MikroTik

I have a hex (RB750Gr3) setup as a CAPsMAN along with four WAP ac (RBwAPG-5HacD2Hnd) units as caps. Everything is working great except client to client forwarding. By default client to client forwarding is disabled and in my test environment as long as both devices are connected to the same cap it works correctly (clients cannot see each other). However, if one device connects to cap1 and one connects to cap3 they can see each other which shouldn't be the case since client to client forwarding is not turned on. Also local forwarding is not turned on. What am missing here? All devices are running 6.48.2 (stable). Any advice would be much appreciated.

if one device connects to cap1 and one connects to cap3 they can see each other which shouldn't be the case since client to client forwarding is not turned on.

Unfortunately not - this is expected behaviour. The client-to-client forwarding setting only governs the client-to-client forwarding per cap, not between different access points. For this you could use bridge horizon, as suggested here:

viewtopic.php?t=96918
viewtopic.php?t=141332

However, I have not tried this myself.

Wow, this works perfectly. Thank you. During my testing I noticed another peculiar issue. When two devices are connected to the same cap and both are on the same radio (say 2GHz) it blocks communications as it should. However, when one device connects to the 2GHz and one device connects to the 5GHz communication is allowed even though client to client forwarding is not enabled. If I set the bridge-horizon to a non-zero value this problem is also fixed, but shouldn't it work without the need to do that as both devices are connected to the same cap. I thought bridge-horizon only dealt with devices that were connected to different caps. Any revelations would be much appreciated.

During my testing I noticed another peculiar issue. When two devices are connected to the same cap and both are on the same radio (say 2GHz) it blocks communications as it should. However, when one device connects to the 2GHz and one device connects to the 5GHz communication is allowed even though client to client forwarding is not enabled.

Expected again. Client to client forwarding is about traffic between clients of same wireless interface. If device has support for two bands, that's two wireless interfaces completely independent of each other (might as well be in separate boxes). Same goes for virtual wireless interfaces (additional SSIDs) - independent wireless interfaces again. All of those interfaces land as separate cap interfaces on common bridge in capsman with capsman-forwarding.

Ok, that makes perfect sense and clears things up. Thanks for all the help.