5009Owner
newbie
Topic Author
Posts: 33
Joined: Sun Jan 09, 2022 9:09 am

Intra-bss traffic blocking

Sat Sep 10, 2022 9:37 am

Scenario:
One port from 5009 is connected to Zyxel NWA55AXE access point.
There is possibility in Zyxel to block intra-bss traffic.
As far as I understand, that blocks clients in the same SSID from seeing each other.
I wonder how secure intra-bss traffic blocking is. Any experience?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Intra-bss traffic blocking

Sun Sep 11, 2022 2:56 pm

By the sounds of it, it's more or less the same as setting default-forwarding=no on a MikroTik wireless interface. It doesn't cover communication between clients connected to a different frequency band (=another wireless interface) in the same AP with the same SSID, though.

How secure is it? This setting is a pebble in the security mosaic, nothing less and nothing more.
 
5009Owner
newbie
Topic Author
Posts: 33
Joined: Sun Jan 09, 2022 9:09 am

Re: Intra-bss traffic blocking

Mon Sep 12, 2022 8:59 am

So, because the NWA55AXE is VLAN-capable, I should create VLANs in the 5009 and configure them on the port where the NWA55AXE is connected?
I suppose then wireless clients are totally separated?
Wireless connections are not perfectly familiar to me. So, if I have two SSIDs and they have different WPA2 passwords, are they isolated without VLANs?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Intra-bss traffic blocking

Mon Sep 12, 2022 9:34 pm

I can't say about Zyxel, but it's customary that different SSIDs are "connected" to different VLANs ... which makes the AP and ethernet setup as separated as multiple independent APs would be. If switches and router are configured properly, SSIDs are separated from each other.

Be aware that SSID separation cannot be taken for granted. In ROS it's possible to connect different SSIDs to the same bridge (switch), and then the SSIDs are not separated at all.
 
5009Owner
newbie
Topic Author
Posts: 33
Joined: Sun Jan 09, 2022 9:09 am

Re: Intra-bss traffic blocking

Tue Sep 13, 2022 9:10 am

So, to be on the safe side, I should configure VLANs in the 5009 router and use those VLANs in the Zyxel. One VLAN per SSID.
My idea is to have one SSID for myself. The other(s) for example for TV and guests.
Then I can change only the guest password when necessary, without having to touch my laptop, TV and all other SSID passwords.
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: Intra-bss traffic blocking

Tue Sep 13, 2022 9:16 am

Don't forget to adjust firewall rules on RB5009 so that different SSIDs/VLANs are not allowed to talk to each other.
 
jbl42
Member Candidate
Posts: 214
Joined: Sun Jun 21, 2020 12:58 pm

Re: Intra-bss traffic blocking

Wed Sep 14, 2022 9:47 pm

At least for the Zyxel APs I have used so far, intra-bss blocking blocks communication between clients (STAs) on the same AP using the same SSID, independent of the 2.4/5GHz band.
Other brands call the same feature client isolation. This is often used for public APs in hotels, bars, shops etc. for security reasons.
As long as there is no FW bug, this is safe. Because of how WiFi works, clients (STAs) cannot talk to each other without going through the AP. So it is easy to block on the AP.

For different SSIDs on the same AP, as others suggested, it is recommended to configure a different VLAN for each SSID on the Zyxel AP. This allows you full flexibility on the RB5009: bridge SSIDs to the same L2 domain, run different IP subnets with routing and FW forwarding rules between SSIDs, or complete isolation.
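As an added worked example (not from any poster in this thread), the "one VLAN per SSID, firewall blocks inter-VLAN traffic" setup that mkx and jbl42 describe, written as RouterOS v7 commands for the RB5009. It assumes the AP hangs off ether2 and tags SSID traffic as VLAN 10 (home) and VLAN 20 (guest), and that the default WAN interface list already exists; DHCP servers and NAT are omitted.

```routeros
# VLAN-aware bridge; ether2 carries only tagged SSID VLANs from the AP
/interface bridge
add name=bridge1 vlan-filtering=no
/interface bridge port
add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged ingress-filtering=yes
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=10 comment="home SSID"
add bridge=bridge1 tagged=bridge1,ether2 vlan-ids=20 comment="guest SSID"

# One L3 interface and subnet per SSID (addresses are constructed examples)
/interface vlan
add interface=bridge1 name=vlan10-home vlan-id=10
add interface=bridge1 name=vlan20-guest vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-home
add address=192.168.20.1/24 interface=vlan20-guest

# Group both SSID VLANs so a single rule can forbid talking across them
/interface list
add name=LAN
/interface list member
add interface=vlan10-home list=LAN
add interface=vlan20-guest list=LAN

# Forward chain: each SSID reaches the internet, never the other SSID
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="reply traffic"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="SSIDs -> internet"
add chain=forward action=drop in-interface-list=LAN out-interface-list=LAN comment="no inter-VLAN traffic"
add chain=forward action=drop comment="anything not explicitly allowed"

# Enable filtering last, after tagged VLAN table is complete, to avoid lock-out
/interface bridge set bridge1 vlan-filtering=yes
```

Check the result with `/ip firewall filter print stats` while pinging a home-VLAN address from a guest client: the drop counter on the inter-VLAN rule should increase and the ping should fail.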
