spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Users of hotspot communicating while DefaultForwarding=OFF??

Wed May 25, 2005 3:03 pm

I have this kind of situation:

I have one omni antenna and one Prism wireless card with a hotspot running on the wireless interface...

The hotspot has many users (> 70), so I switched interface>wireless>DEFAULT FORWARDING to OFF so users cannot communicate with each other.
They can only 'talk' to the router.

This works fine, but I have 2 users that want to be able to communicate!!!
And they also want no other users to be able to 'see' them!!!

How can I do this?

If I switch on default forwarding only for these 2 users, will other users be able to see them or not????

Is it possible to leave DEFAULT FORWARDING = OFF and add some custom rules to firewall>forwarding so only these 2 users can 'talk' directly and others cannot see them or 'talk' to them???

Please help!!!
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Wed May 25, 2005 6:41 pm

Well, I think you have 2 choices:

1. Make use of the access-list under /interface wireless. Set default-forwarding=on for the wireless interface and add wireless stations with the needed default-forwarding ON or OFF under /interface wireless access-list.

2. Think as a salesman ;-). Configure a VPN server and sell VPN service to customers who need to communicate with each other.

Regards
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Wed May 25, 2005 8:07 pm

Think as a salesman ;-). Configure a VPN server and sell VPN service to customers who need to communicate with each other. Regards
Nice advice :)

If you need a job, let me know ;)

Cheers...
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Thu May 26, 2005 3:11 pm

Is there a way to make a VPN server/network on MikroTik???
On the same Prism wireless interface where the hotspot is running???
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Thu May 26, 2005 3:46 pm

Is there a way to make a VPN server/network on MikroTik???
On the same Prism wireless interface where the hotspot is running???
Yes, PPTP or L2TP for example.
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Thu May 26, 2005 5:02 pm

I unchecked DEFAULT FORWARDING in wireless wLan1 but clients can still communicate with each other... Why?
Is it a 2.9rc4 bug?

10x
 
djape
Member
Posts: 465
Joined: Sat Nov 06, 2004 7:54 pm
Location: Serbia

Thu May 26, 2005 5:45 pm

Cause most probably you didn't uncheck it for the particular user. This is the default; now you need to uncheck it for each user you don't want to communicate!
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Thu May 26, 2005 6:26 pm

I have default forwarding ON on the wireless interface.
Each user in the connect list has default forwarding OFF (unchecked)..

Users can share!
I don't understand the procedure?
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Thu May 26, 2005 7:04 pm

I have the same problem...
Each user is added to the ACCESS LIST and has default-forwarding set to NO,
and still I can access their computers via pure Microsoft file sharing...

I go to MY NETWORK PLACES and SEARCH NETWORK COMPUTERS and
I can find other users and then enter their shared folders...

Any ideas how to stop this..?
 
spavkov
newbie
Topic Author
Posts: 39
Joined: Mon Sep 06, 2004 11:23 am

Thu May 26, 2005 7:38 pm

Here is the solution:

You must put a rule in IP>FIREWALL>FORWARD
to forbid all packets going from the WLAN interface to the WLAN interface,
excluding the router IP...

For example, if your hotspot wireless network is
10.5.50.*

then the rule would be (if your MT router is on 10.5.50.1):

src-address=!10.5.50.1/32 in-interface=wlan1 dst-address=!10.5.50.1/32
out-interface=wlan1 action=drop

This solves the problem and nobody can 'see' anybody except the router!!!

It's logical, but why does DEFAULT FORWARDING exist if it does not work???
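
As an added example, not part of the original post: a small Python model of the forward rule above, run over constructed packets. It goes one step beyond the post by placing a hypothetical accept exception for two clients ahead of the drop rule; the client addresses, `ether1` and `ether2` are made up, and first-match evaluation with unmatched traffic accepted is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    in_if: str
    out_if: str

@dataclass(frozen=True)
class Rule:
    src: str        # a leading "!" negates the match, as in the post's rule
    dst: str
    in_if: str
    out_if: str
    action: str

    @staticmethod
    def _addr_match(spec, value):
        negated = spec.startswith("!")
        inside = ip_address(value) in ip_network(spec.lstrip("!"))
        return inside != negated

    def matches(self, p):
        return (p.in_if == self.in_if and p.out_if == self.out_if
                and self._addr_match(self.src, p.src)
                and self._addr_match(self.dst, p.dst))

def verdict(packet, rules):
    """First matching rule decides; unmatched traffic is accepted (assumed default)."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "accept"

# The drop rule with the matchers given in the post.
ISOLATE = Rule("!10.5.50.1/32", "!10.5.50.1/32", "wlan1", "wlan1", "drop")

# Hypothetical exception for two clients (constructed addresses), both directions.
A, B = "10.5.50.20", "10.5.50.31"
PAIR = [Rule(A + "/32", B + "/32", "wlan1", "wlan1", "accept"),
        Rule(B + "/32", A + "/32", "wlan1", "wlan1", "accept")]

def sample_verdicts():
    """Verdicts for constructed packets with the exception placed before the drop."""
    rules = PAIR + [ISOLATE]
    return {
        "pair": verdict(Packet(A, B, "wlan1", "wlan1"), rules),
        "other_to_pair": verdict(Packet("10.5.50.77", A, "wlan1", "wlan1"), rules),
        "client_to_router": verdict(Packet("10.5.50.77", "10.5.50.1", "wlan1", "wlan1"), rules),
        "client_to_wan": verdict(Packet("10.5.50.77", "198.51.100.7", "wlan1", "ether1"), rules),
        "on_ether2": verdict(Packet("10.5.50.77", A, "ether2", "ether2"), rules),
    }
```

The model only covers packets that reach the router's forward chain and match the interface names in the rule; the `on_ether2` case shows that the rule as written has no effect on traffic seen on a different interface.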
 
OrCAD
Member Candidate
Posts: 133
Joined: Wed Apr 20, 2005 12:37 pm

Thu May 26, 2005 7:59 pm

Oki, this solution works perfectly, many thanks..... but default forwarding does not work properly.... solved in 2.9rc5?
OrCAD
 
mykrosoftz
just joined
Posts: 24
Joined: Tue Feb 22, 2005 11:10 pm

How do I do this using an external AP?

Mon Jun 06, 2005 3:25 am

Is there a simple way to do this.... like a simple DEFAULT FORWARDING but for the ethernet interface? Default forwarding works fine only on the wireless card, but sometimes I use an external AP.
 
infomate
Member Candidate
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Mon Jun 06, 2005 4:15 am

Hi guys!

I've been trying to solve the same problem you have. I have an ethernet hotspot gateway connected to an external AP.

I have tried to do the router IP isolation as suggested above (!10.5.50.1/32) but the clients can still access each other.

I have tried the following solution, but it still needs further testing and packet monitoring.

I've placed additional rules in /ip firewall rule forward, drop all traffic from UDP port 137 - 138 and TCP port 139. Same rules in /ip firewall hotspot-temp.

If any of you guys have a better way of doing this, please post your solution.

Thanks.
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Mon Jun 06, 2005 9:03 am

If any of you guys have a better way of doing this, please post your solution.
Use switches with port-based VLANs. Connect customers/segments to isolated ports. Place MikroTik bridges with many ethernets at cross points of your network and manage.
 
mykrosoftz
just joined
Posts: 24
Joined: Tue Feb 22, 2005 11:10 pm

another damage

Fri Jun 10, 2005 12:52 am

Another damage of clients seeing clients is a virus attack. I have an AP with more than 100 clients that used to hang several times in a day frame. It took me almost 3 weeks to figure out that several clients were contaminated with a Sasser-style virus (trying to replicate by scanning ports). This type of scanning can destroy bandwidth and put a lot of stress on the MikroTik box. I have not yet found an easy solution to the problem. I think MikroTik should have a single-click solution for this (client seeing client).
