wifiwales
just joined
Topic Author
Posts: 4
Joined: Tue Sep 06, 2016 10:59 am

Client Isolation

Fri Dec 11, 2020 7:32 pm

Hi Guys, I think this topic may have been covered before, but I can't find any satisfactory solution.

I am using capsman, and a hotspot on a VLAN.

I don't want wireless clients to be able to see each other.

The clients on each radio have isolation (using client to client forwarding on the capsman data path set to no), but clients logged into different radios can see one another.

I have tried switching on "Use IP Firewall" on the bridge, and creating a policy that rejects these connections, and that works ok, except it breaks the captive portal (hotspot).

Is there a simple solution to this problem? Surely this is a very common configuration.

Many Thanks in advance!

Paul
 
gotsprings
Forum Guru
Posts: 1039
Joined: Mon May 14, 2012 9:30 pm

Re: Client Isolation

Mon Dec 14, 2020 12:24 am

You were on the right track.

You have to add a rule that allows clients to reach the captive portal. Put that above the drop rules for client to client.
"It ain't what you don't know that gets you into trouble. It's what you know for sure that just ain't so."
Mark Twain
 
wifiwales
just joined
Topic Author
Posts: 4
Joined: Tue Sep 06, 2016 10:59 am

Re: Client Isolation

Mon Dec 14, 2020 11:11 am

The rule to reject client to client is address list based; it doesn't include the hotspot.

It looks like this: 10.0.12.2-10.0.12.255; the hotspot VLAN is 10.0.12.1.

Strange thing is that when I type in the IP address of the hotspot, it brings up the MikroTik login, not the captive portal.

Even before I put any blocking firewall rules, as soon as I switch on "Use IP Firewall" on the bridge, it breaks the hotspot.

Appreciate your help

Paul
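
Added example, not part of any post in this thread: a simplified first-match rule model (Python, not RouterOS syntax) that checks the ordering advice above against the addresses the topic author gives. The `10.0.12.0/24` list and the two client addresses are assumptions made for comparison; they do not appear in the thread.

```python
import ipaddress

def in_range(ip, spec):
    """True if ip falls inside an 'a-b' range, a CIDR block or a single address."""
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr in ipaddress.ip_network(spec, strict=False)

def evaluate(rules, src, dst, default="accept"):
    """First-match evaluation: the first rule matching both src and dst decides."""
    for action, src_spec, dst_spec in rules:
        if in_range(src, src_spec) and in_range(dst, dst_spec):
            return action
    return default

PORTAL = "10.0.12.1"                # hotspot VLAN address from the thread
CLIENTS = "10.0.12.2-10.0.12.255"   # address list from the thread
WHOLE_SUBNET = "10.0.12.0/24"       # assumed broader list, not from the thread

allow_portal = ("accept", CLIENTS, PORTAL)
drop_clients = ("drop", CLIENTS, CLIENTS)
drop_subnet = ("drop", WHOLE_SUBNET, WHOLE_SUBNET)

def scenarios():
    a, b = "10.0.12.20", "10.0.12.30"   # constructed client addresses
    return {
        # The thread's list isolates clients from each other...
        "thread_list_client_to_client": evaluate([allow_portal, drop_clients], a, b),
        # ...and never matches portal traffic, even with no allow rule at all.
        "thread_list_client_to_portal": evaluate([drop_clients], a, PORTAL),
        # A list covering the whole subnet makes rule order decisive.
        "broad_drop_first_portal": evaluate([drop_subnet, allow_portal], a, PORTAL),
        "broad_allow_first_portal": evaluate([allow_portal, drop_subnet], a, PORTAL),
        "broad_allow_first_client": evaluate([allow_portal, drop_subnet], a, b),
    }

if __name__ == "__main__":
    for name, verdict in scenarios().items():
        print(f"{name}: {verdict}")
```

The allow-before-drop order only changes the outcome when the drop list also covers the portal address; with the range quoted in the thread the drop rule cannot match traffic to 10.0.12.1 in this model.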
 
anav
Forum Guru
Posts: 5926
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Client Isolation

Mon Dec 14, 2020 11:08 pm

Don't think you need IP Firewall??

(1) Did you try unchecking Default Forward for the WIFI that guests are using??
(Found in wireless settings directly underneath "Default Authenticate")

There may be more work required in the standard firewall rules but would rather see the current config to comment.
/export hide-sensitive file=anynameyouwish
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
wifiwales
just joined
Topic Author
Posts: 4
Joined: Tue Sep 06, 2016 10:59 am

Re: Client Isolation

Mon Dec 14, 2020 11:11 pm

Sorry, should have said, I'm using capsman.

I'll post config in the next few days.

Many Thanks for your help.

I should also mention that when I switched on "Use IP Firewall" in bridge, it broke capsman. I didn't realise when I posted the first message.

I'm guessing it's a firewall rule again.
