titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Hotspot: Change subnet after login or isolate unlogged users

Thu Jul 28, 2022 11:12 am

Hello,

For about a year I have had a MT configured and working perfectly as a Hotspot. I have 3 APs connected to it with no password (like hotels), because some people had problems if I put a password on the WiFi and then they had to log in at the hotspot afterwards.
The problem is that everyone who connects to the WiFi can see all devices that are connected to the WiFi (logged-in and not-logged-in devices), and I want to change that for security reasons.

DHCP pool: 192.168.10.X/24
Logged pool: 192.168.11.X/24

I tried changing the pool (Hotspot -> user profiles -> address pool) but it only changes internally (if I check on my device after login I have a 192.168.10.X IP, but in the hotspot page I see a 192.168.11.X IP).

Is there something I can do to change that? I don't want other devices that are not logged in to be able to see all the logged-in devices or hack them.

Thanks,
Last edited by titopuentes on Fri Jul 29, 2022 9:08 am, edited 1 time in total.
 
afuchs
Frequent Visitor
Posts: 81
Joined: Wed Jul 03, 2019 11:10 am

Re: Hotspot: Change subnet after login

Thu Jul 28, 2022 11:41 am

An interesting topic.
I don't think that you can get this kind of security by changing the subnet only at the IP level;
I think you are looking for client isolation (there are some articles here like "Wireless Client Isolation" viewtopic.php?t=173693).
 
titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Re: Hotspot: Change subnet after login

Thu Jul 28, 2022 11:54 am

An interesting topic.
I don't think that you can get this kind of security by changing the subnet only at the IP level;
I think you are looking for client isolation (there are some articles here like "Wireless Client Isolation" viewtopic.php?t=173693).
If I could change the subnet for logged-in users I could isolate them from the rest. Actually, devices that are not logged in can't access the internet, but they can ping or do something else to a logged-in device. That's what I want to prevent.
I thought about isolating everyone, but that would kill sharing between logged-in devices. Am I right?
 
titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Re: Hotspot: Change subnet after login or isolate unlogged users

Fri Jul 29, 2022 9:20 am

Is it possible to isolate only unlogged users?
 
pe1chl
Forum Guru
Posts: 10223
Joined: Mon Jun 08, 2015 12:09 pm

Re: Hotspot: Change subnet after login or isolate unlogged users

Fri Jul 29, 2022 11:22 am

Yes, that is controlled by the "default forward" setting in the Wireless interface. When this is not set, clients do not see each other. They can still access the internet via the router.
Of course that can cause issues for some users. E.g. you would not be able to access a Chromecast that is on the WiFi from your device which is also on the WiFi.
You can then add trusted users in the MAC address list and allow forwarding for them.
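As an added example (not from pe1chl's post), the RouterOS commands for the two steps described above: turning off default forwarding on a wireless interface, then re-enabling forwarding only for trusted clients through the wireless access list. The interface name wlan1 and the MAC address are assumed placeholders.

```routeros
# Added example, not from the thread. Assumes the AP interface is wlan1 and
# that the MAC address below is a placeholder for a trusted device.
/interface wireless
set [find default-name=wlan1] default-forwarding=no

# Per-client exception: a client matched by this access-list entry may forward
# to other clients on the same AP even though default-forwarding=no.
/interface wireless access-list
add interface=wlan1 mac-address=AA:BB:CC:DD:EE:FF forwarding=yes comment="trusted: Chromecast (placeholder MAC)"

# Verify the interface-wide default and the per-client exceptions
/interface wireless print detail where name=wlan1
/interface wireless access-list print where forwarding=yes
```

The forwarding flag is evaluated per client, so for a two-way exchange such as phone to Chromecast both devices need an access-list entry with forwarding=yes; everything without an entry falls back to the interface default and stays isolated.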
 
titopuentes
just joined
Topic Author
Posts: 23
Joined: Tue Apr 14, 2020 1:02 pm

Re: Hotspot: Change subnet after login or isolate unlogged users

Mon Aug 29, 2022 11:28 am

Yes, that is controlled by the "default forward" setting in the Wireless interface. When this is not set, clients do not see each other. They can still access the internet via the router.
Of course that can cause issues for some users. E.g. you would not be able to access a Chromecast that is on the WiFi from your device which is also on the WiFi.
You can then add trusted users in the MAC address list and allow forwarding for them.
Thanks, but my MT doesn't have a wireless interface. I need another solution.
 
AidanAus
Member Candidate
Posts: 177
Joined: Wed May 08, 2019 7:35 am
Location: Australia

Re: Hotspot: Change subnet after login or isolate unlogged users

Thu Sep 01, 2022 9:23 am

The way the hotspot works is by adding a heap of firewall rules in the filter and NAT tables; this enables you to get the behaviour of not being able to browse without being logged in, being redirected to the hotspot login page, etc.

Same-subnet communication is below layer 3 and sits at layer 2, as the devices will use ARP to figure out where everything is; this will bypass the firewall etc. as it will stay in the bridge section of the packet flow: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow

To fix this you could go to the bridge and enable IP firewall; doing so will disable HW offloading, so all the bridge forwarding will now be done by the CPU rather than the switch chip, if your device has one.
The other option is to filter this traffic in the bridge filters section. I am not 100% sure if there are any devices that can hardware-offload this, but most of them will also do this in the CPU; the benefit of filtering the traffic here is that it will all stay in the bridge section, so you won't have to worry about this traffic being processed through the IP firewall as well.

The best way of doing this is through port isolation down the road on the switches connecting to the devices. For instance, if you look at https://wiki.mikrotik.com/wiki/Manual:S ... _isolation it will give you an example of how to set up port isolation so ports can talk to and from your uplink but not to each other for the CSS/switch OS devices, and https://wiki.mikrotik.com/wiki/Manual:S ... _isolation will show you where to configure this on RouterOS; you just have to use your imagination on how to set up the same sort of thing :)
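As an added example (not from AidanAus's post), the two RouterOS approaches described above written out: bridged traffic sent through the IP firewall so that hotspot login state can be matched, and a bridge filter that isolates AP ports from each other without touching the IP firewall. Assumed names: bridge ports ether2-ether4 for the APs, ether1 as uplink, and the thread's 192.168.10.0/24 DHCP pool as the hotspot subnet.

```routeros
# Added example, not from the thread. Assumes AP ports ether2-ether4, uplink
# ether1, and hotspot subnet 192.168.10.0/24 (the DHCP pool from the thread).

# --- Option A: send bridged traffic through the IP firewall (disables HW offload)
/interface bridge settings
set use-ip-firewall=yes

# Client-to-client IP traffic on the same bridge now passes chain=forward, where
# the hotspot login state can be matched. Log, then drop, anything from a client
# that has not logged in towards another host in the hotspot subnet. Logged-in
# clients (hotspot=auth) are not matched, so sharing between them keeps working.
/ip firewall filter
add chain=forward hotspot=!auth dst-address=192.168.10.0/24 action=log log-prefix="hs-unauth-lan " comment="detect unlogged clients probing the LAN"
add chain=forward hotspot=!auth dst-address=192.168.10.0/24 action=drop comment="isolate unlogged hotspot clients from LAN hosts"

# --- Option B: stay in the bridge. Every AP port is isolated from every other
# AP port while the uplink (ether1) is still reachable. This blocks logged-in
# users too, which is the trade-off titopuentes asked about.
/interface list
add name=hotspot-aps
/interface list member
add list=hotspot-aps interface=ether2
add list=hotspot-aps interface=ether3
add list=hotspot-aps interface=ether4
/interface bridge filter
add chain=forward in-interface-list=hotspot-aps out-interface-list=hotspot-aps action=drop comment="AP-to-AP isolation"

# Check which rules are actually seeing traffic
/ip firewall filter print stats where comment~"unlogged"
/interface bridge filter print stats
```

Two caveats worth knowing before choosing. Option A only affects IP packets, so the bridge still forwards ARP and clients can still learn each other's MAC addresses; it just stops the pings and connections. Option B blocks all frames between AP ports, ARP included, but it cannot see two clients attached to the same AP, because that traffic never reaches the router; the AP's own client-isolation setting is still needed for those. With option A, place the rules above any general accept rule for the LAN so they are evaluated first.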
