Isolate users on different APs

Hi. I have a network with three APs (hops). If you disable default forward on the AP then users connected to that AP can see each other but they can see users on the other two APs. Each AP uses its own IP range.
AP1 = 10.10.11.1
AP2 = 10.10.12.1
AP3 = 10.10.13.1
Any help here will be greatly appreciated.

Drop the traffic on a layer 2 hop in between. To do that you either need to use bridge filters on the AP, or enable the IP firewall for the bridge and write IP filters, or run everything through a switch that has layer 2 security concepts that let you specify traffic filters. Most higher end managed switches can do this.

If you decide to filter on the AP you would turn on the IP firewall like this:
/interface bridge settings set use-ip-firewall=yes
http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Settings

Then write filter rules. For example, assuming the users are on 192.168.0.0/24 and .1 is the gateway:

/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.1 action=accept
add chain=forward src-address=192.168.0.1 dst-address=192.168.0.0/24 action=accept
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop
add chain=forward action=accept

That doesn’t account for a whole bunch of other stuff (broadcasts, packets destined to quad zero), and is just a simple approach. Switches with proper layer 2 security measures can do a whole lot more here, like ARP inspection, source guards, and DHCP snooping.
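Added example, not part of the original posts: a small Python model of first-match evaluation over the four filter rules above, showing which rule catches each of a set of constructed sample packets, including the final matcher-less accept and the broadcast cases the post says are not accounted for. It models only source/destination address matching; the sample addresses and the names `evaluate`, `report` and `DROP_FIRST` are assumptions made for illustration.

```python
import ipaddress

# The four forward-chain rules from the post, in order: (src, dst, action).
# None means the rule has no matcher for that field, so it matches anything.
RULES = [
    ("192.168.0.0/24", "192.168.0.1", "accept"),     # clients -> gateway
    ("192.168.0.1", "192.168.0.0/24", "accept"),     # gateway -> clients
    ("192.168.0.0/24", "192.168.0.0/24", "drop"),    # client -> client
    (None, None, "accept"),                          # everything else
]

# Same rules with the drop moved to the top, to show why order matters.
DROP_FIRST = [RULES[2], RULES[0], RULES[1], RULES[3]]


def _matches(matcher, address):
    """True if address falls inside the rule's address or prefix."""
    if matcher is None:
        return True
    return ipaddress.ip_address(address) in ipaddress.ip_network(matcher)


def evaluate(src, dst, rules=RULES):
    """Return (rule_number, action) of the first rule matching src -> dst."""
    for number, (rule_src, rule_dst, action) in enumerate(rules, start=1):
        if _matches(rule_src, src) and _matches(rule_dst, dst):
            return number, action
    return None, None  # no rule matched; default handling is not modelled


# Constructed sample packets (addresses invented for this example).
SAMPLES = [
    ("192.168.0.10", "192.168.0.1", "client to gateway"),
    ("192.168.0.1", "192.168.0.10", "gateway to client"),
    ("192.168.0.10", "192.168.0.20", "client to client"),
    ("192.168.0.10", "203.0.113.5", "client to outside host"),
    ("192.168.0.10", "192.168.0.255", "subnet broadcast"),
    ("192.168.0.10", "255.255.255.255", "limited broadcast"),
    ("0.0.0.0", "255.255.255.255", "source 0.0.0.0 broadcast"),
]


def report(samples=SAMPLES, rules=RULES):
    """List (label, rule_number, action) for every sample packet."""
    return [(label, *evaluate(src, dst, rules)) for src, dst, label in samples]


if __name__ == "__main__":
    for label, number, action in report():
        print(f"{label:26} rule {number} -> {action}")
```

With the drop rule first, the client-to-gateway packet is caught by the drop before either accept is reached, which is why the two accepts precede it in the post.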

Thank you for the reply.
I do not use a bridge on AP
Wlan1 = station receiving from AP1
Wlan2 = AP2
Wlan3 = AP sending to receiver on AP3, each with its own IP range. Can I still use the same principle as described above?

Thank you

If you’re not bridging you just use IP firewall filters.

Thank you, I’ll try that

Hi,

I have hotspot on bridge interface

  1. Are these rules also suitable for Hotspot, or may they be changed?

  2. I understand these rules except the last one.

add chain=forward action=accept

What exactly is it doing?

Thank you