ktw-matt
Frequent Visitor
Topic Author
Posts: 97
Joined: Fri Mar 03, 2006 8:32 pm
Location: USA

(How?) Drop packets between wireless clients

Tue Oct 03, 2006 2:44 am

I don't want to turn off default forwarding, but I do want to filter things like File and Printer sharing between the wireless clients.

Currently I'm dropping ports 137-139 tcp/udp on the forward chain with no src/dst address specified. But this does not catch stuff on the wireless ap-bridge.

Is this even possible?
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Oct 03, 2006 1:22 pm

With default-forwarding set to yes, all communications between clients won't reach the firewall. You have to turn off default-forwarding to be able to filter traffic between clients.

Eugene
Everyone has the right to life, liberty and security of person.
 
ktw-matt
Frequent Visitor
Topic Author
Posts: 97
Joined: Fri Mar 03, 2006 8:32 pm
Location: USA

Tue Oct 03, 2006 9:09 pm

Yes, but doesn't that stop all communications between wireless clients? I only want to filter a few ports, in order to maintain some sanity while keeping things more or less 'open'. (In case I need to diagnose a customer's connection on the same AP as me, or if someone wants to run a small web server and have other customers (edit: on the same AP) be able to access it.)

Correct me if I'm wrong.
 
Eugene
Forum Veteran
Posts: 993
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Tue Oct 03, 2006 10:45 pm

All "direct" (bridge-like) communications. You should configure routing instead.
Everyone has the right to life, liberty and security of person.
 
ktw-matt
Frequent Visitor
Topic Author
Posts: 97
Joined: Fri Mar 03, 2006 8:32 pm
Location: USA

Wed Oct 04, 2006 12:00 am

Ok, we're already doing routing. I just meant that the radio is in AP mode (ap-bridge).
 
ktw-matt
Frequent Visitor
Topic Author
Posts: 97
Joined: Fri Mar 03, 2006 8:32 pm
Location: USA

Fri Oct 06, 2006 8:19 pm

Anyone?

Our AP-2000s can do this (per port). How is it done on MikroTik?
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Sun Oct 08, 2006 12:01 am

> Ok, we're already doing routing. I just meant that the radio is in AP mode (ap-bridge).

Ok, so how do the clients connect to the AP, that is, what do your clients do in addition to associating with the AP? Once associated, do you require them to run an additional protocol on top of the wireless connection, such as PPPoE?

If you do not have such an additional layer, then, I'm afraid, you would not be doing what Eugene probably meant when he said you need to use routing.

For example, let's assume that you hand out IP addresses to associated clients using DHCP (or maybe even tell them to configure static IP addresses and gateway per client manually) and your AP has an IP address in the same subnet that you assign to clients and acts as a gateway for them. Then it could be said that you are of course "routing". But that will not help you with your problem, because all the clients will still be in the same layer 2 network (because they are associated to the same AP) and therefore no routing would be required for communication between any two clients. You are routing between the group of clients as a whole and the uplink, but you're not routing between the clients themselves in such a setup!

If you need fine-grained control over the communication between two clients that are associated to the same AP, then you will need to enforce routing between clients, with the AP acting as the router (layer 3 gateway) required for one client to reach the other. This is the only way to have communication between two clients go through the forward chain on the AP and thus filter it.

One way to achieve this would be the above-mentioned use of PPPoE, because then you'll end up with a PPPoE layer 3 interface per client on the MikroTik AP. Therefore one client talking to the other would mean traffic coming into the AP on one PPPoE interface, going through the (possibly filtering) forward chain and leaving the AP towards the other client on another PPPoE interface.

--Tom
 
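The configuration below is an added example, not posted by anyone in this thread, illustrating the point Tom and Eugene make: a forward-chain rule on an ap-bridge with default-forwarding=yes never sees client-to-client traffic, because the AP switches it at layer 2. The second half shows one way (not mentioned in the thread) to keep clients able to reach each other while still passing through the firewall: disable default-forwarding so the AP no longer bridges between clients, and enable proxy-arp on the wireless interface so the AP answers ARP for other clients with its own MAC and hairpin-routes the traffic through the forward chain. The interface name wlan1 and the subnet 10.0.0.0/24 are assumptions; the port range 137-139 is the one from the original question.

```routeros
# --- Weak setting (as in the original post) ---------------------------------
# default-forwarding=yes: client A -> client B is forwarded inside the
# wireless driver at layer 2 and never enters /ip firewall filter.
# The forward-chain rule below therefore only catches client <-> uplink.
/interface wireless
set wlan1 mode=ap-bridge default-forwarding=yes
/ip firewall filter
add chain=forward protocol=tcp dst-port=137-139 action=drop \
    comment="NetBIOS: ineffective between clients on the same AP"
add chain=forward protocol=udp dst-port=137-139 action=drop

# --- Corrected setting (added example, assumptions: wlan1, 10.0.0.0/24) ------
# default-forwarding=no stops the AP from bridging client-to-client frames.
# arp=proxy-arp makes the AP answer ARP requests for other clients in
# 10.0.0.0/24, so client A sends to the AP's MAC, the AP routes the packet
# back out wlan1 to client B, and the packet traverses chain=forward.
/interface wireless
set wlan1 mode=ap-bridge default-forwarding=no arp=proxy-arp
/ip address
add address=10.0.0.1/24 interface=wlan1

# Now match the client-to-client case explicitly: same interface in and out.
/ip firewall filter
add chain=forward in-interface=wlan1 out-interface=wlan1 \
    protocol=tcp dst-port=137-139 action=drop \
    comment="NetBIOS/SMB between wireless clients"
add chain=forward in-interface=wlan1 out-interface=wlan1 \
    protocol=udp dst-port=137-139 action=drop
# Everything else between clients (web server, diagnostics) stays open,
# as the original poster wanted.
add chain=forward in-interface=wlan1 out-interface=wlan1 action=accept \
    comment="other client-to-client traffic allowed"
```

To check that the rules are actually being hit, generate a NetBIOS connection from one client to another and watch the packet counters with `/ip firewall filter print stats`: with default-forwarding=yes the counters stay at zero no matter what the clients do; after the change they increment. The trade-off is that every client-to-client packet now costs a pass through the router's IP stack instead of a driver-level forward, and clients must accept ARP replies carrying the AP's MAC for their neighbours' addresses.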
ktw-matt
Frequent Visitor
Topic Author
Posts: 97
Joined: Fri Mar 03, 2006 8:32 pm
Location: USA

Wed Oct 11, 2006 11:30 pm

Hi Tom, thanks for replying.

We're not using anything on top of the wireless connection like PPPoE.
I thought about doing that at first, but my boss didn't want to do it that way, which is all well and good. I mean, we have RADIUS authentication set up in a decent manner.

I understand what you're saying. I'll just have to figure out how the AP-2000s do it.

Unless the AP-2000 only filters from AP client to the other side of the AP, and not actually between clients. :oops:

Thanks for the insight.
