ilero
newbie
Topic Author
Posts: 49
Joined: Fri Jun 04, 2004 3:51 pm

Disabling Client-to-Client Communication

Sat Sep 04, 2004 6:40 pm

I currently use the Hotspot feature on the MikroTik to authenticate my fixed wireless customers. The DHCP server hands out private IPs. I need to limit users from accessing one another's computers. I have been using the "Disable Client-to-Client Communications" in my SmartBridges equipment, but this does not stop users from seeing someone on one of my other radios. Also, I need to have this feature for a strictly wired solution.
I would like to know the best way to accomplish this... Thanks
 
ofasa
Member Candidate
Posts: 104
Joined: Tue Jul 20, 2004 11:42 pm

Sat Sep 04, 2004 10:05 pm

I think you'll be needing something like this (assuming the clients are connected to ether1):

/ ip firewall rule input add in-interface=ether1 out-interface=ether1 action=reject
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Sat Sep 04, 2004 10:39 pm

You can use following command to disable Layer 2 communication between wireless clients connected to same Access point:

/interface wireless set wlan1 default-forwarding=no
 
ilero
newbie
Topic Author
Posts: 49
Joined: Fri Jun 04, 2004 3:51 pm

Fri Sep 10, 2004 5:49 am

I have been told that since my hotspot users are getting Private IPs from the DHCP server, they all have the same subnet mask. As a result, there is no way to keep users isolated from one another. Of course, if I use an AP that has the "disable client-to-client communications" then it will work. But I am trying to provide an extra security to the end users if I use a wired solution. Any thoughts??
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Fri Sep 10, 2004 10:03 am

I have been told that since my hotspot users are getting Private IPs from the DHCP server, they all have the same subnet mask. As a result, there is no way to keep users isolated from one another. Of course, if I use an AP that has the "disable client-to-client communications" then it will work. But I am trying to provide an extra security to the end users if I use a wired solution. Any thoughts??
Yes, you can disable communication between ports on some switches.
For example: HP calls this SPF (source port filtering) or port isolation, Cisco calls it private VLANs, Allied Telesyn calls it multiple VLANs.
There are also some cheap unmanaged/managed switches, like the Compex PS2216, CNET, etc.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Fri Sep 10, 2004 10:12 am

the discussion is confusing network layers a bit.

with "default-forwarding=no" direct layer 2 communication within that particular wlan is stopped. another way to control this is the bridge firewall, working with hardware addresses (MACs)

to stop ip-devices from communicating to each other firewall rules (on layer 3/4) are needed. these control communication on an ip-address or protocol port base.

so it depends on what is wanted...
see also RFC 1925

My posts are written out of personal concern and reflect only personal opinion. Please do not quote them outside without my permission.
 
advantz
Member Candidate
Posts: 187
Joined: Thu Jul 08, 2004 4:11 am

Wed Sep 15, 2004 5:13 am

How do I disable client-to-client communication using layer 3/4?
I mean which firewall rules to set to disable the communication, e.g. I want to stop clients using Network Neighborhood/Windows file sharing...

Does this mean I must disable ports 137-139?

thanks
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Sep 15, 2004 9:02 am

Does this mean I must disable ports 137-139?
thanks
139/TCP
137-138/UDP

yes, for example, this will deny SMB/CIFS connections. perhaps with action reject, not drop.
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Wed Sep 15, 2004 4:07 pm

Does this mean I must disable ports 137-139?
thanks
139/TCP
137-138/UDP

yes, for example, this will deny SMB/CIFS connections. perhaps with action reject, not drop.
I think there is some misunderstanding!!!
Mag, please tell/write us exactly the firewall rule which will disable communications between HOTSPOT clients at the same ethernet/wireless interface.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Wed Sep 15, 2004 8:44 pm

I think there is some misunderstanding!!!
Mag, please tell/write us exactly the firewall rule which will disable communications between HOTSPOT clients at the same ethernet/wireless interface.
sorry if I don't understand the problem. but IMHO something like
add dst-address=:139 in-interface=hotspot protocol=tcp action=reject
add dst-address=:137-138 in-interface=hotspot protocol=udp action=reject 
should do it ?! (there are a few rules mentioned in the hotspot examples)

did you disable layer 2 communication too?

if not, perhaps quoting your hotspot configuration will be helpful...
 
nhalachev
Frequent Visitor
Posts: 99
Joined: Fri May 28, 2004 4:41 pm
Location: Bulgaria

Wed Sep 15, 2004 9:52 pm

Traffic between hosts in one IP network generally will not pass through the gateway, in our case the hotspot interface of the MAT router. Hosts will communicate directly with each other.
And this is why your rules will never count a single byte.
 
mag
Member
Posts: 378
Joined: Thu Jul 01, 2004 12:32 pm
Location: Cologne, NRW, Germany

Thu Sep 16, 2004 9:05 am

Traffic between hosts in one IP network generally will not pass through the gateway, in our case the hotspot interface of the MAT router. Hosts will communicate directly with each other.
And this is why your rules will never count a single byte.
sorry, but AFAIK if direct layer 2 communication is disabled, every connection would go through the AP. considering the packet flow diagram, it should be working.

provided l2 communication has been disabled by
/interface wireless set hotspot default-forwarding=no
but i will do some testing to clarify this.
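The point the last two posts disagree on (whether an L3 rule on the hotspot interface ever sees client-to-client traffic) can be checked with a small model of the segment. This is an added example, not code from the thread or from MikroTik; the subnet, addresses and MACs are constructed, and the "isolation" flag stands in for default-forwarding=no on a wireless interface or port isolation on a switch.

```python
"""Model of the hotspot segment debated above (added example, not code from
the thread). Addresses and MACs are constructed for the illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ROUTER_MAC = "02:00:00:00:00:01"          # constructed: hotspot interface MAC

@dataclass
class Host:
    name: str
    mac: str
    ip: IPv4Address
    net: IPv4Network                       # subnet mask handed out by DHCP
    gateway: IPv4Address

def next_hop_mac(src: Host, dst_ip: IPv4Address, arp: dict) -> str:
    """The sender's own L3 decision: an on-link destination is framed straight
    to the peer's MAC (learned via ARP); only off-link traffic goes to the gateway."""
    target = dst_ip if dst_ip in src.net else src.gateway
    return arp[target]

def segment_delivers(frame_dst_mac: str, isolation: bool) -> str:
    """What the AP or switch does with a frame received from a client port."""
    if frame_dst_mac == ROUTER_MAC:
        return "router"    # reaches the IP firewall on the hotspot interface
    if isolation:
        return "dropped"   # default-forwarding=no / port isolation: not relayed
    return "peer"          # bridged at L2; the router's IP firewall never sees it

def where_does_it_go(src: Host, dst_ip: str, arp: dict, isolation: bool) -> str:
    return segment_delivers(next_hop_mac(src, IPv4Address(dst_ip), arp), isolation)

# Constructed sample segment: two hotspot clients on 10.5.50.0/24, gateway .1
NET, GW = IPv4Network("10.5.50.0/24"), IPv4Address("10.5.50.1")
A = Host("A", "02:00:00:00:00:0a", IPv4Address("10.5.50.10"), NET, GW)
B = Host("B", "02:00:00:00:00:0b", IPv4Address("10.5.50.11"), NET, GW)
ARP = {GW: ROUTER_MAC, A.ip: A.mac, B.ip: B.mac}   # normal ARP answers
# Only if the router answered ARP for B on B's behalf (proxy ARP) would A frame
# B's traffic to the router, and only then would L3 rules see it.
ARP_PROXY = {GW: ROUTER_MAC, A.ip: A.mac, B.ip: ROUTER_MAC}

def summary() -> dict:
    return {
        "A->B, L2 forwarding on": where_does_it_go(A, "10.5.50.11", ARP, False),
        "A->B, default-forwarding=no": where_does_it_go(A, "10.5.50.11", ARP, True),
        "A->B, proxy ARP, forwarding on": where_does_it_go(A, "10.5.50.11", ARP_PROXY, False),
        "A->Internet, default-forwarding=no": where_does_it_go(A, "198.51.100.5", ARP, True),
    }
```

The model shows why the TCP/139 and UDP/137-138 rules above count nothing in the plain case (the frame is bridged peer to peer), why isolation stops the traffic without ever involving the IP firewall, and that off-link traffic still reaches the router with isolation on.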
