Stopping Broadcast Packets

Posted: Thu Apr 15, 2010 9:28 pm
by krakenant
Specifically DHCP, but Windows broadcasts, etc.

Belair has a feature that stops all broadcasts from going out the wireless interface, unless from a specified list of MAC addresses. I am looking to duplicate that feature. Any idea what to select in the firewall to target broadcast packets? I can figure out the rest, I am fairly certain.

Re: Stopping Broadcast Packets

Posted: Thu Apr 15, 2010 9:47 pm
by martini
Router setup? WDS with bridge or routing?

Re: Stopping Broadcast Packets

Posted: Thu Apr 15, 2010 10:27 pm
by krakenant
These would be on Mikrotiks converted to APs, either wired or bridged. They wouldn't do any routing.

Re: Stopping Broadcast Packets

Posted: Thu Apr 15, 2010 11:22 pm
by martini
In bridge firewall drop dst-mac ff:ff:ff:ff:ff:ff, but add static ARP for hosts.

Re: Stopping Broadcast Packets

Posted: Fri Apr 16, 2010 12:40 am
by krakenant
Not exactly what I am looking for.
Here is the description from the Belair Manual:
"When configured in secure port mode, the AP forwards to the associated wireless clients only those Layer 2 (Ethernet) frames for which the source MAC address and VLAN matches an entry its white list. The white list can contain up to 32 entries. If a VLAN is not specified, it is assumed to have a value of zero. In effect, while in this mode the AP acts as a firewall for all Layer 2 frames arriving from inside the network for the wireless clients. The secure MAC white list should only contain the MAC addresses of the gateway interfaces. Thus, wireless clients associated to other APs in the network are prevented from communicating with locally associated clients.
Note 1: The secure MAC white list is different from the list described in “Wireless Client Access Control List” on page 90. In a client ACL, only the listed MAC addresses are allowed to associate with an AP. The secure MAC white list controls data forwarding to the wireless clients from remote entities in the network. The content of the secure MAC white list takes effect only when the AP secure port mode is enabled."

Re: Stopping Broadcast Packets

Posted: Thu Apr 22, 2010 3:20 am
by Chupaka
"the AP forwards to the associated wireless clients only those Layer 2 (Ethernet) frames for which the source MAC address and VLAN matches an entry its white list."
maybe something like
/interface bridge filter add vlan-id=? src-mac-address=?
?

accept whitelisted entries, then drop all the rest...
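
The accept-then-drop approach from the last reply, written out as RouterOS bridge filter rules. This is an added example, not part of any post in the thread; the interface name wlan1 and the gateway MAC 00:00:5E:00:53:01 are constructed placeholders, and frames are assumed to be untagged (no vlan-id match).

```routeros
# Added example. Assumptions: wlan1 is the AP's wireless interface and is a
# port of the bridge; 00:00:5E:00:53:01 stands in for the gateway's MAC.
/interface bridge filter

# Rule order matters: the first matching rule decides.
# 1. Frames sourced from a whitelisted (gateway) MAC may be forwarded out
#    the wireless interface. The /FF:FF:FF:FF:FF:FF mask means an exact
#    match. Add one such rule per whitelisted MAC.
add chain=forward out-interface=wlan1 \
    src-mac-address=00:00:5E:00:53:01/FF:FF:FF:FF:FF:FF \
    action=accept comment="whitelist: gateway"

# 2. Every other frame bridged toward the wireless clients is dropped,
#    which is the behaviour the Belair manual describes.
add chain=forward out-interface=wlan1 action=drop \
    comment="drop non-whitelisted frames toward wireless"

# Alternative to rule 2, if only broadcasts should be stopped (the original
# question): restrict the drop to the broadcast destination address.
# add chain=forward out-interface=wlan1 \
#     dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF \
#     action=drop comment="drop non-whitelisted broadcasts toward wireless"
```

Because the rules match on out-interface, frames coming from the wireless clients (their own DHCP and ARP broadcasts toward the wired side) are not affected; replies reach them as long as the DHCP server and gateway MACs are on the whitelist.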