Aw bugger. Looks like I need bridge hairpin which Mikrotik doesn't allow to be enabled or it's hidden somehow.
I am not the only one with this problem. Mikrotik please add this option in! Client to client filtering on a bridge is needed!
viewtopic.php?t=79006#p575595
So I guess enabling Client-to-Client or Default Forward allows some kind of hairpin in a private bridge in the WLAN interface and this data never makes it to the actual bridge interface.
The desired model for my case would be:
- Disable client to client/default forward.
- Enable hairpin in bridge.
- Be able to bridge filter client to client traffic. Happy days!
I think this is a desirable case, especially in a CAPSMAN system. Given more and more devices are going Wifi, the need to block or filter data for a particular IP or MAC at the bridge level is important. Not all CAPSMAN uses are for just linking clients to a hotspot.
For example, if I have an inkjet printer connected only on Wifi, I might want to stop the kids wasting ink and block the MAC or IP address of their devices from talking to the printer using a bridge filter. At the moment I'd have to put the printer on its own WLAN interface by using a special printer SSID, thereby forcing the client packets through the common bridge as data went from WLAN1 interface to WLAN2 interface.