CarulloS
Member
Topic Author
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Something not right with DEFAULT FORWARD in wireless AP

Sun Jan 04, 2009 10:56 pm

Either my understanding needs adjustment or the option doesn't work as expected...

Using wireless test 3.17 on the AP and clients, I check and uncheck the default forward option on the AP and it makes no difference. Either way, broadcast and normal IP traffic pass to all clients of the AP. From my understanding, unchecking the DEFAULT FORWARD option would prevent traffic from passing from one client to another.

The AP is normal AP mode with default set to add all clients to wds bridge1 as well as the ethernet and wlan1 interfaces added... Make the ap act like any other trango etc ap just passing traffic from wireless to ethernet interface.

The clients are all station wds, set up the same as the ap - one bridge with the ap added as wds dynamically and eth1 and wlan1 added as well... again just passing traffic through to the router behind the radio.

Thanks,
Scott
 
jwcn
Forum Guru
Posts: 1495
Joined: Sun Aug 27, 2006 6:49 am
Location: Maryland, USA

Re: Something not right with DEFAULT FORWARD in wireless AP

Mon Jan 05, 2009 7:06 am

Are you also using the access list? Default forward is enabled by default on ACL entries.
 
Gerard
Trainer
Posts: 336
Joined: Wed Apr 26, 2006 4:21 am
Location: Kentucky, USA

Re: Something not right with DEFAULT FORWARD in wireless AP

Mon Jan 05, 2009 3:48 pm

Due to the way WDS works, it bypasses both of the forwarding options (ac and interface default). It all has to do with the virtual interfaces in the bridge that are created when the WDS link is established.

-Gerard
 
CarulloS
Member
Topic Author
Posts: 406
Joined: Thu Feb 02, 2006 5:52 am

Re: Something not right with DEFAULT FORWARD in wireless AP

Tue Jan 06, 2009 9:17 am

Thanks for the clarification Gerard. This brings up more questions though...

Is it then safe to assume that there is no technical difference between selecting default forward on or off if using wds/bridge for interfaces? Not sure if one is slightly more efficient than the other depending on the internal path difference of the packets within MT. I've seen no difference from my tests but just would like your answer as well or perhaps the official MT answer.

Does MT act like a switch at this point? Broadcasts go out all interfaces, ip traffic only goes between interfaces and wireless clients that are required etc.... If I have one ethernet and 6 wireless clients - and one of them is downloading internet files via ethernet port then only the one wireless client sees any of the ip traffic it is creating, correct... I'm sure it works this way but I need to understand 100% :) Any other ideas or thoughts you have on this would be appreciated.

Our network was mostly all Trango gear which actually inherently prevented traffic from one client to another on the same ap. I would say that for the most part this was beneficial although every once in a while it created a problem (you could add clients to a group to communicate but it was sort of ugly). I believe it made for a bit more efficient operation.

Having said that - I'm sure there is a way to make this behave the same but I'm not sure it would help performance unless the network had lots of broadcasts - which mine doesn't. Only routers are hooked to my network and the subnets are /24 max so really aside from some arp and dynamic routing traffic broadcasts are light.

Thanks,
Scott
 
uldis
MikroTik Support
Posts: 3446
Joined: Mon May 31, 2004 2:55 pm

Re: Something not right with DEFAULT FORWARD in wireless AP

Tue Jan 06, 2009 10:29 am

If you are using WDS on the AP and you are bridging all together then the default-forwarding will not work. The blocking should be done in the bridge firewall section then.
 
Mplsguy
MikroTik Support
Posts: 227
Joined: Fri Jun 06, 2008 5:06 pm

Re: Something not right with DEFAULT FORWARD in wireless AP

Tue Jan 06, 2009 11:15 pm

> Is it then safe to assume that there is no technical difference between selecting default forward on or off if using wds/bridge for interfaces? Not sure if one is slightly more efficient than the other depending on the internal path difference of the packets within MT. I've seen no difference from my tests but just would like your answer as well or perhaps the official MT answer.

Yes, you are right, default-forwarding option does not affect wds connections in any way, so as long as you have only WDS clients, there is no difference whether default-forwarding (or forwarding setting from ACL) is on or off.

It is best to think of WDS link as some virtual point-to-point tunnel that just happens to use underlying WLAN interface - everything sent to WDS interface will just come out the WDS interface on the other side and does not go through "regular" processing that happens inside wireless interface (and this "regular" processing is where forwarding option is taken into account).

Note that this special treatment of WDS links makes some setups more tricky - e.g. to allow 2 "regular" clients to communicate (at layer 2) you must make sure that default-forwarding is on. To make 1 WDS client and 1 regular client communicate (at layer 2) you must bridge wlan interface and WDS interface.

> Does MT act like a switch at this point? Broadcasts go out all interfaces, ip traffic only goes between interfaces and wireless clients that are required etc.... If I have one ethernet and 6 wireless clients - and one of them is downloading internet files via ethernet port then only the one wireless client sees any of the ip traffic it is creating, correct... I'm sure it works this way but I need to understand 100% :) Any other ideas or thoughts you have on this would be appreciated.

I'm not sure which setup you consider being a switch - either the WDS case or non-WDS case, but the general processing rules on AP are as follows:

When packet is sent out WDS interface (no matter if it is broadcast or unicast), it gets sent right to the other end of WDS link. Packet is sent as wireless unicast, therefore delivery is ensured (using retry mechanisms) and rate selection is used (this ensures optimal throughput). When packet is received from WDS peer, it is processed as received over WDS interface right away.

When packet is sent out regular WLAN interface, if it is broadcast - it gets sent as wireless broadcast (no retries, lowest basic rate) so that all registered clients can receive it. If it is unicast - it gets sent as wireless unicast to the client specified by destination MAC address, if there is no such client, packet is dropped. When packet is received from regular (non-WDS) peer, its processing depends on whether it is broadcast or unicast - broadcast is processed locally (as received from WLAN interface) and additionally (but only if forwarding is enabled) sent back into air so that other clients can see it. If packet is unicast, destination address is looked up in registration table - if there is no such, packet gets processed locally (as received from WLAN interface), if destination is in registration table - packet gets forwarded to it (if forwarding enabled, otherwise it gets dropped).

By knowing how bridge works you can figure out what will happen when WLAN&WDS interfaces are used as bridge ports in different combinations. But I guess in any case answer to your question is - yes, traffic only gets sent to client to which it is destined (provided that sender knows where that destination is - that is, in case of bridge has learned where is the destination).
> Our network was mostly all Trango gear which actually inherently prevented traffic from one client to another on the same ap. I would say that for the most part this was beneficial although every once in a while it created a problem (you could add clients to a group to communicate but it was sort of ugly). I believe it made for a bit more efficient operation.
>
> Having said that - I'm sure there is a way to make this behave the same but I'm not sure it would help performance unless the network had lots of broadcasts - which mine doesn't. Only routers are hooked to my network and the subnets are /24 max so really aside from some arp and dynamic routing traffic broadcasts are light.

You are right - performance-wise disabling forwarding will help by reducing amount of broadcasts in the air, but this can only be used if clients of the same AP do not have to communicate.
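
The receive-path rules from the post above, written as a small Python model (an added example, not MikroTik code; the function names, action strings and MAC addresses are constructed for illustration). It shows why turning default-forwarding off isolates regular stations but not WDS clients bridged together, where only a bridge filter rule does; the bridge filter is modelled as a single boolean.

```python
from dataclasses import dataclass

BROADCAST = "ff:ff:ff:ff:ff:ff"
A, B = "02:00:00:00:00:0a", "02:00:00:00:00:0b"   # constructed client MACs


@dataclass(frozen=True)
class Frame:
    src: str
    dst: str


def ap_receive(frame, via_wds, registration_table, forwarding):
    """Actions the AP takes for a frame received over the air.

    via_wds            -- True if the sender is a WDS peer, False for a regular station
    registration_table -- MACs of regular (non-WDS) clients registered on the wlan interface
    forwarding         -- effective default-forwarding (or ACL forwarding) setting
    """
    if via_wds:
        # WDS frames skip the wlan interface's "regular" processing,
        # so the forwarding flag is never consulted.
        return ["deliver-to-wds-interface"]
    if frame.dst == BROADCAST:
        actions = ["deliver-to-wlan-interface"]      # processed locally
        if forwarding:
            actions.append("rebroadcast-on-air")     # other clients see it
        return actions
    if frame.dst in registration_table:
        return ["forward-to-client"] if forwarding else ["drop"]
    return ["deliver-to-wlan-interface"]             # unknown dst: local processing


def isolated(via_wds, forwarding, bridge_drop_rule=False):
    """True if a unicast frame from client A cannot reach client B on the same AP."""
    table = set() if via_wds else {A, B}
    actions = ap_receive(Frame(A, B), via_wds, table, forwarding)
    if via_wds:
        # Each WDS link is a port of the same bridge; the bridge forwards
        # between ports unless a bridge filter rule drops the frame.
        return bridge_drop_rule
    return "forward-to-client" not in actions


if __name__ == "__main__":
    for wds in (False, True):
        for fwd in (True, False):
            print(f"wds={wds!s:5} forwarding={fwd!s:5} isolated={isolated(wds, fwd)}")
    print("wds=True  with bridge filter drop ->", isolated(True, False, True))
```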
