Isolate Wi-Fi

How do I isolate Wi-Fi from the local network, so that Wi-Fi has no access to the LAN? The LAN is 192.168.22.0, and Wi-Fi is 172.40.34.0.

1. Don't use the same bridge for both networks.

You need to create a new network for the wireless, set up a DHCP server, and NAT.
Add a rule that only allows seeing the gateway and forbids the other IPs on the LAN.

I have the same problem… can someone show us how to go about making the rule? Need it really badly.

I will want the same when there’s a dual-band RB2011 upgrade, but with mDNS able to get through.

Guess your wireless and ethernet interfaces are on a bridge; go to Bridge > Ports and edit the ports you don't want to be able to see each other, setting the Horizon value to the same number, 50 for example.

No need to modify anything else.

Otherwise please give more detailed information regarding your actual setup.

Mr. pukkita… I have some hard lines that are bridged… but the APs are not bridged… the WLANs have their own /24 subnet… how do you do the horizon properties on a bridge as well? :)

A. Connect to the router via cable.
B. If you have any BRIDGE where WIFI and LAN are active ports, then remove WIFI from those bridges.
C. Disable WiFi, just for convenience.
D. Configure your LAN for DNS, DHCP, firewall etc.
E. Make sure that the LAN works as expected.
F. Enable WiFi.
G. Repeat steps D and E for WiFi.

H. Apply this code to your configuration in the proper places… you need to check it yourself.

/ip firewall filter
# WiFi clients may go out to the ISP; action=accept is the RouterOS default, written out here for clarity
add action=accept chain=forward comment="UNBLOCK: WIFI -> WAN" in-interface=WIFI out-interface=WAN-ISP
# everything else that enters on WIFI and would be forwarded anywhere (including the LAN) is dropped
add action=drop chain=forward comment="BLOCK: WIFI -> ANY INTERFACE" in-interface=WIFI

I. You can allow e.g. RDP from WIFI to LAN in step H if you replace the rule with

# Direction is WiFi (172.40.34.0/24) -> LAN (192.168.22.0/24). A single drop rule with
# protocol=tcp dst-port=!3389 would only ever match TCP and let UDP/ICMP through, so the
# exception is written as an explicit accept placed before an unconditional drop.
add action=accept chain=forward comment="UNBLOCK: WIFI -> LAN RDP only" dst-address=192.168.22.0/24 dst-port=3389 in-interface=WIFI protocol=tcp src-address=172.40.34.0/24
add action=drop chain=forward comment="BLOCK: WIFI -> ANY INTERFACE EXCEPT RDP TO LAN" in-interface=WIFI

The (same) horizon value should be set on those bridge ports you don’t want to be able to communicate with each other.

This way you are totally isolating the interfaces and there will be no way to enable particular traffic, but I admit that it is a quick and easy solution.
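The following is an added, complete RouterOS configuration fragment (it is not a post from this thread nor code from any of its participants) that puts steps A–I and the horizon advice together in one place: the WiFi side gets its own bridge, address, DHCP and NAT, WiFi clients can reach the router itself only for DHCP and DNS, and the forward chain allows only RDP into the LAN plus outbound internet. Interface names WIFI and WAN-ISP and the two subnets come from the thread; the bridge and port names (bridge-lan, ether2, ether3, wlan1, wlan2), the DHCP pool range, the gateway addresses and the use of two wireless ports with horizon=1 are assumptions made for the example.

```routeros
# Added example, not from the original thread. Assumed names: bridge-lan, ether2/ether3,
# wlan1/wlan2, pool-wifi, dhcp-wifi; assumed addresses: .1 of each subnet as gateway.

/interface bridge
add name=bridge-lan
# If the WiFi side has more than one AP interface, bridge them so they share
# 172.40.34.0/24, and give them the same horizon so one AP's clients cannot
# reach another AP's clients through the bridge (horizon only matters locally).
add name=WIFI
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3
# WIFI is deliberately NOT a port of bridge-lan (step B)
add bridge=WIFI interface=wlan1 horizon=1
add bridge=WIFI interface=wlan2 horizon=1

/ip address
add address=192.168.22.1/24 interface=bridge-lan
add address=172.40.34.1/24 interface=WIFI

# DHCP for the WiFi network (step G); pool range is an assumption
/ip pool
add name=pool-wifi ranges=172.40.34.10-172.40.34.254
/ip dhcp-server
add address-pool=pool-wifi disabled=no interface=WIFI name=dhcp-wifi
/ip dhcp-server network
add address=172.40.34.0/24 dns-server=172.40.34.1 gateway=172.40.34.1
/ip dns
set allow-remote-requests=yes

/ip firewall address-list
add address=192.168.22.0/24 list=LAN
add address=172.40.34.0/24 list=WIFI

/ip firewall filter
# input chain: WiFi clients may only "see the gateway" for DHCP and DNS
add action=accept chain=input comment="WIFI: replies to router-initiated traffic" connection-state=established,related in-interface=WIFI
add action=accept chain=input comment="WIFI: DHCP to router" dst-port=67 in-interface=WIFI protocol=udp
add action=accept chain=input comment="WIFI: DNS to router (udp)" dst-port=53 in-interface=WIFI protocol=udp
add action=accept chain=input comment="WIFI: DNS to router (tcp)" dst-port=53 in-interface=WIFI protocol=tcp
add action=drop chain=input comment="WIFI: drop everything else aimed at the router" in-interface=WIFI

# forward chain: return traffic first, then the one LAN exception, then WAN, then drop
add action=accept chain=forward comment="established/related" connection-state=established,related
add action=accept chain=forward comment="WIFI -> LAN: RDP only" dst-address-list=LAN dst-port=3389 in-interface=WIFI protocol=tcp
add action=drop chain=forward comment="WIFI -> LAN: drop everything else" dst-address-list=LAN in-interface=WIFI
add action=accept chain=forward comment="WIFI -> WAN" in-interface=WIFI out-interface=WAN-ISP
add action=drop chain=forward comment="WIFI -> anything else" in-interface=WIFI

# NAT only the WiFi subnet out to the ISP
/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN-ISP src-address-list=WIFI
```

Order matters in RouterOS filter chains: the established/related accept must come before the drops or TCP replies from LAN to WiFi die, and the RDP accept must precede the LAN drop. Without the input-chain rules, isolating the forward chain alone still leaves the router's own services (Winbox, SSH, the web UI) reachable from WiFi clients, which is usually not what "no access to the LAN" intends.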

So on every AP… I should put a bridge on them… on one I can have 50 for the horizon… and on the other one I should put 40… and on the third one I should put 30… is that what you're saying?…

http://wiki.mikrotik.com/wiki/Manual:MPLSVPLS#Split_horizon_bridging

The basic idea of split horizon bridging is to make traffic arriving over some port never be sent out some set of ports…Bridge horizon feature allows to configure bridge ports with horizon setting so that packet received over port with horizon value X is not forwarded or flooded to any port with the same horizon value X. …Note that horizon value has meaning only locally - it does not get transmitted over network, therefore it does not matter if the same value is configured in all routers participating in bridged network.

I have not tested it.
Note that you can also use the firewall at bridge level: http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Firewall to make traffic more local.