I am testing a remote wireless link I intend to install, for the purpose of backhauling both camera video and WiFi clients. I want to 'isolate' anyone connected to the WiFi ESS from access to the video stream. I think I want to establish two separate VLANS, putting the camera on one, and the WiFi APs on the other, then bridge them to the appropriate physical interfaces. The WAN is connected to the root bridge ether1 port. No static routes assigned - only dynamic instances.

I must have a fundamental misunderstanding of how to accomplish this, as I can ping from any host attached to either bridge/VLAN to any other host - even though they are are on separate subnets/VLANS. In other words, I'm getting no isolation. For example, client host 10.10.30xxx can ping 10.10.20.30, and visa versa. Of course, I can also ping from client host 10.10.20.xxx to client host 10.10.20.xxz as well, as they are on the same subnet.

However, when I use the ping feature from either router, I can only ping either of the subnets when pinging from the appropriate bridge - i.e., on either router, pinging 10.10.20.xxx only works from bridge2, and pinging 10.10.30.xxx only works when pinging from the bridge3 interface.

I have installed many PtP video backhaul links and several PtmP BSS/ESS's but this is my first attempt to integrate and 'isolate' these applications.

Any help from the wizards out there will be much karma'ed....

I hope I've attached the screen captures properly.

The router will route between the vlans, if its set as the default gateway for the clients.

You'll need to also set up firewall rules to drop the inter trunk traffic - or if in the same bridge, i think you could use the horizon feature on the bridge.

TheWifiGuy is right. The board will route it for you, even if you don't want it to. Firewall rules is the only way I know.

You will set like src=wireless subnet dst=video subnet action=drop.

Thanks, TheWiFIGuy and Oldman.

I should have assumed so. I see I could use several methods here, from marking (with Mangle) packets from either bridge interface and using that in the Firewall Rule, or the source address, or source port, etc.

As I do want to enable 'secret' access to the video VLAN from the WiFi VLAN (for local maintenance), I think I'll try to use the source interface, and use the exception flag in 'source port' for a 'secret' port number (tcp), and drop all else.

Thanks for the reply, guys.