"default forwarding" on wlan is something different:
- data from one wlan client to another (on the same wlan interface) passes directly through the wlan interface. It does not leave the interface (the interface behaves almost as if it had an internal bridge)
It looks like this:
client1 --- wlan1 --- client2
- data from one wlan client to another must go through master interface (typically bridge), where you can apply filter/nat rules.
It looks for example like this:
client1 --- wlan1 --- bridge1 --- wlan1 --- client2
If you want to prevent clients from talking to each other, you must first disable default forwarding (so data can't go straight through wlan) and then you must disable this on the bridge as well.
For example, one of my configs:
/interface bridge filter
add action=drop chain=forward in-bridge=bridge-guest in-interface=!eoip-guest-uplink out-bridge=bridge-guest out-interface=!eoip-guest-uplink
It prevents any frames from being forwarded within the guest bridge, unless they go from/to the uplink eoip.
I know this config is funny. Usually you would do a guest vlan, but that's impossible in my case - this company has some ancient switches which block vlans... no way to convince them to buy new ones. IP based tunnel is the only choice.
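The two steps described in the post, put together as an added example (not the poster's own configuration). It assumes the `/interface wireless` menu, a guest AP interface named wlan1 that is a port of bridge-guest, and an already existing eoip-guest-uplink tunnel; the port assignments and the comment text are assumptions, the filter rule is the one quoted above.

```routeros
# Step 1: stop the AP from relaying frames between its own clients,
# so client-to-client traffic can no longer stay inside wlan1.
/interface wireless
set wlan1 default-forwarding=no

# Assumed topology: the guest AP and the EoIP uplink are ports of the guest bridge.
/interface bridge port
add bridge=bridge-guest interface=wlan1
add bridge=bridge-guest interface=eoip-guest-uplink

# Step 2: drop every frame forwarded inside the guest bridge unless it
# enters from or leaves through the uplink tunnel.
/interface bridge filter
add action=drop chain=forward in-bridge=bridge-guest in-interface=!eoip-guest-uplink out-bridge=bridge-guest out-interface=!eoip-guest-uplink comment="guest client isolation"

# Check that both settings are in place.
/interface wireless print detail where name=wlan1
/interface bridge filter print
```

If more than one wlan interface is a port of bridge-guest, step 1 has to be repeated for each of them; the single bridge filter rule already covers traffic between different guest ports.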