Wireless Forwarding vs Bridge Firewall and DHCP Snooping

Apologies if that’s a too trivial question, mods please feel free to move it to Beginner Basic.

In a setup where I have two wireless interfaces (mode=ap-bridge) added as ports of the same bridge (dhcp-snooping=yes), I’m confused how default-forwarding=no affects L2 broadcasts, Bridge Firewall and DHCP Snooping:

A_Client_1                       B_Client_1
           ))) A_AP === B_AP (((
A_Client_2                       B_Client_2

  1. If A_Client_1 broadcasts, is it true that only B_Client_1 and B_Client_2 will see it?
  2. If only the B_AP bridge port is configured as trusted, is it true that a rogue DHCP server running on A_Client_1 will be able to spoof A_Client_2 but not B_Client_1 and B_Client_2?
  3. Is it true that Bridge Firewall cannot be made to filter traffic between A_Client_1 and A_Client_2, but only between A_AP and B_AP?
  4. If CAPsMAN is used to bind A_AP and B_AP into a bridge, can the managed forwarding (datapath.local-forwarding=no) be used to Bridge Firewall traffic between wireless clients of the same AP?

It appears that it’s impossible to have an L2 firewall within AP with Mikrotik* and related features such as DHCP snooping are unavailable as well. Therefore:

  1. Yes
  2. Yes
  3. Yes

Still not sure about [4], seems like it should be possible with all client traffic being “extracted” from the AP, but I cannot find a solution yet.
*and with many other vendors for that matter; in fact I only found a single brochure that mentions something like this for a SonicWave
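The setup described in the question, written out as RouterOS CLI (an added example, not configuration from the original post; interface names wlan1 for A_AP and wlan2 for B_AP, the SSIDs and the log prefix are assumed):

```routeros
# Added example, not from the original post. Assumed names: wlan1 = A_AP, wlan2 = B_AP.

# default-forwarding=no: the AP no longer relays frames between its own
# clients, so every client frame is handed to the bridge instead.
/interface wireless
set wlan1 mode=ap-bridge ssid=site-A default-forwarding=no
set wlan2 mode=ap-bridge ssid=site-B default-forwarding=no

# One bridge with DHCP snooping. Only the B_AP port is trusted, so DHCP
# server messages (OFFER/ACK) arriving on the A_AP port are discarded.
/interface bridge
add name=bridge1 dhcp-snooping=yes
/interface bridge port
add bridge=bridge1 interface=wlan1 trusted=no
add bridge=bridge1 interface=wlan2 trusted=yes

# Bridge firewall rules match on bridge ports, i.e. on frames passing
# between A_AP and B_AP; this pair simply logs IP traffic in each direction.
/interface bridge filter
add chain=forward in-interface=wlan1 out-interface=wlan2 mac-protocol=ip \
    action=log log-prefix="A->B"
add chain=forward in-interface=wlan2 out-interface=wlan1 mac-protocol=ip \
    action=log log-prefix="B->A"
```

Check the effect with `/interface bridge filter print stats` and `/log print where message~"A->B"`: counters only move for frames that actually crossed the bridge between the two AP ports.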