Disabling Client-to-Client Communication

Posted: Sat Sep 04, 2004 6:40 pm
by ilero
I currently use the Hotspot feature on the MikroTik to authenticate my fixed wireless customers. The DHCP server hands out private IPs. I need to limit users from accessing one another's computers. I have been using the "Disable Client-to-Client Communications" in my SmartBridges equipment, but this does not stop users from seeing someone on one of my other radios. Also, I need to have this feature for a strictly wired solution.
I would like to know the best way to accomplish this...Thanks

Posted: Sat Sep 04, 2004 10:05 pm
by ofasa
I think you'll be needing something like this (assuming the clients are connected to ether1):

/ip firewall rule forward add in-interface=ether1 out-interface=ether1 action=reject

Posted: Sat Sep 04, 2004 10:39 pm
by nhalachev
You can use following command to disable Layer 2 communication between wireless clients connected to same Access point:

/interface wireless set wlan1 default-forwarding=no

Posted: Fri Sep 10, 2004 5:49 am
by ilero
I have been told that since my hotspot users are getting private IPs from the DHCP server, they all have the same subnet mask. As a result, there is no way to keep users isolated from one another. Of course, if I use an AP that has the "disable client-to-client communications" then it will work. But I am trying to provide extra security to the end users if I use a wired solution. Any thoughts??

Posted: Fri Sep 10, 2004 10:03 am
by nhalachev
I have been told that since my hotspot users are getting private IPs from the DHCP server, they all have the same subnet mask. As a result, there is no way to keep users isolated from one another. Of course, if I use an AP that has the "disable client-to-client communications" then it will work. But I am trying to provide extra security to the end users if I use a wired solution. Any thoughts??
Yes, you can disable communication between ports on some switches.
For example: HP calls this SPF (source port filtering) or port isolation, Cisco - private VLANs, Allied Telesyn - Multiple VLANs.
There are some cheap unmanaged/managed switches also, like Compex PS2216, CNET, etc.

Posted: Fri Sep 10, 2004 10:12 am
by mag
The discussion is confusing network layers a bit.

With "default-forwarding=no" direct layer 2 communication within that particular wlan is stopped. Another way to control this is the bridge firewall, working with hardware addresses (MACs).

To stop IP devices from communicating with each other, firewall rules (on layer 3/4) are needed. These control communication on an IP-address or protocol-port basis.

So it depends on what is wanted...

Posted: Wed Sep 15, 2004 5:13 am
by advantz
How do I disable client-to-client communication using layer 3/4?
I mean, which firewall rules should be set to disable the communication? E.g., I want to stop clients from using Network Neighborhood / Windows file sharing...

Does this mean I must disable ports 137-139?

thanks

Posted: Wed Sep 15, 2004 9:02 am
by mag
Does this mean I must disable ports 137-139?
thanks
139/TCP
137-138/UDP

Yes, for example, this will deny SMB/CIFS connections. Perhaps with action reject, not drop.

Posted: Wed Sep 15, 2004 4:07 pm
by nhalachev
Does this mean I must disable ports 137-139?
thanks
139/TCP
137-138/UDP

Yes, for example, this will deny SMB/CIFS connections. Perhaps with action reject, not drop.
I think there is some misunderstanding!!!
Mag, please tell/write us the exact firewall rule which will disable communications between HOTSPOT clients on the same ethernet/wireless interface.

Posted: Wed Sep 15, 2004 8:44 pm
by mag
I think there is some misunderstanding!!!
Mag, please tell/write us the exact firewall rule which will disable communications between HOTSPOT clients on the same ethernet/wireless interface.
Sorry if I don't understand the problem. But IMHO something like
add dst-address=:139 in-interface=hotspot protocol=tcp action=reject
add dst-address=:137-138 in-interface=hotspot protocol=udp action=reject
should do it?! (There are a few rules mentioned in the hotspot examples.)

Did you disable layer 2 communication too?

If not, perhaps quoting your hotspot configuration will be helpful...

Posted: Wed Sep 15, 2004 9:52 pm
by nhalachev
Traffic between hosts in one IP network generally will not pass through the gateway, in our case the hotspot interface of the MAT router. Hosts will communicate directly with each other.
And this is why your rules will never count a single byte.

Posted: Thu Sep 16, 2004 9:05 am
by mag
Traffic between hosts in one IP network generally will not pass through the gateway, in our case the hotspot interface of the MAT router. Hosts will communicate directly with each other.
And this is why your rules will never count a single byte.
Sorry, but AFAIK if direct layer 2 communication is disabled, every connection would go through the AP. Considering the packet flow diagram, it should be working.

Provided L2 communication has been disabled by
/interface wireless set hotspot default-forwarding=no
But I will do some testing to clarify this.
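The disagreement in this thread is about which box ever sees a client-to-client packet: ofasa's in-interface=out-interface reject rule and mag's port 137-139 rules only matter once the packet reaches the router, while nhalachev's default-forwarding=no decides whether it does. The following model, added here and not posted by anyone in the thread, works that decision through for two clients in one private /24. Everything in it is constructed; in particular, whether the gateway answers ARP on behalf of on-link peers (proxy ARP) is an assumed router setting, not something the thread states.

```python
# Added example (not from the thread): model of the forwarding decisions
# argued about above, used to check which isolation knob actually sees a packet.
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface

@dataclass(frozen=True)
class HotspotSegment:
    """Isolation knobs for one hotspot interface (descriptive names, not RouterOS keys)."""
    l2_forwarding: bool        # AP default-forwarding=yes/no
    proxy_arp: bool            # gateway answers ARP for on-link peers (assumed setting)
    hairpin_reject: bool       # IP rule: in-interface == out-interface -> reject
    reject_tcp: frozenset = frozenset({139})        # NetBIOS session service (SMB)
    reject_udp: frozenset = frozenset({137, 138})   # NetBIOS name/datagram service

def packet_path(src: IPv4Interface, dst: IPv4Address, seg: HotspotSegment) -> str:
    """Which way a frame from src to dst travels: 'direct', 'gateway' or 'unreachable'."""
    if dst not in src.network:
        return "gateway"        # off-link: the host sends to its default gateway anyway
    # Same subnet: the host ARPs for dst and wants to deliver the frame itself.
    if seg.l2_forwarding:
        return "direct"         # AP relays client-to-client; the IP firewall never counts a byte
    if seg.proxy_arp:
        return "gateway"        # router answers the ARP with its own MAC and receives the frame
    return "unreachable"        # ARP never reaches the peer, so no MAC is ever learned

def verdict(src: IPv4Interface, dst: IPv4Address, proto: str, dport: int, seg: HotspotSegment) -> str:
    """Outcome for one client-to-client flow: 'direct', 'unreachable', 'rejected' or 'forwarded'."""
    path = packet_path(src, dst, seg)
    if path != "gateway":
        return path
    if seg.hairpin_reject and dst in src.network:
        return "rejected"       # the in-interface=out-interface rule catches the hairpin
    ports = seg.reject_tcp if proto == "tcp" else seg.reject_udp
    return "rejected" if dport in ports else "forwarded"

# Constructed sample: two hotspot clients in one private /24 trying Windows file sharing.
A = IPv4Interface("10.5.50.20/24")
B = IPv4Address("10.5.50.21")

def scenarios() -> dict:
    return {
        "l3_rules_only":        verdict(A, B, "tcp", 139, HotspotSegment(True, False, False)),
        "l2_off_no_proxy":      verdict(A, B, "tcp", 139, HotspotSegment(False, False, False)),
        "l2_off_proxy_ports":   verdict(A, B, "tcp", 139, HotspotSegment(False, True, False)),
        "l2_off_proxy_http":    verdict(A, B, "tcp", 80,  HotspotSegment(False, True, False)),
        "l2_off_proxy_hairpin": verdict(A, B, "tcp", 80,  HotspotSegment(False, True, True)),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name:22} -> {result}")
```

The first scenario is nhalachev's point (port rules alone never match), the third and fifth are mag's (once L2 forwarding is off and the router receives the frames, its rules decide), and the second shows the case neither post spells out: with forwarding off and no proxy ARP, same-subnet peers simply cannot resolve each other.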