lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

How to filter wifi traffic between AP stations on firewall?

Tue May 10, 2016 7:53 pm

I'd like MT to filter AP traffic between stations just like /interface bridge is able to use the IP firewall to control traffic between bridge ports.

How to do that?

I tried disabling default-forwarding and enabling ARP proxy, as this seemed like a reasonable idea, but it didn't work: the router didn't want to respond with its own MAC if a client asked about stations in the same network. In general I want PCs connected to the AP under a single network (with DHCP) to be able to talk only on some ports (22). So more or less just pass L2 traffic through some firewall. One option imo is to make the router respond to all ARP requests with its own MAC; another option would be to somehow force clients to push all the traffic through the gw.

I heard about hacks with a /32 network and the gw set to the client's own IP, but it doesn't seem to work with DHCP, as I think I'd need like... 254 pools and 254 networks with the correct gw.
Last edited by lapsio on Sun Aug 26, 2018 1:27 am, edited 1 time in total.
MTCNA, MTCRE, MTCINE
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Fri May 13, 2016 7:09 am

Not tried, so just an idea: disable default forward on wlan. Force-tag each client with its own VLAN. Bridge all those VLANs together with the uplink and set up the firewall on that bridge.
 
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re:

Fri May 13, 2016 1:27 pm

Not tried, so just an idea: disable default forward on wlan. Force-tag each client with its own VLAN. Bridge all those VLANs together with the uplink and set up the firewall on that bridge.
I'm afraid that disabled forward sends packets to the void. In fact, making the router capture those packets to the local network in ANY way would already give a good start, but I think AP isolation makes those packets silently dropped by the AP itself and they never even get to the router, so I'm unable to process them on the RoS level in any way.
MTCNA, MTCRE, MTCINE
 
jarda
Forum Guru
Posts: 7602
Joined: Mon Oct 22, 2012 4:46 pm

Fri May 13, 2016 3:07 pm

As I said, it's just an idea to prove. Maybe it is not necessary to disable default forward, as individual VLANs should separate the clients effectively too. Maybe disabling the default forward will not have any impact at all in this case.
 
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: How to pass traffic between AP stations through firewall?

Sun Aug 26, 2018 1:27 am

After all those years I finally solved this mystery.

The solution was as simple as disabling default-forward and giving all stations a /32 netmask via DHCP or static config (and probably enabling ip-firewall on the bridge). Now all packets go to the router MAC and then the router filters them on the firewall in the forward chain. In the end it achieves the expected result: stations can talk with each other only if the firewall allows that. If some rogue station sets its netmask manually to /24 then it can't communicate with the others at all, so it seems to be secure.
MTCNA, MTCRE, MTCINE
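The /32 approach from the post above, written out as an added RouterOS configuration example (this is not lapsio's own export). It assumes the default interface names wlan1 and bridge1, the router at 192.168.88.1/24, and a DHCP pool of 192.168.88.10-250; only new TCP/22 connections are allowed between stations. Because every lease is a /32, a station treats all peers as off-link and sends their packets to the gateway MAC; the router then routes them back out the same bridge, so they traverse the forward chain with in-interface and out-interface both bridge1 even without use-ip-firewall (that setting would additionally push plain bridged frames, e.g. from Ethernet ports on the same bridge, through the IP firewall).

```routeros
# Added example: per-station /32 leases plus forward-chain filtering.
# Assumptions (not from the thread): wlan1 attached to bridge1,
# router address 192.168.88.1/24, pool 192.168.88.10-192.168.88.250.

# 1. Stop the AP from forwarding frames between stations on its own.
/interface wireless set wlan1 default-forwarding=no

# 2. Router-side IP on the bridge that holds the wlan.
/interface bridge port add bridge=bridge1 interface=wlan1
/ip address add address=192.168.88.1/24 interface=bridge1

# 3. Hand out /32 leases: every peer is off-link for the station, so all
#    station-to-station traffic is sent to the gateway MAC first.
/ip pool add name=wifi-pool ranges=192.168.88.10-192.168.88.250
/ip dhcp-server add name=wifi-dhcp interface=bridge1 address-pool=wifi-pool disabled=no
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 netmask=32 dns-server=192.168.88.1

# 4. Hairpinned traffic is routed (in and out via bridge1), so the
#    forward chain sees it. Replies first, then SSH, then drop the rest.
/ip firewall filter
add chain=forward connection-state=established,related action=accept comment="replies of already allowed flows"
add chain=forward in-interface=bridge1 out-interface=bridge1 protocol=tcp dst-port=22 connection-state=new action=accept comment="stations may SSH to each other"
add chain=forward in-interface=bridge1 out-interface=bridge1 action=drop comment="everything else between stations"
```

Two checks before relying on this: some DHCP clients refuse a gateway that lies outside the leased prefix, so test the lease with each client OS you need; and ping one station from another while watching `/ip firewall filter print stats` to confirm the drop counter of the last rule moves while an SSH session is accepted. Station-to-station broadcast and multicast (mDNS/Bonjour) is dropped by the AP once default-forwarding is off and is not routed by these rules, so service discovery between stations will not work with this setup.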
 
UpRunTech
Frequent Visitor
Posts: 81
Joined: Fri Jul 27, 2012 12:11 pm

Re: How to filter wifi traffic between AP stations on firewall?

Mon Aug 27, 2018 6:47 am

How does your /32 solution go with broadcasts like Bonjour and mDNS? A while back I was looking for a way to force all station traffic on a WLAN interface through a bridge interface so bridge-level firewalling could be done. Unfortunately it can't be done with MikroTik unless they implement a hairpin function in the bridge (the standard Linux bridge has hairpin) or somehow allow all stations to join the bridge dynamically as ports, which may not fit the bridge model so well.
 
lapsio
Member
Topic Author
Posts: 472
Joined: Wed Feb 24, 2016 5:19 pm

Re: How to filter wifi traffic between AP stations on firewall?  [SOLVED]

Mon Aug 27, 2018 8:06 pm

...
Well, I actually just found an even better solution: simply arp=local-proxy-arp. So just set default-forwarding=no on the wireless interface and arp=local-proxy-arp on the bridge where the wlan interface is attached and where you have the IP address, and this way MikroTik will answer all ARP requests with its own MAC even if the mask is not /32 but something else (e.g. /24). At the same time the wifi interface will drop direct communication between stations (including ARP), so the only ARP response a station will get will be the one from the router. I think it might introduce some problems if wifi is bridged to a conventional L2 broadcast domain, because I think then MikroTik will also reply to every ARP request from the switch, so without any filtering it's going to be a race condition, but I don't think it's the breaking kind of race condition. In the worst case traffic will be pumped through the router instead of the switch. But from what I noticed MikroTik takes a while before responding to such ARP (a few milliseconds), so I think the real ARP should be faster in most cases (unless some ARP filtering is performed on the switch).

Back when I was looking for a solution to this problem I think local-proxy-arp was not a thing in MikroTik, so back then it wasn't a viable solution. But well, things changed! :D
MTCNA, MTCRE, MTCINE
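The local-proxy-arp variant from the post above, as an added RouterOS configuration example (again not the poster's own export). It assumes wlan1 on bridge1, the router at 192.168.88.1/24 and ordinary /24 leases; the wlan stays on a bridge of its own so the router's proxy replies never compete with real hosts on a wired segment, which avoids the ARP race the post describes. One extra line not mentioned in the thread: a router that forwards a packet back out the interface it arrived on normally sends an ICMP redirect, so redirects are switched off to keep stations sending via the router.

```routeros
# Added example: local-proxy-arp station isolation with forward-chain filtering.
# Assumptions (not from the thread): wlan1 is the only port of bridge1,
# router address 192.168.88.1/24, stations get normal /24 leases.

# The AP drops station-to-station frames, ARP included.
/interface wireless set wlan1 default-forwarding=no

# The router answers every ARP request it sees on bridge1 with its own MAC,
# including requests for hosts inside its own 192.168.88.0/24.
/interface bridge set bridge1 arp=local-proxy-arp
/ip address add address=192.168.88.1/24 interface=bridge1
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24 dns-server=192.168.88.1

# Forwarding in and out of the same interface would otherwise trigger
# ICMP redirects towards the stations.
/ip settings set send-redirects=no

# Forward-chain policy: replies of allowed flows, new SSH between
# stations, and nothing else between stations.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward in-interface=bridge1 out-interface=bridge1 protocol=tcp dst-port=22 connection-state=new action=accept
add chain=forward in-interface=bridge1 out-interface=bridge1 action=drop
```

To verify the isolation, look at a station's neighbour table after it has pinged a peer (`ip neigh` on Linux, `arp -a` on Windows): the peer's entry must carry the router's MAC, not the peer's, and the ping should fail while an SSH connection to the same peer succeeds. `/ip arp print` on the router shows the real MACs it learned from the stations. As with the /32 method, broadcast and multicast between stations (mDNS/Bonjour) is dropped by the AP, so discovery between stations does not work here either.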
