I currently have an RB/433 setup as follows
eth1 - wan connection
eth2, eth3, wlan1 all bridged together and dhcp server is enabled on the bridge.
I also have a hotspot setup on bridge1.
wireless clients can access the wireless connection without a problem and
receive the hotspot login page.
I wanted to prevent the wireless clients from being able to access any clients on
eth2 and eth3. What would be the best way to do this. I was going to setup
VLAN on eth2 and eth3 and let these ports communicate to each other but, not put
wlan1 on this VLAN. Is their a better way.
Thanks for the help.
Re: restricted hotspot access
If you want none of the bridged ports to talk to one another you can very elegantly use bridge horizons to prevent ports from talking: http://wiki.mikrotik.com/wiki/MPLSVPLS# ... n_bridging
Otherwise - some ports in the bridge do need to talk to one another - use bridge filters based on in-interface and out-interface: http://wiki.mikrotik.com/wiki/Manual:In ... e_Firewall
For example, if ether1 and ether3 can talk but wlan1 can't talk to either:
Code: Select all
/interface bridge port
set [find interface=ether1] horizon=1
set [find interface=ether3] horizon=1
set [find interface=wlan1] horizon=1
For example, if ether1 and ether3 can talk but wlan1 can't talk to either:
Code: Select all
/interface bridge filter
add chain=forward in-interface=ether1 out-interface=ether3 action=accept
add chain=forward in-interface=ether3 out-interface=ether1 action=accept
add chain=forward action=drop
Re: restricted hotspot access
@fewi: I've always wondered if horizon is more efficient than filters. Or is it essentially the same just much easier to configure?
Re: restricted hotspot access
You know, I have no idea. I've never tried pushing a bunch of traffic through and seeing which one performs better. I'd think bridge horizons would perform better, but that's just a hunch. If you ever try do post some numbers.
It's certainly easier to configure, and in my opinion more foolproof. Not nearly as many conditions to cover when there's more ports involved.
It's certainly easier to configure, and in my opinion more foolproof. Not nearly as many conditions to cover when there's more ports involved.
Re: restricted hotspot access
Hi man ,
You can use a bridge filter to prevent it
use this filter and tell me if it solve your problem
/interface bridge filter
add action=drop chain=forward comment="" disabled=no mac-protocol=ip
add action=drop chain=forward comment="" disabled=no mac-protocol=arp
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe-discovery
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe
add action=drop chain=forward comment="" disabled=no packet-type=broadcast
add action=drop chain=forward comment="" disabled=no packet-type=multicast
You can use a bridge filter to prevent it
use this filter and tell me if it solve your problem
/interface bridge filter
add action=drop chain=forward comment="" disabled=no mac-protocol=ip
add action=drop chain=forward comment="" disabled=no mac-protocol=arp
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe-discovery
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe
add action=drop chain=forward comment="" disabled=no packet-type=broadcast
add action=drop chain=forward comment="" disabled=no packet-type=multicast
-
-
walkbyfaith
Frequent Visitor
- Posts: 80
- Joined:
Re: restricted hotspot access
Thanks for the help alexandro. That did it.
Re: restricted hotspot access
You Wellcome