Ok, we're already doing routing. I just meant that the radio is in AP mode (ap-bridge).

Ok, so how do the clients connect to the AP, that is, what do your
clients do in addition to associating with the AP? Once associated,
do you require them to run an additional protocol on top of the
wireless connection, such as PPPoE?

If you do not have such an additional layer, then, I'm afraid, you
would not be doing what Eugene probably meant when he said you
need to use routing.

For example, let's assume that you hand out IP addresses to
associated clients using DHCP (or maybe even tell them to configure
static IP addresses and gateway per client manually) and your AP
has an IP address in the same subnet that you assign to clients and
acts as a gateway for them, then it could be said that you are of
course "routing". But that will not help you with your problem,
because all the clients will still be in the same layer 2 network
(because they are associated to the same AP) and therefore no
routing would be required for communication between any two
clients. You are routing between the group of clients as a whole
and the uplink, but you're not routing between the clients themselves
in such a setup!

If you need fine-grained control over the communication between
two clients that are associated to the same AP then you will need to
enforce routing between clients, with the AP acting as the router
(layer 3 gateway) required for one client to reach the other. This is
the only way to have communication between two clients go
through the forward chain on the AP and thus filter it.

One way to achieve this would be the above-mentioned use of PPPoE,
because then you'll end up with a PPPoE Layer-3 interface per client
on the MikroTik AP, therefore one client talking to the other would
mean traffic coming into the AP on one PPPoE interface, going
through the (possibly filtering) forward chain and leaving the AP
towards the other client on another PPPoE interface.
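
A small model of the two addressing schemes discussed in this post, added here as an illustration (it is not part of the original post and is not RouterOS configuration). It shows why a forward-chain drop rule only affects client-to-client traffic once each client sits on its own layer-3 interface. The addresses, the rule list and the function names are constructed for the example, and a /32 per client stands in for a PPPoE point-to-point interface.

```python
import ipaddress

# Constructed forward-chain policy: drop anything between two wireless clients.
# Format: (source network, destination network, action); first match wins.
RULES = [("192.0.2.0/24", "192.0.2.0/24", "drop")]


def forward_chain(rules, src_ip, dst_ip):
    """Evaluate the AP's forward chain for a routed packet (default: accept)."""
    for src_net, dst_net, action in rules:
        if src_ip in ipaddress.ip_network(src_net) and dst_ip in ipaddress.ip_network(dst_net):
            return action
    return "accept"


def deliver(src_cidr, dst, rules):
    """Return (path, verdict) for a packet from a client to dst.

    src_cidr is the client's address and prefix as configured on its
    interface. If dst is inside that prefix the client treats it as on-link
    and the frame is bridged at layer 2, so the forward chain never sees it.
    """
    src_if = ipaddress.ip_interface(src_cidr)
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip in src_if.network:
        return ("bridged", "accept")  # the filter is not consulted at all
    return ("routed", forward_chain(rules, src_if.ip, dst_ip))


if __name__ == "__main__":
    cases = [
        ("shared /24 (DHCP), client to client", "192.0.2.10/24", "192.0.2.11"),
        ("shared /24 (DHCP), client to uplink", "192.0.2.10/24", "198.51.100.7"),
        ("per-client /32 (PPPoE), client to client", "192.0.2.10/32", "192.0.2.11"),
        ("per-client /32 (PPPoE), client to uplink", "192.0.2.10/32", "198.51.100.7"),
    ]
    for label, src, dst in cases:
        print(f"{label}: {deliver(src, dst, RULES)}")
```
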