I have one Omni antenna and one prism wireless card with hotspot running on wireless interface…
Hotspot has many users (> 70) so I switched interface>wireless>DEFAULT FORWARDING to OFF so users cannot communicate between each other.
They can only ‘talk’ to the router.
This works fine, but I have 2 users that want to be able to communicate!!!
And also they want that no other users could ‘see’ them!!!
How can I make this?
If I switch on default forwarding only for these 2 users, will other users be able to see them or not???
Is it possible that I leave DEFAULT FORWARDING = OFF and add some custom rules to the firewall>forwarding so only these 2 users can ‘talk’ directly and that others cannot see them or ‘talk’ to them???
Make use of access-list under /interface wireless. Set default-forwarding=on for wireless interface and add wireless stations with needed default-forwarding ON or OFF under /interface wireless access-list.
Think as a salesman ;-). Configure VPN server and sell VPN service to customers who need to communicate with each other.
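A sketch of the access-list approach from the reply above, for the case the original question asks about (default forwarding off, two stations allowed). It is an added example, not part of any post in this thread. The interface name `wlan1` and both MAC addresses are placeholders, and the command names follow RouterOS 2.9 and later, which is an assumption because the thread does not state a version.

```routeros
# Constructed example: wlan1 and the MAC addresses are placeholders.
# Keep client-to-client forwarding off for every station by default.
/interface wireless set wlan1 default-forwarding=no

# Per-station override for the two clients that must reach each other.
/interface wireless access-list
add interface=wlan1 mac-address=00:00:5E:00:53:01 forwarding=yes \
    authentication=yes comment="station A (placeholder MAC)"
add interface=wlan1 mac-address=00:00:5E:00:53:02 forwarding=yes \
    authentication=yes comment="station B (placeholder MAC)"

# Review the entries and the stations currently associated.
/interface wireless access-list print
/interface wireless registration-table print
```

The `forwarding` setting governs frames a station sends, so stations A and B can transmit to other wireless clients while clients left at the default cannot send frames to them. It applies only to stations associated with this wireless interface, not to clients behind an external AP.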
I have the same problem…
Each user is added to ACCESS LIST and has default-forwarding set to NO
and still I can access their computers via pure Microsoft file sharing…
I go to MY NETWORK PLACES and SEARCH NETWORK COMPUTERS and
I can find other users and then enter their shared folders…
Is there a simple way to do this… like a simple DEFAULT FORWARDING but for the ethernet interface? Default forwarding works fine only on the wireless card but sometimes I use an external AP.
I've been trying to solve the same problem you have. I have an ethernet hotspot gateway connected to an external AP.
I have tried to do the router IP isolation as suggested above (!10.5.50.1/32) but the clients can still access each other.
I have tried the following solution, but it still needs further testing and packet monitoring.
I've placed additional rules in /ip firewall rule forward, drop all traffic from UDP port 137 - 138 and TCP port 139. Same rules in /ip firewall hotspot-temp.
If any of you guys has a better way of doing this please post your solution.
Use switches with port-based VLANs. Connect customers/segments to isolated ports. Place MikroTik bridges with many ethernets at cross points of your network and manage.
Another damage of clients seeing clients is a virus attack. I have an AP with more than 100 clients that used to hang several times in a day frame. Took me almost 3 weeks to figure out that several clients were contaminated with a Sasser-style virus (trying to replicate by scanning ports). This type of scanning can destroy bandwidth and put a lot of stress on the MikroTik box. I have not yet found an easy solution to the problem. I think MikroTik should have a single-click solution for this (client seeing client).