isolating users over a bridge

RouterOS General
1

Hi all.
in my access points I have a bridge between: wlan+some dynamic wds and one eoip tunnel.
the users use station-pseudobridge or station wds.
I need to isolate each user from each other.
I cannot use horizon because wds users cannot have an horizon.
I know I must use bridge firewall.
Then the questions:

  1. how heavy is for a 411AH cpu to enable bridge firewall in AP having 80 users and delivering 10Mbits ?
  2. could someone share a simple bridge firewall rule to do this ?

thanks

Rodolfo

2

RB433AH should be fine. Blocking broadcast from GW to clients is impossible. Blocking broadcast from clients it’s certainly doable by dropping all traffic except from client to your server(s). How many ethernet interfaces are your user computers communicating with (for DHCP, NTP, default GW etc)?

3

thanks.
I need to block broadcast from one user to another (i.e. dhcp).
broadcast must forward through eoip (pppoe)
users are connected to wlan, someone using wds

4

First you need to determine hardware MAC addresses of interfaces your clients are allowed to send and receive frames from.

Once you have the mac address(es) setup following rules at the ingress to your network (AP), in the forwarding chain:

  1. allow any source MAC to your MAC

  2. allow all traffic from your MAC to any destination MAC

  3. drop everything else

5

thanks rmichael.
supposing all forward traffic goes in/out eoip tunnel, and eoip tunnel have mac-address=A,
I need three rules:

  1. all traffic dst-mac-address=A > accept
  2. all traffic src-mac-address=A > accept
  3. all traffic > drop

seems it works

thank you!

6

Glad it’s working. I cannot tell from your reply, so make sure that you filter at the AP (closest to the client), if you filter at the other end you’ll see traffic dropped but clients will still be able to communicate.

7

yes, I filter over the bridge that sum eopi+wlan+wds