Check DHCP-server>>>Network, netmask set to 32. Your users can connect to the internet but your clients can't share anything. Be careful: if you have an IP camera/CCTV you must set destination to the IP camera/CCTV, don't set queue (or in mangle mark ! ip cctvH2,64/ipcamera). Sorry for my English.
That does squat to prevent clients from being able to "see" each other on the network. That just requires an extra step on their part to get around it at best, giving themselves a static IP with a large enough subnet and they can scan the network again and see the other hosts there. The host can also change their IP address to that of the gateway and mess up the entire network. What you are suggesting offers no real security at all.
If you want to isolate your security system from the guest network, it requires a bit more of a complicated setup. The best way to do this is, as was suggested, to put the security system on a different subnet and routed interface. If they all have to go into the same interface of the router, VLANs are designed specifically for that kind of situation. They allow you to set up logical divisions within the same hardware so they act like separate layer 2 networks.
If you want to isolate end users from each other as well, set up client isolation on the access points and port isolation on the switch ports the access points connect to. Then no matter what settings someone places on their machine, they will not be able to scan and find other hosts on the network over it or affect anyone else on the network. It doesn't prevent them from sniffing wireless traffic, but it does prevent them from being able to directly access other people's computers. This requires an investment in hardware that is capable of these functions; an unmanaged switch will not help you, and you need to specifically check if your access points support client isolation, but it is well worth it for management and control.
Have you tried scanning IPs with netmask 32? I'm sure all hotspot clients with DHCP server-Network_Netmask 32 can't scan IP/MAC addresses (program IP scanner or netcut).
My MikroTik configuration:
ether 1-4 bridge name bridge=hotspot
/ip address 184.108.40.206/24 interface=hotspot
dhcp server interface hotspot>>>network>>netmask 32
pppoe-client name=speedy interface=5
/ip firewall nat chain:srcnat src-address=220.127.116.11-18.104.22.168 out-interface=speedy action=masquerade
My access points (3 pcs) IP 22.214.171.124,126.96.36.199,188.8.131.52 (without any encryption or any settings, just AP mode)
I've had this setup for 1.5 years & it works fine.
If some people manually set IP, gateway & DNS... if they don't have a username-password they can't access the internet. But in the hotspot hosts it shows the manually set IP to addresses (will get IP firewall NAT of my configuration). If you don't believe it, just try.
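Added example, not part of any post in this thread: the disagreement above is whether clients keep the /32 netmask that DHCP hands out, and this sketch checks that from ARP traffic seen on the bridge, flagging MACs that resolve several peers directly and MACs that speak as the gateway address. It assumes a client honouring a /32 lease only ever ARPs for the gateway; the record format, addresses, MACs and threshold are all constructed for illustration.

```python
from collections import defaultdict
from ipaddress import ip_address

# All values below are constructed for illustration (RFC 5737 addresses).
GATEWAY_IP = ip_address("192.0.2.1")
GATEWAY_MAC = "02:00:00:00:00:01"
PEER_THRESHOLD = 3  # hypothetical: distinct peer targets before flagging

# Constructed ARP observations: (operation, sender MAC, sender IP, target IP)
SAMPLE_ARP = [
    ("request", "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),   # honours /32
    ("request", "02:00:00:00:00:0a", "192.0.2.10", "192.0.2.1"),
    ("request", "02:00:00:00:00:0b", "192.0.2.11", "192.0.2.10"),  # static wide mask
    ("request", "02:00:00:00:00:0b", "192.0.2.11", "192.0.2.12"),
    ("request", "02:00:00:00:00:0b", "192.0.2.11", "192.0.2.13"),
    ("request", "02:00:00:00:00:0d", "192.0.2.13", "192.0.2.10"),  # single peer lookup
    ("request", "02:00:00:00:00:0d", "0.0.0.0", "192.0.2.13"),     # address probe
    ("reply",   "02:00:00:00:00:0c", "192.0.2.1", "192.0.2.10"),   # claims gateway IP
    ("request", "02:00:00:00:00:01", "192.0.2.1", "192.0.2.10"),   # real gateway
]


def analyse(records, gateway_ip=GATEWAY_IP, gateway_mac=GATEWAY_MAC,
            threshold=PEER_THRESHOLD):
    """Return (peer_resolvers, gateway_claimants) as sorted lists of MACs."""
    peer_targets = defaultdict(set)
    claimants = set()
    for op, mac, sender, target in records:
        sender, target = ip_address(sender), ip_address(target)
        if mac == gateway_mac:
            continue  # the router legitimately resolves every client
        if sender == gateway_ip:
            claimants.add(mac)  # another MAC speaking as the gateway address
            continue
        # Skip address probes (sender 0.0.0.0) and gratuitous ARP (sender == target).
        if op != "request" or sender.is_unspecified or sender == target:
            continue
        if target != gateway_ip:
            peer_targets[mac].add(target)
    resolvers = sorted(m for m, seen in peer_targets.items() if len(seen) >= threshold)
    return resolvers, sorted(claimants)


if __name__ == "__main__":
    resolvers, claimants = analyse(SAMPLE_ARP)
    print("resolving peers directly:", resolvers)
    print("claiming the gateway address:", claimants)
```

With client isolation on the access points and port isolation on the switch, as suggested earlier in the thread, the peer-directed ARP requests would never reach their targets; without it, this kind of check only tells you after the fact that a client stepped outside its lease.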