Hi Guys, i think this topic may have been covered before, but I can't find any satisfactory solution.

I am using capsman, and a hotspot on a VLAN

I don't want wireless clients to be able to see each other.

The clients on each radio have isolation (using client to client forwarding on the capsman data path set to no), but clients logged into different radios can see one and other.

I have tried switching on "Use IP Firewall" on the bridge, and creating a policy that rejects these connections, and that works ok, except it breaks the captive portal (hotspot).

Is there a simple solution to this problem? Surly this is a very common configuration.

Many Thanks in advance!

Paul

You were on the right track.

You have to add a rule that allows clients to reach the captive portal. Put that above the drop rules for client to client.

The rule to reject client to client is address list based, it doesn't include the hotspot.

looks like this 10.0.12.2-10.0.12.255 the hot spot vlan is 10.0.12.1

Strange thing is that when I type in the ip address of the hot spot, it brings up the mikrotik login not the captive portal.

Even before I put any blocking firewall rules, as soon as I switch on Use Ip Firewall on the bridge, it breaks the hotspot.

Appreciate your help

Paul

Dont think you need IP Firewall??

(1) Did you try unchecking Default Forward for the WIFI that guests are using??
(Found in wireless settings directly underneath "Default Authenticate"

There may be more work required in the standard firewall rules but would rather see the current config to comment.
/export hide-sensitive file=anynameyouwish

Sorry should have said, i'm using capsman.

ill post config in the next few days.

Many Thanks for your help.

I should also mention, that when I switched on "Use Ip Firewall" in bridge, it broke capsman. I didn't realise when I posted the first message.

I'm guessing its a firewall rule again.