Will the ‘protect lan’ setting in the webbox under firewall prevent clients from being able to see other registered clients’ shared printers/files etc. on a bridged network?
Traffic between hosts on a local network behind a firewall is between the hosts directly, and does not flow through the firewall. Therefore the firewall cannot block it. If the traffic flows through the firewall because it’s bridged through the firewall (one segment is on one port, a second segment is on another port, the two ports are bridged together) you can stop traffic between the segments, but traffic contained within a segment still talks directly and cannot be blocked.
Hmmm, the goal is to have a bridged network with wireless clients connecting to an AP, but we don’t want them to be able to discover another client’s printers or open shares.
Our DSL equipment has this ability even though everyone is on the same ‘lan’, but I haven’t figured out how to make our wireless network more secure in this way.
How would you recommend I accomplish my goal?
In a wireless network users connect through the AP, so you can filter on the AP.
I have no idea how your DSL equipment gets involved in wired LAN traffic.
No prob. I don’t know much about it either, just that it is a switch with a very similar title.
I’ll read up on filtering at the ap and post back.
Many thanks.
So I haven’t figured out how to filter at the AP to keep client radios connected to the same AP from ‘seeing’ each other as if they were on a local area network (finding printers, shared files, LAN sorts of things). Isolation, in a sense: allowing clients to only look upstream vs. seeing other clients.
At this point clients are added to an access list but the only thing I am doing there is rate control. Each client pulls down a public ip from our dhcp pool.
Confession: I have not tested radios to see if they can discover each other or not. I am just presuming that two clients on a straight bridge connected to the same AP can see each other. Can anyone else give me feedback as to whether this is the case or not?
Scenario is: 900 AP with clients connected via bridge; nstreme and WDS are being used. Clients grab public IPs from the IP pool on the gateway router.
thanks in advance
What kind of access points are you using?
If they are MikroTiks, you should be able to prevent that by disabling default forwarding under the wireless setting.
If it’s another manufacturer, it’s going to depend on what they do or don’t support. A lot of APs have a “Station Separation” mode available, usually under the SSID settings, but it’s up to the manufacturer to have something like that implemented. Also, as a note, this only prevents one user from talking to another through the access point; it does not and cannot prevent someone from sniffing wireless traffic.
I am using MikroTik.
I will disable that setting and see how things go. Many thanks. I suspect that is exactly what I’m looking for.
I disabled default forwarding.
I am using WDS currently. It has been recommended here and there in the forum not to use WDS unless needed for specific applications (micro ISP setup where 10 people want service but only one can get a signal, so create a mini client/AP back-to-back setup to serve the other nine).
Also I’ve read that WDS uses more overhead.
The big thing I’ve read is that disabling default forwarding doesn’t work on WDS but does in pseudo.
Can anyone confirm the above?
What about setting the firewall on the client CPE to prevent access from the external wireless network? Input drop (excluding the admin IP) and forward filters?
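For reference, here is what the two approaches discussed in this thread look like in RouterOS: the AP-side default-forwarding setting and a CPE-side input/forward firewall. This is an added configuration example, not something posted in the thread; the interface names wlan1/ether1, the admin address 192.0.2.10 and the MAC address are assumptions/placeholders.

```routeros
# --- AP side: stop station-to-station forwarding through the AP ---
# Assumed interface name: wlan1. With default-forwarding=no the AP no
# longer relays frames between its own registered stations, so one
# client cannot reach another client's shares or printers via the AP.
/interface wireless set wlan1 default-forwarding=no

# Per-client override: an access-list entry with forwarding=no pins the
# behaviour for that MAC even if default-forwarding is later re-enabled.
# The MAC below is a constructed placeholder.
/interface wireless access-list add interface=wlan1 \
    mac-address=00:00:5E:00:53:01 forwarding=no comment="isolated client"

# --- CPE side: local firewall on the station (defence in depth) ---
# Assumed: wlan1 faces the ISP's wireless network, ether1 faces the
# customer's LAN, 192.0.2.10 is the constructed admin address.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to the CPE's own traffic"
add chain=input in-interface=wlan1 src-address=192.0.2.10 action=accept \
    comment="management only from the admin address"
add chain=input in-interface=wlan1 action=drop \
    comment="no other host on the wireless side may talk to the CPE"

add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=wlan1 out-interface=ether1 \
    connection-state=new action=drop \
    comment="unsolicited connections from the wireless side into the LAN"

# Caveat: if the CPE bridges wlan1 and ether1, bridged frames bypass
# /ip firewall filter unless the bridge is told to pass them through it.
/interface bridge settings set use-ip-firewall=yes
```

The AP-side rule only governs what the AP relays; as noted earlier in the thread, it does nothing against passive sniffing of the radio link.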