Fri Jan 24, 2014 8:35 pm
You're not crazy at all. This is called client isolation and works very well.
There are several ways to implement it, but we'd need to see a network diagram to do more than help you understand the concepts.
ROS, at its core, is a pretty flexible and robust platform. However, there are some limits, primarily due to hardware design (some are because MT is short-sighted, some are simply because of the cost involved to use better components).
Routers such as the 450/751/493 are suitable. Bigger switches, such as the CRS may work, but may also have some performance issues. A true ASIC switch, such as Cisco will work wonderfully well (but is beyond the scope of this forum).
Now... how to do it?
1) Bridge all devices (do not use the switch chip in MT devices)
2) Set your uplink bridge port horizon=1
3) Set your isolated bridge ports to horizon=2
4) Set your printers and other shared resources to a completely different horizon
5) APs should have default forwarding turned off
Your network can be as large or as small as you want. I have one wireless network with a half dozen sites and hundreds of clients. No client can see any other client on the network, but they can all get to the gateway router. It works wonderfully well.
Good luck!
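The five steps above, written out as a RouterOS 6.x configuration. This is an added example, not part of the original post: the interface names (ether1 as uplink, ether2/ether3/wlan1 for clients, ether4 for a printer) and the bridge name are assumptions; the horizon values follow the post. The rule a bridge applies is that a frame received on a port with horizon N is never forwarded to another port with the same horizon N, while ports with different (or no) horizon values forward to each other normally.

```routeros
# Step 1: keep every port off the switch chip so frames actually reach the bridge.
# On RouterOS 6.x (before 6.41) a port assigned to a master-port is switched in
# hardware and never sees bridge horizon rules, so clear that on each client port.
/interface ethernet
set ether2 master-port=none
set ether3 master-port=none
set ether4 master-port=none

# One bridge for everything (assumed name: bridge1).
/interface bridge
add name=bridge1 protocol-mode=rstp

/interface bridge port
# Step 2: uplink toward the gateway router gets its own horizon.
add bridge=bridge1 interface=ether1 horizon=1
# Step 3: isolated client ports share horizon 2, so they cannot forward to each
# other but can still reach horizon 1 (uplink) and horizon 3 (shared resources).
add bridge=bridge1 interface=ether2 horizon=2
add bridge=bridge1 interface=ether3 horizon=2
add bridge=bridge1 interface=wlan1  horizon=2
# Step 4: printers and other shared resources on a different horizon so every
# client can reach them while clients still cannot reach each other.
add bridge=bridge1 interface=ether4 horizon=3

# Step 5: stop the AP from relaying frames between its own wireless clients;
# horizon only governs bridge ports, not station-to-station traffic inside wlan1.
/interface wireless
set wlan1 default-forwarding=no

# Quick check: the horizon column should show 1 / 2 / 2 / 2 / 3.
/interface bridge port print
```

Two caveats a practitioner will want. Horizon values are local to one bridge on one device, so on a multi-site network every AP or switch needs the same horizon plan applied to its own bridge; nothing carries it across devices. And if a future RouterOS version offers hardware offload on bridge ports, a port offloaded to the switch chip bypasses horizon exactly as a master-port assignment does here, so re-check that the isolation still holds after an upgrade by testing client-to-client ARP or ping from two isolated ports.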