I'd like MT to filter AP traffic between stations, just like /interface bridge is able to use the IP firewall to control traffic between bridge ports.
How to do that?
I tried to disable default-forwarding and enable ARP-proxy, as this seemed to be a reasonable idea, but it didn't work: the router didn't want to respond with its own MAC if a client asked about stations in the same network. In general, I want PCs connected to the AP under a single network (with DHCP) to be able to talk only on some ports (22). So, more or less, just pass L2 traffic through some firewall. One option, imo, is to make the router respond to all ARP requests with its own MAC; another option would be to somehow force clients to push all the traffic through the gw.
I heard about hacks with a /32 network and the gw set to the client's own IP, but it doesn't seem to work for DHCP, as I think I'd need like... 254 pools and 254 networks with the correct gw.