How to Block UnknownUsers Using Free PtP Links via MyDevices

Posted: Thu Aug 18, 2011 5:37 pm
by ViREnG
Hello My Friends

Anyone Can Easily Create a Virtual Network With His Friend via My Wireless Devices :?
Example: Connect to One of My APs, Set a Static IP (like 192.168.20.1) and Set the 2nd Computer's IP to 192.168.20.2 (5KM Away)
Please See The Attached Image

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Fri Aug 19, 2011 12:55 am
by ManUtd
Turn off default forward on APs.

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Sun Aug 21, 2011 9:53 am
by ViREnG
I Disabled the "Default Forward" on Each Wireless Interface, but Still Have the Problem.
I Tested it after Disabling the Default Forward: if I Set IP Addresses on Their Eths Like 192.168.50.30 & 192.168.50.65,
192.168.50.30 Can Ping 192.168.50.65 :?
What do I Do?

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Sun Aug 21, 2011 10:21 am
by mahnet
Try copying a file from one location to another location.
Does it work???
Coz even I thought default forward should stop this, although I never actually tried.
I also have the forwarding tick removed from the access list for each client.

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Sun Aug 21, 2011 11:19 am
by ViREnG
> Try copying a file from one location to another location.
> Does it work???
> Coz even I thought default forward should stop this, although I never actually tried.
> I also have the forwarding tick removed from the access list for each client.

Does Disabling Default Forward Just Disable File Sharing?
Anyone Can Use FTP, Remote, Gaming or Other...!!
Any Idea how to Block Communication Between Clients and Client Isolation?

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Sun Aug 21, 2011 9:30 pm
by fewi
When in doubt consult the publicly available manual:
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless
forwarding (yes | no; Default: yes)
no - Client cannot send frames to other stations that are connected to the same access point.
yes - Client can send frames to other stations on the same access point.
Turning off default forwarding means clients cannot send frames to other stations connected to the same access point via the radio interface of the AP.
They may potentially still send frames to stations on OTHER access points as that traffic doesn't hairpin out the same radio interfaces, but is bridged or routed as all other traffic. You'd block that via the normal firewall.

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Tue Aug 23, 2011 10:18 pm
by ViREnG
> They may potentially still send frames to stations on OTHER access points as that traffic doesn't hairpin out the same radio interfaces, but is bridged or routed as all other traffic. You'd block that via the normal firewall.

How can I Block it? Can You Write the Firewall Rule Here? :?

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Tue Aug 23, 2011 11:06 pm
by skillful
After disabling default forwarding, add a firewall rule to stop a packet from exiting on the same interface it came from.
/ip firewall filter
add action=drop chain=forward disabled=no in-interface=wlan1 out-interface=wlan1
If you are bridging, you also need to enable the firewall for bridged interfaces.
/interface bridge settings
set use-ip-firewall=yes

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Wed Aug 24, 2011 12:17 pm
by ViREnG
> If you are bridging, you also need to enable the firewall for bridged interfaces.
> /interface bridge settings
> set use-ip-firewall=yes

I Set "use-ip-firewall" to YES on the RouterBoard Bridge, but Still Have the Problem.
I Tested it: 192.168.20.63 can Ping or Connect to 192.168.20.70 (<-- This is an Example IP Address)

Re: How to Block UnknownUsers Using Free PtP Links via MyDev

Posted: Wed Aug 24, 2011 12:31 pm
by fewi
Are those two IP addresses connected to DIFFERENT APs? If yes, write firewall filters in the 'forward' chain to drop traffic between customer IP addresses after permitting traffic between customer IPs and their gateway. If no, you've been making mistakes implementing what you've been told in this thread, and should post your configuration.

"It doesn't work" is NOT a sufficient answer. Show WHAT doesn't work, how you're testing, what you're expecting, and what you're getting instead. People can't just randomly guess at what you're doing; not giving enough details wastes everyone's time, including yours.
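
The steps suggested across this thread, combined into one RouterOS configuration as an added example (not posted by anyone in the thread). The customer subnet 192.168.20.0/24, the gateway address 192.168.20.254 and the address-list name "customers" are assumptions; wlan1 is the interface name used in the rule posted above.

```routeros
# Added example. Assumed values: customers are in 192.168.20.0/24,
# their gateway is 192.168.20.254, and the AP radio is wlan1.

# 1. Same AP: stop the radio from relaying frames between its own stations.
#    This traffic never reaches the IP firewall, so it must be blocked here.
/interface wireless
set [find name=wlan1] default-forwarding=no

# 2. Bridged setups only: send bridged traffic through the IP firewall,
#    otherwise the filter rules below never see it.
/interface bridge settings
set use-ip-firewall=yes

# 3. Different APs: permit customer <-> gateway first, then drop
#    customer <-> customer. Order matters because the gateway address
#    is itself inside the customer subnet.
/ip firewall address-list
add list=customers address=192.168.20.0/24

/ip firewall filter
add chain=forward action=accept src-address-list=customers \
    dst-address=192.168.20.254 comment="customer to gateway"
add chain=forward action=accept src-address=192.168.20.254 \
    dst-address-list=customers comment="gateway to customer"
add chain=forward action=drop src-address-list=customers \
    dst-address-list=customers comment="customer to customer"

# 4. Traffic hairpinning through the same interface at layer 3
#    (the rule posted earlier in the thread).
add chain=forward action=drop in-interface=wlan1 out-interface=wlan1
```

Access-list entries carry their own forwarding setting, so a station matched by an entry that still allows forwarding is not covered by step 1. The packet counters on the drop rules show whether a test ping between two stations is actually reaching the firewall.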