.1.0/24 and 10.100.2.0/24.

I don't want clients from 10.100.1.0/24 to be able to SSH/Telnet etc. to clients on 10.100.2.0/24, but I still need to have that access from the office.

I could set the IP services on the CPEs, but the problem is there are over 2000 of them out in the field.

So I thought blocking connections from the users would be the best solution.

If there is a better solution please share.

Thanks mrz for the explanation of how [/interface wireless find] works.

I am going to do all the sectors by hand so I can check IP services and whether they are sending their daily backups.

How do clients get their IP?

I assign each radio its own fixed IP address in the subnet.

Those that require a public IP address get an EoIP tunnel to the main gateway.

It's fixed wireless installations.

Then there is DHCP and NAT set up on the CPEs.

Hi,

This should do the trick if all the sectors have one virtual AP.

/interface wireless set [find interface-type="virtual-AP"]

No, I should just figure out how to make it not set to the VAP or the Ethernet.

I want to create a .vbs script that sets all the sectors when I run it.

Is it possible to find wireless interfaces where there are registered stations?
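An added example (not code from the thread) of the :foreach approach mrz describes, combined with the registration-table check asked about in the last post: it rebuilds the drop rules from the first post once per enabled, non-virtual wireless interface that currently has at least one registered station. It assumes the same 10.0.0.0/8 destination and port list as the original rules, and that interface-type reads "virtual-AP" for virtual APs, as in the post above.

```routeros
# Added example, not part of the thread. Rebuilds the
# "Drop ... From Clients to Clients" rules for each sector
# interface that is enabled, not a virtual AP, and has
# registered stations, so in-interface gets a real name
# instead of whatever [/interface wireless find] returns first.
:local ports {21;22;23;80;443;8291;8728;8729}
:local names {"FTP";"SSH";"Telnet";"HTTP";"HTTPS";"Winbox";"API";"API-SSL"}

# Drop rules from an earlier run (matches the hand-made rules
# from the first post as well, since they use the same comment).
/ip firewall filter remove [find where comment~"^Drop .* From Clients to Clients"]

:foreach i in=[/interface wireless find where disabled=no and interface-type!="virtual-AP"] do={
    :local ifname [/interface wireless get $i name]
    # Only sectors that actually carry clients right now
    :local stations [:len [/interface wireless registration-table find where interface=$ifname]]
    :if ($stations > 0) do={
        :for idx from=0 to=([:len $ports] - 1) do={
            :local port ($ports->$idx)
            :local svc ($names->$idx)
            /ip firewall filter add chain=forward action=drop protocol=tcp \
                dst-address=10.0.0.0/8 in-interface=$ifname dst-port=$port \
                comment="Drop $svc From Clients to Clients"
        }
    }
}
```

Because a failover VAP only gets stations once its sector has died, the script has to be re-run (for example from /system scheduler) for the rules to follow the interface that is really carrying clients.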