users of hotspot communicating while DefaultForwarding=OFF??
Posted: Wed May 25, 2005 3:03 pm
by spavkov
I have this kind of situation:
I have one omni antenna and one Prism wireless card with a hotspot running on the wireless interface...
The hotspot has many users (> 70), so I switched interface>wireless>DEFAULT FORWARDING to OFF so users cannot communicate with each other.
They can only 'talk' to the router.
This works fine, but I have 2 users that want to be able to communicate!
And they also want no other users to be able to 'see' them!
How can I do this?
If I switch on default forwarding only for these 2 users, will other users be able to see them or not?
Is it possible to leave DEFAULT FORWARDING = OFF and add some custom rules to firewall>forwarding so only these 2 users can 'talk' directly and others cannot see them or 'talk' to them?
Please help!
Posted: Wed May 25, 2005 6:41 pm
by nhalachev
Well, I think you have 2 choices:
1. Make use of the access-list under /interface wireless. Set default-forwarding=on for the wireless interface and add wireless stations with the needed default-forwarding ON or OFF under /interface wireless access-list.
2. Think as a salesman ;-). Configure a VPN server and sell VPN service to customers who need to communicate with each other.
Regards
Posted: Wed May 25, 2005 8:07 pm
by djape
Think as a salesman. Configure a VPN server and sell VPN service to customers who need to communicate with each other. Regards
Nice advice
If you need job let me know
Cheers...
Posted: Thu May 26, 2005 3:11 pm
by spavkov
Is there a way to make a VPN server/network on Mikrotik?
On the same Prism wireless interface where the hotspot is running?
Posted: Thu May 26, 2005 3:46 pm
by nhalachev
Is there a way to make a VPN server/network on Mikrotik?
On the same Prism wireless interface where the hotspot is running?
Yes, PPTP or L2TP for example.
Posted: Thu May 26, 2005 5:02 pm
by OrCAD
I unchecked DEFAULT FORWARDING in wireless wLan1 but clients still communicate with each other... Why?
Is this a 2.9rc4 bug?
10x
Posted: Thu May 26, 2005 5:45 pm
by djape
Because most probably you didn't uncheck it for the particular user. This is the default; now you need to uncheck each user you don't want to communicate!
Posted: Thu May 26, 2005 6:26 pm
by OrCAD
I have default forwarding ON in the wireless interface.
Each user in the connect list has default forwarding OFF (unchecked)...
Users can share!
I don't understand the procedure?
Posted: Thu May 26, 2005 7:04 pm
by spavkov
I have the same problem...
Each user is added to the ACCESS LIST and has default-forwarding set to NO
and still I can access their computers via pure Microsoft file sharing...
I go to MY NETWORK PLACES and SEARCH NETWORK COMPUTERS and
I can find other users and then enter their shared folders...
Any ideas how to stop this?
Posted: Thu May 26, 2005 7:38 pm
by spavkov
Here is the solution:
You must put a rule in IP>FIREWALL>FORWARD
to forbid all packets going from WLAN interface to WLAN interface,
excluding the router IP...
For example, if your hotspot wireless network is
10.5.50.*
then the rule would be (if your MT router is on 10.5.50.1):
src-address=!10.5.50.1/32 in-interface=wlan1 dst-address=!10.5.50.1/32 out-interface=wlan1 action=drop
This solves the problem and nobody can 'see' anybody except the router!!!
It's logical, but why does DEFAULT FORWARDING exist if it does not work???
Posted: Thu May 26, 2005 7:59 pm
by OrCAD
Okay, this solution works perfectly, many thanks... but default forwarding does not work properly... solved in 2.9rc5?
OrCAD
How do I do this using an external AP?
Posted: Mon Jun 06, 2005 3:25 am
by mykrosoftz
Is there a simple way to do this... like a simple DEFAULT FORWARDING but for the ethernet interface? Default forwarding works fine only on the wireless card, but sometimes I use an external AP.
Posted: Mon Jun 06, 2005 4:15 am
by infomate
Hi guys!
I've been trying to solve the same problem you have. I have an ethernet hotspot gateway connected to an external AP.
I have tried to do the router IP isolation as suggested above (!10.5.50.1/32) but the clients can still access each other.
I have tried the following solution, but it still needs further testing and packet monitoring.
I've placed additional rules in /ip firewall rule forward to drop all traffic from UDP port 137 - 138 and TCP port 139. Same rules in /ip firewall hotspot-temp.
If any of you guys has a better way of doing this, please post your solution.
Thanks.
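An added example (not from any poster, and not RouterOS code): a small Python model of first-match forward filtering that compares the address-based drop rule posted earlier in the thread with the port-only approach described in the post above. The client addresses, the `ether1` uplink name, the `protocol=`/`dst-port=` rule strings and the TCP 445 flow (SMB without NetBIOS) are assumptions added for illustration; the model only covers packets the router itself forwards, so traffic bridged between clients by an external AP never reaches either rule set.

```python
import ipaddress

def parse_rule(text):
    """Parse 'key=value' pairs; a leading '!' on a value negates the match."""
    rule = {}
    for token in text.split():
        key, value = token.split("=", 1)
        rule[key] = (value.startswith("!"), value.lstrip("!"))
    return rule

def field_matches(key, value, pkt):
    if key in ("src-address", "dst-address"):
        return ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(value)
    if key == "dst-port":                      # single port or lo-hi range
        lo, _, hi = value.partition("-")
        return int(lo) <= pkt["dst-port"] <= int(hi or lo)
    return pkt[key] == value                   # interface names, protocol

def verdict(rules, pkt):
    """First matching rule decides; a packet matching no rule is accepted."""
    for rule in rules:
        conds = {k: v for k, v in rule.items() if k != "action"}
        if all(field_matches(k, val, pkt) != neg for k, (neg, val) in conds.items()):
            return rule["action"][1]
    return "accept"

# The rule from the thread: wlan1 -> wlan1, neither end being the router.
ISOLATE = [parse_rule("src-address=!10.5.50.1/32 in-interface=wlan1 "
                      "dst-address=!10.5.50.1/32 out-interface=wlan1 action=drop")]
# Port-only filtering (UDP 137-138, TCP 139); rule strings are assumed.
PORTS_ONLY = [parse_rule("protocol=udp dst-port=137-138 action=drop"),
              parse_rule("protocol=tcp dst-port=139 action=drop")]

def pkt(src, dst, proto, port, out_if="wlan1"):
    return {"src-address": src, "dst-address": dst, "protocol": proto,
            "dst-port": port, "in-interface": "wlan1", "out-interface": out_if}

# Constructed sample flows; .20 and .30 stand for two hotspot clients.
FLOWS = {
    "client->client netbios-ssn": pkt("10.5.50.20", "10.5.50.30", "tcp", 139),
    "client->client smb-direct":  pkt("10.5.50.20", "10.5.50.30", "tcp", 445),
    "client->client netbios-ns":  pkt("10.5.50.20", "10.5.50.30", "udp", 137),
    "client->internet http":      pkt("10.5.50.20", "192.0.2.80", "tcp", 80, "ether1"),
}

def compare():
    """Map each flow to (verdict under ISOLATE, verdict under PORTS_ONLY)."""
    return {n: (verdict(ISOLATE, p), verdict(PORTS_ONLY, p)) for n, p in FLOWS.items()}

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:28} isolate={result[0]:6} ports-only={result[1]}")
```

The address-based rule drops every client-to-client flow regardless of port, while the port-only rules still accept the TCP 445 flow.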
Posted: Mon Jun 06, 2005 9:03 am
by nhalachev
If any of you guys has a better way of doing this please post your solution.
Use switches with port-based VLANs. Connect customers/segments to isolated ports. Place Mikrotik bridges with many ethernets at cross points of your network and manage.
another damage
Posted: Fri Jun 10, 2005 12:52 am
by mykrosoftz
Another damage of clients seeing clients is a virus attack. I have an AP with more than 100 clients that used to hang several times in a day frame. Took me almost 3 weeks to figure out that several clients were contaminated with a Sasser-style virus (trying to replicate by scanning ports). This type of scanning can destroy bandwidth and put a lot of stress on the Mikrotik box. I have not yet found an easy solution to the problem. I think Mikrotik should have a single-click solution for this (client seeing client).