Sorry, I'm really new to this and having many problems with a Mikrotik RB2011UiAS which I can't configure as I need. Anyway, I'm trying to tackle one problem at a time.
Also, my technician did most of the setup but some problems still remain. Please talk to me like I'm 12 (in RouterOS I might even be six years old..).
So the setup:
1 RB2011UiAS connected to an Archer D2, which is connected to a DSL line.
On the Mikrotik there are two Nanostation M2s working as APs for 2.4 GHz devices (laptops, smartphones etc.; AirMAX off, 20 MHz).
The Nanostations are in bridge mode.
The Mikrotik is 192.168.1.10 (ether1) towards the Archer D2 and 192.168.20.1 towards the Nanostations.
Nanostation 1 is 192.168.20.2 on ether3 and Nanostation 2 is 192.168.20.3 on ether4.
On each Nanostation client isolation is ON.
What happens is that each client (of a Nanostation) can't see the other clients on the same Nanostation (as it should),
BUT in a scan (for example with Fing for Android) it can see 192.168.20.1, 192.168.20.2, 192.168.20.3 AND all the clients on the other Nanostation…
Question: is there any way that each client on either Nanostation can see only itself and its gateway?
(A trick tried by someone who knows more than me, with "add ARP for leases" in the DHCP server and something else that I don't remember, resulted in the clients indeed seeing only themselves (not the gateway) in a scan, BUT some clients (Android devices) also could not get internet connectivity at all.)
I understand that what I'm asking might be impossible, since all I want is to replicate the client isolation of the Nanostation (only the client and the gateway can be seen). If so then I might have the wrong equipment.
Err.. no.. the Nanostations are plugged into Eth3 and Eth4 of the RB2011UiAS.
So it can’t be done on the Mikrotik then..
(Previously I had them (the M2s) working as routers and doing all the work, even with a big list of firewall rules to allow only basic surfing, OpenDNS etc. I never had a problem with client isolation in the 3 years I have had them up. The only thing I was missing was some traffic shaping per client, which is why I turned to the Mikrotik after suggestions. It can do a lot of stuff, but unfortunately not what I wanted.. From a really basic user's point of view, and from what I read, they are like a spaceship that can take you to the moon. Given to you in parts in a plastic bag. With assembly instructions from IKEA.
Guess I'll have to return it..)
I tried this
/ip firewall filter
add action=drop chain=forward in-interface=ether3 out-interface=ether4
add action=drop chain=forward in-interface=ether4 out-interface=ether3
# note: these rules only match routed packets; frames bridged between ether3 and ether4 never pass the IP firewall forward chain unless the bridge's use-ip-firewall setting is enabled
but
Sorry, you mean that?
Obviously there is more than one way to do it.. as I said in my first post, I'm Mikrotik illiterate.
You do mean the following, don't you?
My Nanos are on ether3 and ether4.
Yep. That's what he means. It's very simple to do and lets your LAN bridge use fastpath, whereas bridge filters disable fastpath.
Essentially, what horizon does is say that if a packet is received on a port with a horizon value (you set horizon=1), then it may not leave the bridge on any other port with that same horizon value.
So all horizon=1 ports are blocked from talking to each other, but they can talk to ports with any other horizon value (and to ports without a horizon).
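The horizon setup described above as a worked RouterOS example (added here, not taken from the thread); it assumes the LAN bridge that carries 192.168.20.1 is named bridge1 and that ether3 and ether4 are already ports of it, so adjust the names to your own config.

```routeros
# Added example, not from the thread. Assumes the LAN bridge is "bridge1"
# and ether3 / ether4 (the two Nanostation uplinks) are already its ports.

# Before: neither port has a horizon, so the bridge forwards frames from
# ether3 to ether4 and a client on Nano 1 can scan the clients on Nano 2.
/interface bridge port print

# After: give both Nanostation ports the same horizon value. A frame that
# enters on a horizon=1 port is never forwarded or flooded out another
# horizon=1 port. The bridge interface itself (192.168.20.1) is not a
# port, so DHCP, DNS and the default gateway keep working for every client.
/interface bridge port set [find interface=ether3] horizon=1
/interface bridge port set [find interface=ether4] horizon=1

# Verify: the HORIZON column should now show 1 for both ether3 and ether4.
/interface bridge port print

# Check that no bridge filter rules are present; those are what disable
# fastpath, the horizon setting does not.
/interface bridge filter print
```

Client isolation on each Nanostation still handles clients of the same AP; the horizon only stops the Mikrotik from bridging frames between the two APs.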