can mikrotik stop this?

Posted: Mon Oct 13, 2008 3:11 pm
by wireless12
Hello all.

I have three PTP links set up in the following manner:

LNK1: RB411AH -----RB411AH--SWITCH---OMNI(A)[SENAO 2611+]---10 wireless internet clients
LNK2: RB411AH -----RB411AH--SWITCH---OMNI(B)[RB433]---16 wireless internet clients
LNK3: RB411AH -----RB411AH--SWITCH---OMNI(C)[RB433]---20 wireless internet clients

NOTE:
All three links are interconnected with each other via a switch, and this switch is connected to the broadband server.

QUESTION

1. There are a lot of viruses travelling from one link to another.
2. If there is ARP poisoning on any link, then the whole network is affected.
3. It sometimes results in heavy latency or breakage in pings.

Solutions required:

Is there any method, script, or firewall in MikroTik ROS which can keep the other links unaffected by such kinds of threats, or in other words, is it possible to stop the traffic within the same link itself?

For example, in the diagram above there are three links. Suppose there is ARP poisoning from the users connected to OMNI (A)... but the customers connected to OMNI (B) and OMNI (C) also feel affected. What and where is the solution?

Re: can mikrotik stop this?

Posted: Mon Oct 13, 2008 4:43 pm
by netrat
Turn default forwarding off, set the interfaces to arp reply-only, and set add-arp=yes for the dhcp server.

Re: can mikrotik stop this?

Posted: Tue Oct 14, 2008 3:58 pm
by bushy
Replace the Netgear with an RB450 too, for more control.

Re: can mikrotik stop this?

Posted: Thu Oct 16, 2008 10:02 am
by wireless12
Dear @bushy, @netrat,

Sorry, but I don't think that this will solve my problem.

Actually, I want the traffic of one link not to clash with the traffic of any other link.
Secondly, I am not using any DHCP server or PPPoE server. I am using a gateway server by which I issue a fixed local IP to my clients to access the internet, and bind this IP address with the MAC address of the client access point.

For example:

I have a customer on the link connected to OMNI (A).
I issue IP address 172.17.2.14, subnet = 255.255.255.252, gateway = 172.17.2.13,
preferred DNS server = 172.17.2.13 to him.

The customer then feeds the TCP/IP settings issued by the server into his NIC. Now he is connected to my server and can browse the internet. Now, if this computer is infected in future, this infection can infect any other computer in the entire network.

What I want is this: let this computer infect other computers which are running on the same link, I have no problem up to this point... but can it be made possible that this infection will not move to other links which are already meshed with the infected link through the Netgear switch?

CAUTION:
Only one single server is feeding all these three links, meaning that I can use an IP address issued by the server at any client computer at any of the three OMNIs.

Re: can mikrotik stop this?

Posted: Thu Oct 16, 2008 12:35 pm
by janisk
Set up a firewall rule that will disallow communication with other subnets. If you do not want to do that, you cannot tell the difference between infection and normal traffic, so you can either disable communication or allow it.
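Putting netrat's suggestions (default forwarding off, ARP reply-only, static bindings in place of DHCP add-arp) and janisk's (a forward rule that blocks the other links' subnets) into RouterOS commands, as an added example that is not from any post in this thread. It assumes the per-link RB411AH routes or bridges its customers' traffic through ether1 towards the switch, and that each link's customers are numbered from a range of its own (placeholders 172.17.1.0/24, 172.17.2.0/24, 172.17.3.0/24, gateway server 172.17.0.1, wireless interface wlan1); with the single shared pool wireless12 describes, where any address can appear on any OMNI, the drop rule has nothing to match on, so the per-link ranges are the precondition for the whole approach.

```routeros
# Added example, not taken from the thread. Load the same script on the
# tower-side RB411AH of each link. All addresses, MACs and interface names
# below are placeholders to be replaced with the real ones.

# 1. Clients on the same radio may not reach each other through the AP
#    (netrat: "turn default forwarding off").
/interface wireless set wlan1 default-forwarding=no

# 2. Answer ARP only from the static table and never learn entries from the
#    air or the switch side (netrat: "arp reply-only"). A forged gratuitous
#    ARP from a client can then no longer rewrite the router's ARP cache.
/interface wireless set wlan1 arp=reply-only
/interface ethernet set ether1 arp=reply-only

# 3. With no DHCP server (wireless12 hands out fixed IPs), every binding
#    that add-arp=yes would have created must be entered by hand.
/ip arp add address=172.17.1.14 mac-address=00:00:00:00:00:01 \
    interface=wlan1 comment="customer on OMNI A (placeholder MAC)"

# 4. janisk's rule: customers may talk to the gateway server, never to a
#    customer range on another link. Each router only forwards its own
#    link's traffic, so one list covers all three links.
/ip firewall address-list
add list=customer-links address=172.17.1.0/24 comment="link A (placeholder)"
add list=customer-links address=172.17.2.0/24 comment="link B (placeholder)"
add list=customer-links address=172.17.3.0/24 comment="link C (placeholder)"

/ip firewall filter
add chain=forward dst-address=172.17.0.1 action=accept comment="to gateway"
add chain=forward src-address=172.17.0.1 action=accept comment="from gateway"
add chain=forward src-address-list=customer-links \
    dst-address-list=customer-links action=drop log=yes \
    log-prefix="cross-link:" comment="keep each link's traffic on its own link"

# 5. Only if the RB411AH bridges wlan1 and ether1 instead of routing:
#    bridged frames bypass the forward chain unless this is enabled.
/interface bridge settings set use-ip-firewall=yes
```

The log-prefix on the drop rule makes a scan or ARP-poisoning outbreak visible in /log as a burst of "cross-link:" entries naming the source address on the misbehaving link.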

Re: can mikrotik stop this?

Posted: Sun Nov 02, 2008 7:14 am
by tjohnson
We have found that an inexpensive Cisco 2950 switch will do what you want. You can set up ports to be "port-protected" so they can't talk to other ports on the switch that are also port-protected.

So you put port 1 of the switch to your internet server.
Then all the other links go on ports 2, 3 and 4. Then you configure ports 2, 3 and 4 to be "port-protected", and they will only talk to port 1.

We have used this at many of our tower locations where we have 20+ APs, and this keeps the traffic and virus traffic from infecting other people as easily.

These switches can be found on eBay for $150 or so.