
Users of hotspot communicating while DefaultForwarding=OFF??

Posted: Wed May 25, 2005 3:03 pm
by spavkov
I have this kind of situation:

I have one omni antenna and one Prism wireless card with the hotspot running on the wireless interface...

The hotspot has many users (> 70), so I switched interface > wireless > DEFAULT FORWARDING to OFF so users cannot communicate with each other.
They can only 'talk' to the router.

This works fine, but I have 2 users who want to be able to communicate!
And they also want that no other users can 'see' them!

How can I make this?

If I switch on default forwarding only for these 2 users, will other users be able to see them or not?

Is it possible that I leave DEFAULT FORWARDING = OFF and add some custom rules to firewall > forwarding so only these 2 users can 'talk' directly and the others cannot see them or 'talk' to them?

Please help!

Posted: Wed May 25, 2005 6:41 pm
by nhalachev
Well, I think you have 2 choices:

1. Make use of the access-list under /interface wireless. Set default-forwarding=on for the wireless interface and add the wireless stations with the needed default-forwarding ON or OFF under /interface wireless access-list.

2. Think as a salesman ;-). Configure a VPN server and sell VPN service to the customers who need to communicate with each other.

Regards

Posted: Wed May 25, 2005 8:07 pm
by djape
"Think as a salesman ;-). Configure a VPN server and sell VPN service to the customers who need to communicate with each other. Regards"

Nice advice :)

If you need a job, let me know ;)

Cheers...

Posted: Thu May 26, 2005 3:11 pm
by spavkov
Is there a way to make a VPN server/network on MikroTik?
On the same Prism wireless interface where the hotspot is running?

Posted: Thu May 26, 2005 3:46 pm
by nhalachev
"Is there a way to make a VPN server/network on MikroTik? On the same Prism wireless interface where the hotspot is running?"

Yes, PPTP or L2TP for example.

Posted: Thu May 26, 2005 5:02 pm
by OrCAD
I unchecked DEFAULT FORWARDING in wireless wlan1, but the clients can still communicate with each other... Why?
Is it a 2.9rc4 bug?

Thanks

Posted: Thu May 26, 2005 5:45 pm
by djape
Because most probably you didn't uncheck it for the particular user. This is the default; now you need to uncheck it for each user you don't want to communicate!

Posted: Thu May 26, 2005 6:26 pm
by OrCAD
I have default forwarding ON on the wireless interface.
Each user in the connect list has default forwarding OFF (unchecked)..

Users can still share!
I don't understand the procedure?

Posted: Thu May 26, 2005 7:04 pm
by spavkov
I have the same problem...
Each user is added to the ACCESS LIST and has default-forwarding set to NO,
and still I can access their computers via plain Microsoft file sharing...

I go to MY NETWORK PLACES and SEARCH NETWORK COMPUTERS and
I can find other users and then enter their shared folders...

Any ideas how to stop this..?

Posted: Thu May 26, 2005 7:38 pm
by spavkov
Here is the solution:

You must put a rule in IP > FIREWALL > FORWARD
to forbid all packets going from the WLAN interface to the WLAN interface,
excluding the router IP...

For example, if your hotspot wireless network is
10.5.50.*

then the rule would be (if your MT router is on 10.5.50.1):

src-address=!10.5.50.1/32 in-interface=wlan1 dst-address=!10.5.50.1/32
out-interface=wlan1 action=drop

This solves the problem and nobody can 'see' anybody except the router!

It's logical, but why does DEFAULT FORWARDING exist if it does not work???
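
The same isolation written out as an added example (editor's configuration, not spavkov's or nhalachev's, and not taken from the original thread). It assumes current RouterOS command syntax (/ip firewall filter rather than the old /ip firewall rule forward), the 10.5.50.0/24 hotspot network with the router at 10.5.50.1 from the post above, and placeholder addresses 10.5.50.10 and 10.5.50.11 for the two users who are allowed to talk to each other. The design choice differs from nhalachev's option 1 on purpose: a per-station forwarding=yes in the access list makes the AP repeat that station's frames to other stations at layer 2, where the IP firewall never sees them, so the example keeps layer-2 forwarding off for everyone and makes the pairwise exception in the forward chain instead. proxy-arp on wlan1 is what makes a client send traffic for another client's IP to the router at all; without it the ARP request is never answered and the traffic is silently lost rather than filtered.

```routeros
# Added example, not the original poster's configuration.
# Assumes: current RouterOS syntax, hotspot on wlan1, network 10.5.50.0/24,
# router at 10.5.50.1. The two client addresses below are placeholders.

# 1. No layer-2 forwarding between stations at all. Every station-to-station
#    frame then has to go through the router's IP stack, where the firewall
#    can see it. proxy-arp makes the router answer ARP for other clients'
#    addresses with its own MAC, so the client actually sends to the router.
/interface wireless set wlan1 default-forwarding=no arp=proxy-arp

# 2. The one pair that may communicate, kept in an address list so the
#    filter rules stay readable and the list can grow without new rules.
/ip firewall address-list
add list=wlan-pair address=10.5.50.10 comment="user A (placeholder)"
add list=wlan-pair address=10.5.50.11 comment="user B (placeholder)"

# 3. forward chain: accept the pair in both directions, then drop anything
#    else that would be routed wlan1 -> wlan1. Traffic to or from 10.5.50.1
#    itself goes through the input/output chains, not forward, so the router
#    needs no exception here and hotspot login traffic is unaffected.
/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=wlan1 \
    src-address-list=wlan-pair dst-address-list=wlan-pair \
    action=accept comment="allow the two users to talk to each other"
add chain=forward in-interface=wlan1 out-interface=wlan1 \
    action=drop comment="hotspot client isolation: no wlan1 -> wlan1"
```

To verify, run /ip firewall filter print stats after one of the isolated clients tries to browse another's shares: the drop rule's packet counter should climb while the accept rule only moves for the 10.5.50.10 / 10.5.50.11 pair. Keep the accept rule above the drop rule; RouterOS evaluates the chain top to bottom and the first match wins.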

Posted: Thu May 26, 2005 7:59 pm
by OrCAD
OK, this solution works perfectly, many thanks..... but default forwarding does not work properly.... solved in 2.9rc5?
OrCAD

How do I do this using an external AP?

Posted: Mon Jun 06, 2005 3:25 am
by mykrosoftz
Is there a simple way to do this... like a simple DEFAULT FORWARDING but for the ethernet interface? Default forwarding works fine only on the wireless card, but sometimes I use an external AP.

Posted: Mon Jun 06, 2005 4:15 am
by infomate
Hi guys!,

I've been trying to solve the same problem you have. I have an ethernet hotspot gateway connected to an external AP.

I have tried to do the router IP isolation as suggested above (!10.5.50.1/32), but the clients can still access each other.

I have tried the following solution, but it still needs further testing and packet monitoring.

I've placed additional rules in /ip firewall rule forward: drop all traffic from UDP ports 137-138 and TCP port 139. Same rules in /ip firewall hotspot-temp.

If any of you guys has a better way of doing this please post your solution.

Thanks.

Posted: Mon Jun 06, 2005 9:03 am
by nhalachev
"If any of you guys has a better way of doing this please post your solution."

Use switches with port-based VLANs. Connect customers/segments to isolated ports. Place MikroTik bridges with many ethernet ports at the cross points of your network and manage them.
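
An added example of the port-isolation idea above on a MikroTik bridge (editor's configuration, not nhalachev's or infomate's, and not from the original thread). The reason the !10.5.50.1/32 forward rule did nothing in infomate's setup is that with an external AP, client-to-client frames are switched inside the AP and never reach the gateway, so no rule on the gateway, port-based or otherwise, can see them; the same holds for two customer ports on an ordinary switch. Isolation therefore has to happen at the layer-2 device. The example assumes a MikroTik box with ether1 as the uplink towards the hotspot gateway and ether2..ether4 each feeding one external AP or customer segment; the interface and bridge names are placeholders. Clients that share one external AP still need that AP's own client isolation feature, which this configuration cannot replace.

```routeros
# Added example, not from the thread. Assumes current RouterOS syntax, ether1
# as uplink to the hotspot gateway, ether2..ether4 as one external AP or
# customer segment each. Names are placeholders.

# All customer ports share one bridge, so they stay in the hotspot's subnet,
# but the identical horizon value stops the bridge from forwarding frames
# between them (split horizon): a frame from ether2 can only leave via ether1,
# whose horizon is unset and therefore belongs to a different group.
/interface bridge add name=br-clients protocol-mode=none
/interface bridge port
add bridge=br-clients interface=ether1 comment="uplink to hotspot gateway"
add bridge=br-clients interface=ether2 horizon=1 comment="external AP / customer 1"
add bridge=br-clients interface=ether3 horizon=1 comment="external AP / customer 2"
add bridge=br-clients interface=ether4 horizon=1 comment="external AP / customer 3"

# Explicit bridge-firewall rule with the same effect, for the case where you
# prefer a rule you can count hits on: drop anything bridged between two
# non-uplink ports. Broadcasts (ARP, NetBIOS name queries) from a customer
# port are also only flooded to ether1, so "search network computers" finds
# nothing on the other segments.
/interface bridge filter
add chain=forward in-interface=!ether1 out-interface=!ether1 action=drop \
    comment="no customer-port to customer-port bridging"
```

Check it with /interface bridge filter print stats while a client on ether2 pings a client on ether3: the drop counter should rise and the ping should time out, while both clients still reach the gateway through ether1. Port-level NetBIOS filters such as the UDP 137-138 / TCP 139 drops mentioned earlier only matter for traffic that actually crosses the router, which is why they belong on top of, not instead of, layer-2 isolation.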

another damage

Posted: Fri Jun 10, 2005 12:52 am
by mykrosoftz
Another damage of clients seeing clients is a virus attack. I have an AP with more than 100 clients that used to hang several times in a day. It took me almost 3 weeks to figure out that several clients were contaminated with a Sasser-style virus (trying to replicate by scanning ports). This type of scanning can destroy bandwidth and put a lot of stress on the MikroTik box. I have not yet found an easy solution to the problem. I think MikroTik should have a single-click solution for this (client seeing client).