We use an RB433AH with three R52H radio cards.
The Internet is connected to the router board through ether1.
The Internet is bridged to the three radio cards.
What should I do to prevent users on the three radio cards from communicating with each other?
Note:
I know that to prevent communication between users on one radio card, the Forwarding option should be disabled.
You need to use bridge split horizon.
Kind regards,
Jorge
You can also use the firewall to block connections from one address range to the other, and vice versa.
How can broute be used for client isolation in bridge mode?
/interface bridge broute
Please give an example.
/interface bridge filter
add action=accept chain=forward comment="" disabled=no dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no dst-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF in-interface=wlan1 out-interface=vlan30
add action=accept chain=forward comment="" disabled=no in-interface=vlan30 out-interface=wlan1 src-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan1 jump-target=logdrop \
    out-interface=vlan30
add action=jump chain=forward comment="" disabled=no in-interface=vlan30 jump-target=logdrop out-interface=wlan1 src-mac-address=\
    00:00:00:00:00:00/00:00:00:00:00:00
add action=log chain=logdrop comment="" disabled=no log-prefix=""
add action=drop chain=logdrop comment="" disabled=no
This seems to work for me so far. vlan30 is a vlan on ether1 of an RB411AR. There are 4 APs and each has a public wlan interface wlan1 (wlan2,3,4 are private SSIDs and do forward client-client) with default forward turned off. The 02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF is the MAC of the default gateway of a VLAN on an RB450G.
In basic testing, this works fine. YMMV
PS: All 4 APs on the public SSID share the same subnet so they can roam between APs after authenticating.
Thanks roadracer96.
I have 2 questions:
1- Is the top config for interface bridge for 1 AP or for 4 APs?
2- What did you mean by the VLAN?
The 02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF is the MAC of the default gateway of a VLAN on an RB450G
I bridge ether1 with wlan1, wlan2, wlan3.
Here is a quick-o network diagram.
DSL Modem ↔ RB450G ↔ VLAN10,20,30,40,50 to managed switch over one port ↔ port 21,22,23,34 on Managed switch to 4 RB411ARs
VLAN10,20,40,50 are private, encrypted networks that forward client-client so of no concern.
vlan30 runs the hotspot network. vlan30 on AP1,AP2,AP3,AP4 are all on the same L2 network segment and same L3 subnet, 10.0.50.1.
On the RB450, the vlan30 interface on ether2 (the port running to the switch) is bridged to a “dummy” bridge called “WiFi” (It makes future changes easier IMHO). The MAC address of the bridge interface is 02:0C:42:59:13:36, which has an IP address of 10.0.50.1 (hotspot gateway).
So on the APs, the vlan30 interface on ether1 is bridged to the wlan1 interface, vlan10 to wlan2, vlan20 to wlan3, etc, etc.
I use the above bridge firewall rules on each of the 4 APs, so right at the AP, before the traffic even gets to the switch, it blocks any ethernet packets with a destination other than 02:0C:42:59:13:36.
Here is the AP's config minus sensitive information. Should be enough to give you the gist…
/interface bridge
add admin-mac=00:0C:42:2D:6A:B5 ageing-time=5m arp=enabled auto-mac=no comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
    name=AlohaLAN priority=0x8000 protocol-mode=stp transmit-hold-count=6
add admin-mac=00:0C:42:2D:6A:B6 ageing-time=5m arp=enabled auto-mac=no comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
    name=Customer priority=0x8000 protocol-mode=stp transmit-hold-count=6
add admin-mac=00:0C:42:2D:6A:B8 ageing-time=5m arp=enabled auto-mac=no comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
    name=WiFi priority=0x8000 protocol-mode=stp transmit-hold-count=6
add admin-mac=00:0C:42:2D:6A:B7 ageing-time=5m arp=enabled auto-mac=no comment="" disabled=no forward-delay=15s l2mtu=1522 max-message-age=20s mtu=1500 \
    name=Phones priority=0x8000 protocol-mode=stp transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes l2mtu=1526 mac-address=00:0C:42:2D:6A:B4 mtu=1500 name=ether1 speed=100Mbps
/interface vlan
add arp=enabled comment="Aloha VLAN" disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=vlan10 use-service-tag=no vlan-id=10
add arp=enabled comment="Customer VLAN" disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=vlan20 use-service-tag=no vlan-id=20
add arp=enabled comment="WiFi VLAN" disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=vlan30 use-service-tag=no vlan-id=30
add arp=enabled comment="IP Phone VLAN" disabled=no interface=ether1 l2mtu=1522 mtu=1500 name=vlan40 use-service-tag=no vlan-id=40
/interface wireless
set 3 ack-timeout=dynamic adaptive-noise-immunity=ap-and-client-mode allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=\
    2.4ghz-b/g basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="Public" compression=no country="united states" \
    default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=no dfs-mode=no-radar-detect disable-running-check=no \
    disabled=no disconnect-timeout=3s frame-lifetime=0 frequency=2412 frequency-mode=regulatory-domain hide-ssid=no hw-fragmentation-threshold=disabled \
    hw-protection-mode=none hw-protection-threshold=0 hw-retries=4 l2mtu=2290 mac-address=00:0C:42:2D:6A:B5 max-station-count=2007 mode=ap-bridge mtu=1500 \
    name=wlan1 noise-floor-threshold=default on-fail-retry-time=100ms periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both \
    proprietary-extensions=post-2.9.25 radio-name=000C422D6AB5 rate-set=default scan-list=default security-profile=default ssid=Public \
    station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wmm-support=enabled
/interface wireless
add area="" arp=enabled comment="POS" default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=yes hide-ssid=no mac-address=02:0C:42:2D:6A:B7 master-interface=wlan1 max-station-count=2007 mtu=1500 name=wlan3 \
    proprietary-extensions=post-2.9.25 security-profile=POS ssid=POS update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=none \
    wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=enabled
add area="" arp=enabled comment=" Office" default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=02:0C:42:2D:6A:B6 master-interface=wlan1 max-station-count=2007 mtu=1500 name=\
    wlan2 proprietary-extensions=post-2.9.25 security-profile=Office ssid=Office update-stats-interval=disabled wds-cost-range=50-150 \
    wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled wmm-support=enabled
add area="" arp=enabled comment=" VOIP" default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes \
    disable-running-check=no disabled=no hide-ssid=no l2mtu=2290 mac-address=02:0C:42:2D:6A:B8 master-interface=wlan1 max-station-count=2007 mtu=1500 name=\
    wlan4 proprietary-extensions=post-2.9.25 security-profile=VOIP ssid=VOIP update-stats-interval=disabled wds-cost-range=0 wds-default-bridge=\
    none wds-default-cost=0 wds-ignore-ssid=no wds-mode=disabled wmm-support=enabled
/interface bridge filter
add action=accept chain=forward comment="" disabled=no dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no dst-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF in-interface=wlan1 out-interface=vlan30
add action=accept chain=forward comment="" disabled=no in-interface=vlan30 out-interface=wlan1 src-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan1 jump-target=logdrop \
    out-interface=vlan30
add action=jump chain=forward comment="" disabled=no in-interface=vlan30 jump-target=logdrop out-interface=wlan1 src-mac-address=\
    00:00:00:00:00:00/00:00:00:00:00:00
add action=log chain=logdrop comment="" disabled=no log-prefix=""
add action=drop chain=logdrop comment="" disabled=no
/interface bridge port
add bridge=AlohaLAN comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan10 path-cost=10 point-to-point=auto priority=0x80
add bridge=AlohaLAN comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=wlan3 path-cost=10 point-to-point=auto priority=0x80
add bridge=Customer comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan20 path-cost=10 point-to-point=auto priority=0x80
add bridge=WiFi comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan30 path-cost=10 point-to-point=auto priority=0x80
add bridge=WiFi comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
add bridge=Phones comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=vlan40 path-cost=10 point-to-point=auto priority=0x80
add bridge=Phones comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=wlan4 path-cost=10 point-to-point=auto priority=0x80
add bridge=Customer comment="" disabled=no edge=auto external-fdb=auto horizon=none interface=wlan2 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes
/ip address
add address=10.16.0.4/28 broadcast=10.16.0.15 comment="" disabled=no interface=ether1 network=10.16.0.0
add address=10.1.1.12/24 broadcast=10.1.1.255 comment="" disabled=no interface=Phones network=10.1.1.0
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.16.0.1 scope=30 target-scope=10
IIRC, the reason I started with the FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF is so DHCP would work. And I was wrong. 4 SSIDs. The 5th VLAN is the native VLAN on the ports for the APs and it is used for management of the APs. The only reason there is a 2nd IP on the Phones bridge is so the AP can talk to the RADIUS server in the Cisco phone system for WEP-RADIUS.
In a nutshell,
/interface bridge filter
add action=accept chain=forward comment="" disabled=no dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no dst-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF in-interface=wlan1 out-interface=vlan30
add action=accept chain=forward comment="" disabled=no in-interface=vlan30 out-interface=wlan1 src-mac-address=02:0C:42:59:13:36/FF:FF:FF:FF:FF:FF
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan1 jump-target=logdrop \
    out-interface=vlan30
add action=jump chain=forward comment="" disabled=no in-interface=vlan30 jump-target=logdrop out-interface=wlan1 src-mac-address=\
    00:00:00:00:00:00/00:00:00:00:00:00
add action=log chain=logdrop comment="" disabled=no log-prefix=""
add action=drop chain=logdrop comment="" disabled=no
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes
is all you need on any AP, replacing the MAC in lines 2 and 3 with your default gateway's MAC and adjusting the in/out interfaces to suit. In the logs, it blocks lots of weird traffic, but it all seems to be some kind of discovery traffic that MACs broadcast and SMB broadcasts from PCs. Otherwise, for hotspot use, the internet is stable and quick.
I bridge ether1 with wlan1, wlan2, wlan3.
We use the PPTP service for clients.
Bridge MAC: 00:11:3B:0E:E7:95 (this is the bridge interface)
ether1 MAC: 00:18:3C:1F:F8:13 (this is the Internet interface)
wlan1 MAC: 00:20:2E:1E:F4:7C (this is the wlan1 interface)
wlan2 MAC: 00:20:2E:1E:F4:8C (this is the wlan2 interface)
wlan3 MAC: 00:20:2E:1E:F4:9C (this is the wlan3 interface)
/interface bridge filter
add action=accept chain=forward comment="" disabled=no dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no dst-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF in-interface=wlan1 out-interface=ether1
add action=accept chain=forward comment="" disabled=no dst-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF in-interface=wlan2 out-interface=ether1
add action=accept chain=forward comment="" disabled=no dst-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF in-interface=wlan3 out-interface=ether1
add action=accept chain=forward comment="" disabled=no in-interface=ether1 out-interface=wlan1 src-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no in-interface=ether1 out-interface=wlan2 src-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF
add action=accept chain=forward comment="" disabled=no in-interface=ether1 out-interface=wlan3 src-mac-address=00:11:3B:0E:E7:95/FF:FF:FF:FF:FF:FF
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan1 jump-target=logdrop \
out-interface=ether1
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan2 jump-target=logdrop \
out-interface=ether1
add action=jump chain=forward comment="" disabled=no dst-mac-address=00:00:00:00:00:00/00:00:00:00:00:00 in-interface=wlan3 jump-target=logdrop \
out-interface=ether1
add action=jump chain=forward comment="" disabled=no in-interface=ether1 jump-target=logdrop out-interface=wlan1 src-mac-address=\
00:00:00:00:00:00/00:00:00:00:00:00
add action=jump chain=forward comment="" disabled=no in-interface=ether1 jump-target=logdrop out-interface=wlan2 src-mac-address=\
00:00:00:00:00:00/00:00:00:00:00:00
add action=jump chain=forward comment="" disabled=no in-interface=ether1 jump-target=logdrop out-interface=wlan3 src-mac-address=\
00:00:00:00:00:00/00:00:00:00:00:00
add action=log chain=logdrop comment="" disabled=no log-prefix=""
add action=drop chain=logdrop comment="" disabled=no
Are the following settings what you have just described?
On your setup you would need rules for each bridge port. I only had to worry about in wlan1 out ether1 and in ether1 out wlan1. You also have to worry about in wlan1, out wlan2, etc, etc.
EDIT: Or a default deny after the accepts.
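To make the gap in the three-SSID rule set above visible before loading it on an AP, here is an added example (not code from the thread or from MikroTik): a small Python model of how a RouterOS bridge filter forward chain is walked, first match wins, an all-zero mask matches any MAC, a user chain that runs out of rules hands control back, and the built-in forward chain falls through to accept. The gateway MAC is the bridge MAC from the post; the client and LAN host MACs and the sample frames are constructed. It evaluates the posted rules and the same rules with a final default deny, which is what the "in wlan1, out wlan2" case needs.

```python
"""Toy first-match evaluator for a RouterOS-style bridge filter forward chain.

Added example (not from the thread): models MAC/mask matching, jump chains
and the built-in chain's default-accept policy, so a rule set can be checked
against constructed frames before it is loaded on an AP.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BCAST = "FF:FF:FF:FF:FF:FF"
GW = "00:11:3B:0E:E7:95"                      # bridge MAC from the post, acting as gateway
ANY = "00:00:00:00:00:00/00:00:00:00:00:00"   # all-zero mask matches every MAC
EXACT = "/FF:FF:FF:FF:FF:FF"                  # full mask: exact match
WLANS = ["wlan1", "wlan2", "wlan3"]

# Constructed client/host MACs for the sample frames (not from the thread).
CLIENT_A = "AA:AA:AA:00:00:01"
CLIENT_B = "AA:AA:AA:00:00:02"
LAN_HOST = "BB:BB:BB:00:00:09"


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)


def mac_match(spec: Optional[str], mac: str) -> bool:
    """spec is 'MAC/MASK' as written in RouterOS; None means any MAC."""
    if spec is None:
        return True
    value, mask = spec.split("/")
    m = mac_to_int(mask)
    return (mac_to_int(value) & m) == (mac_to_int(mac) & m)


@dataclass
class Frame:
    src: str
    dst: str
    in_if: str
    out_if: str


@dataclass
class Rule:
    chain: str
    action: str                      # accept | drop | jump | log
    in_if: Optional[str] = None
    out_if: Optional[str] = None
    src_mac: Optional[str] = None
    dst_mac: Optional[str] = None
    jump_target: Optional[str] = None

    def matches(self, f: Frame) -> bool:
        return ((self.in_if is None or self.in_if == f.in_if)
                and (self.out_if is None or self.out_if == f.out_if)
                and mac_match(self.src_mac, f.src)
                and mac_match(self.dst_mac, f.dst))


def evaluate(rules: List[Rule], f: Frame, chain: str = "forward",
             log: Optional[List[Frame]] = None) -> Optional[str]:
    """Walk one chain in order; the first accept/drop wins. A user chain that
    runs out of rules returns None (control goes back to the caller); the
    built-in forward chain falls through to accept, as RouterOS does."""
    for r in (r for r in rules if r.chain == chain):
        if not r.matches(f):
            continue
        if r.action == "log":            # log is non-terminal: record and go on
            if log is not None:
                log.append(f)
            continue
        if r.action == "jump":
            verdict = evaluate(rules, f, r.jump_target, log)
            if verdict is not None:
                return verdict
            continue
        return r.action                  # accept or drop
    return "accept" if chain == "forward" else None


def posted_rules() -> List[Rule]:
    """The three-SSID rule set posted above, expressed as data."""
    rules = [Rule("forward", "accept", dst_mac=BCAST + EXACT)]
    rules += [Rule("forward", "accept", in_if=w, out_if="ether1", dst_mac=GW + EXACT) for w in WLANS]
    rules += [Rule("forward", "accept", in_if="ether1", out_if=w, src_mac=GW + EXACT) for w in WLANS]
    rules += [Rule("forward", "jump", in_if=w, out_if="ether1", dst_mac=ANY, jump_target="logdrop") for w in WLANS]
    rules += [Rule("forward", "jump", in_if="ether1", out_if=w, src_mac=ANY, jump_target="logdrop") for w in WLANS]
    rules += [Rule("logdrop", "log"), Rule("logdrop", "drop")]
    return rules


def rules_with_default_deny() -> List[Rule]:
    """Same accepts, plus the 'default deny after the accepts' at the end of forward."""
    return posted_rules() + [Rule("forward", "drop")]


SAMPLE_FRAMES = {                                     # constructed test frames
    "client -> gateway": Frame(CLIENT_A, GW, "wlan1", "ether1"),
    "gateway -> client": Frame(GW, CLIENT_A, "ether1", "wlan1"),
    "broadcast (DHCP discover)": Frame(CLIENT_A, BCAST, "wlan1", "ether1"),
    "client -> non-gateway host": Frame(CLIENT_A, LAN_HOST, "wlan1", "ether1"),
    "client -> client, wlan1->wlan2": Frame(CLIENT_A, CLIENT_B, "wlan1", "wlan2"),
}


def check(rules: List[Rule]) -> Dict[str, Optional[str]]:
    return {name: evaluate(rules, f) for name, f in SAMPLE_FRAMES.items()}


if __name__ == "__main__":
    for label, rules in (("posted rules", posted_rules()),
                         ("with default deny", rules_with_default_deny())):
        print(label)
        for name, verdict in check(rules).items():
            print(f"  {name:32} {verdict}")
```

With the posted rules the wlan1 to wlan2 frame matches nothing and falls through to accept, so clients on different SSIDs of the same AP can still reach each other; adding the trailing drop closes that while leaving client-to-gateway, gateway-to-client and broadcast frames accepted. The broadcast accept stays first on purpose, as the thread notes, so DHCP keeps working.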
I was completely confused!
You are, or were…