I'd like MT to filter AP traffic between stations just like /interface bridge is able to use IP firewall to controll traffic between bridge ports.

How to do that?

I tried to disable default-forwarding and enable ARP-proxy as this seemed to be some reasonable idea but it didn't work, router didn't want to respond with own MAC if client asked about stations in the same network. In general I want PCs connected to AP under single network (with DHCP) to be able to talk only on some ports (22). So more or less just pass L2 traffic through some firewall. One option imo is to make router respond to all ARP requests with own MAC, another option would be to somehow force clients to push all the traffic through gw.

I heard about hacks with /32 network and gw set to client own IP but it doesn't seem to work for DHCP as I think I'd need like... 254 pools and 254 networks with correct gw.

Not tried so just an idea: Disable default forward on wlan. Force tag each client by his own vlan. Bridge all those vlans together with uplink and set up the firewall on that bridge.

Not tried so just an idea: Disable default forward on wlan. Force tag each client by his own vlan. Bridge all those vlans together with uplink and set up the firewall on that bridge.

I'm afraid that disabled forward sends packets to void. In fact making router capture those packets to local network in ANY way would give already good start but I think AP isolation make those packets silently dropped by AP itself and they never even get to router so I'm unable to process them on RoS level in any way.

As I said. It's just an idea to proove. Maybe it is not necessary to disable default forward as individual vlans should separate the clients effectively too. Maybe disabling the default forward will not have any impact at all in this case.

After all those years I finally solved this mystery.

Solution was as simple as disabling default-forward and giving all stations /32 netmask via dhcp or static config (and probably enable ip-firewall on bridge). Now all packets go to router MAC and then router filters them on firewall in forward chain. In the end it achieves expected result - stations can talk with each other only if firewall allows that. If some rouge station sets netmask manually to /24 then it can't communicate with others at all so it seems to be secure.

How does your /32 solution go with broadcasts like Bonjour and mDNS? A while back I was looking for a way to force all station traffic on a WLAN interface through a bridge interface so bridge level firewalling could be done. Unfortunately it can't with Mikrotik unless they implement a hairpin function in the bridge (the standard Linux bridge has hairpin) or somehow allow all stations to join the bridge dynamically as ports which may not fit the bridge model so well.

...

Well I actually just found even better solution - simply arp=local-proxy-arp. So just set default-forwarding=no on wireless interface and arp=local-proxy-arp on bridge where wlan interface is attached and where you have IP address and this way MikroTik will answer to all arp requests with own MAC even if mask is not /32 but something else (eg /24). At the same time wifi interface will drop direct communication between stations (including arp) so the only arp response station will get will be one from router. I think it might introduce some problems if wifi is bridged to conventional L2 broadcast domain because I think then mikrotik will also reply to every arp request from switch so without any filtering it's gonna be race condition but I don't think it's breaking kind of race condition. In worst case traffic will be pumped through router instead of switch. But from what I noticed Mikrotik takes a while before responding to such arp (few miliseconds) so I think real arp should be faster in most cases (unless some arp filtering is performed on switch)

Back when I was looking for solution to this problem I think local-proxy-arp was not a thing in MikroTik so back then it wasn't viable solution. But well things changed!

...few years later…

How does your /32 solution go with broadcasts like Bonjour and mDNS?

Perhaps nowadays one could run an mDNS repeater as a container. It may also be responsible for creating Wide Area DNS records.

...few years later…

How does your /32 solution go with broadcasts like Bonjour and mDNS?

Perhaps nowadays one could run an mDNS repeater as a container. It may also be responsible for creating Wide Area DNS records.

local-proxy-arp does not interfere with broadcasts etc and works just fine for years in my setup tho.

Hmm, I must be missing something obvious.

You have L2 isolated clients on the AP. Your RouterOS has arp=local-proxy-arp on the bridge, but that doesn't seem to be relevant as IP multicast uses pre-allocated L2 broadcast addresses as its destination. How that does not break IP multicast such as mDNS? I would expect the AP to forward such packet to other bridge ports, but not back to its clients.