Layer 2 Isolation for Hotspot users??

Hi,

Is there a way to separate the hotspot clients from each other?

Other vendors call it “Layer 2 Isolation”, which means no ping, scan or hack from one hotspot client to another is possible.

Is there such a feature in MT?



Thanks

seandsl

Yes, there is. Turn off default forwarding on AP-bridge…

Thanks djape …

AP sounds like WLAN. The router has no WLAN interface … where in the manual do I find any hints regarding “default forwarding” and “bridge mode”??


seandsl

Well, Houston, we've got a problem :)

Unfortunately, you can’t do that on Ethernet interfaces, just wireless :(

On a wireless interface you have the option to disable default-authentication and default-forwarding, and it is visible in the wireless interface configuration menu…

Just set up your firewall rules so that all that traffic gets dropped.

Make a new firewall chain, and put a jump rule in the forward chain.

EDIT

Sorry, firewalling won’t entirely do what you’re trying to achieve; you’d need to use one of the solutions provided below.

I do not know what other vendors say; I will just tell you what can be done theoretically on an Ethernet network, and what cannot. Ethernet is a big mess when it comes to traffic control. Using regular equipment there is no way you can separate those users, as most hubs/switches are designed to connect networks, not just two preconfigured hosts (I think most of us would not like to have a switch which only lets traffic pass between two hard-wired ports). Usually it is solved using one of the following paths (and both are supported by RouterOS):

  1. Make individual virtual connections (tunnels) for every user to connect to the router. That way, no IP traffic is broadcast to the network, and usually this means that users are considered separate. An example of this is PPPoE, which is supported by RouterOS.

  2. If there is any unit of equipment which has the users physically separated (for example, a switch has each of the users connected with a separate wire), it may have an option to preserve this separation further. This is usually called VLAN technology, and although it was supposed to be used to separate networks, it can also be used to form an individual tunnel for each of the users. VLAN support is also present in RouterOS.
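The first path above (a per-user tunnel terminated on the router) as a worked RouterOS configuration. This is an added example, not configuration from the thread or from MikroTik; the interface name `ether2`, the `10.20.0.0/24` pool, the profile/secret names and the user credentials are all assumptions chosen for illustration. Because every user's session ends on the router, any client-to-client packet is routed rather than switched, and the firewall rule at the end can drop it, which is exactly what a plain `forward` rule cannot do on a shared Ethernet segment.

```routeros
# Added example (not from the thread): one PPPoE session per user in place of
# a shared broadcast domain. All names and addresses below are assumptions.

# Address pool handed to PPPoE clients; the router side is the fixed local-address.
/ip pool add name=pppoe-pool ranges=10.20.0.2-10.20.0.254

# Profile used by every hotspot user: one concurrent session per account.
/ppp profile add name=isolated-users local-address=10.20.0.1 \
    remote-address=pppoe-pool only-one=yes

# PPPoE server on the interface that faces the clients (assumed ether2).
# one-session-per-host=yes refuses a second session from the same MAC.
/interface pppoe-server server add service-name=hotspot interface=ether2 \
    default-profile=isolated-users one-session-per-host=yes disabled=no

# Example user accounts (assumed credentials); a RADIUS server could replace these.
/ppp secret add name=user1 password=ChangeMe1 service=pppoe profile=isolated-users
/ppp secret add name=user2 password=ChangeMe2 service=pppoe profile=isolated-users

# Every packet between two clients now traverses the router, so it can be
# dropped here. Place this rule above any general accept in chain=forward.
/ip firewall filter add chain=forward src-address=10.20.0.0/24 \
    dst-address=10.20.0.0/24 action=drop \
    comment="no client-to-client traffic between PPPoE users"
```

Note that this replaces the hotspot web login with PPPoE authentication for the users it covers; the isolation comes from the session itself, so the firewall rule is only needed if you want to block routed traffic between sessions as well.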

I am using hotspot to authenticate all of my users. I have the following setup:

MT – 5 port switch – (3) Smartbridge APs

I have disabled the client-to-client communications directly in the APs, but this does not prevent a client of one AP from communicating with a user of another.

How can I isolate all of the users? Can I use VLANs? How would that be implemented? VLAN switch? As long as I can isolate communications from AP to AP, then all of the users would be isolated.

Thoughts??? Thanks

Hi ilero,

VLAN on the switch is your friend. Put each of the three airpoints in its own VLAN and the MT on the uplink port (all three VLANs).
So every airpoint can communicate with the MT but not with the other airpoints.


seandsl
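The VLAN-per-AP layout from the answer above, written out as a RouterOS configuration. This is an added example, not configuration from the thread or from MikroTik; the uplink name `ether2`, the VLAN IDs 10/20/30, the `10.10.x.0/24` subnets and the hotspot/DHCP names are assumptions. It also assumes the switch is configured (in the switch vendor's own syntax, not shown) so that each AP port is an untagged member of one VLAN and the MT port carries all three VLANs tagged. The last rule shows the practical payoff: once the APs sit in separate VLANs, AP-to-AP traffic must be routed by the MT, so the earlier `forward`-chain drop idea now actually works for traffic between APs. Clients on the same AP still rely on the AP's own client-isolation setting.

```routeros
# Added example (not from the thread): one VLAN per AP on the MT uplink,
# one hotspot instance per VLAN. Names, IDs and subnets are assumptions.

# Tagged sub-interfaces on the trunk port that faces the switch (assumed ether2).
/interface vlan add name=vlan10-ap1 vlan-id=10 interface=ether2
/interface vlan add name=vlan20-ap2 vlan-id=20 interface=ether2
/interface vlan add name=vlan30-ap3 vlan-id=30 interface=ether2

# One gateway address per VLAN; clients of different APs are in different subnets.
/ip address add address=10.10.10.1/24 interface=vlan10-ap1
/ip address add address=10.10.20.1/24 interface=vlan20-ap2
/ip address add address=10.10.30.1/24 interface=vlan30-ap3

# Address pools shared by DHCP and the hotspot on each VLAN.
/ip pool add name=hs-pool10 ranges=10.10.10.2-10.10.10.254
/ip pool add name=hs-pool20 ranges=10.10.20.2-10.10.20.254
/ip pool add name=hs-pool30 ranges=10.10.30.2-10.10.30.254

# DHCP per VLAN (the hotspot setup wizard would create these; done by hand here).
/ip dhcp-server network add address=10.10.10.0/24 gateway=10.10.10.1
/ip dhcp-server network add address=10.10.20.0/24 gateway=10.10.20.1
/ip dhcp-server network add address=10.10.30.0/24 gateway=10.10.30.1
/ip dhcp-server add name=dhcp-ap1 interface=vlan10-ap1 address-pool=hs-pool10 disabled=no
/ip dhcp-server add name=dhcp-ap2 interface=vlan20-ap2 address-pool=hs-pool20 disabled=no
/ip dhcp-server add name=dhcp-ap3 interface=vlan30-ap3 address-pool=hs-pool30 disabled=no

# One hotspot profile, one hotspot instance per VLAN interface.
/ip hotspot profile add name=hs-isolated login-by=http-chap
/ip hotspot add name=hs-ap1 interface=vlan10-ap1 address-pool=hs-pool10 profile=hs-isolated disabled=no
/ip hotspot add name=hs-ap2 interface=vlan20-ap2 address-pool=hs-pool20 profile=hs-isolated disabled=no
/ip hotspot add name=hs-ap3 interface=vlan30-ap3 address-pool=hs-pool30 profile=hs-isolated disabled=no

# AP-to-AP traffic is now routed through the MT, so it can be dropped.
# Keep this above any general accept rule in chain=forward.
/ip firewall filter add chain=forward src-address=10.10.0.0/16 \
    dst-address=10.10.0.0/16 action=drop \
    comment="no hotspot client to hotspot client traffic between APs"
```

Quick check after applying this: from a client on AP1, ping the gateway of AP2 (assumed 10.10.20.1) and a client on AP2; the gateway should answer (it is the router's own address, reached via `input`, not `forward`) while the other client should not. If the other client does answer, the switch ports are not really separated into VLANs and the traffic never reached the MT.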

To isolate one client from another on Ethernet and wireless interfaces (with Hotspot running), I’m using Universal Client with “Respond to all ARP queries” turned on. MT responds to all ARP queries, making client-to-client traffic impossible.