nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

yet another "client isolation" problem

Sat Jul 09, 2016 3:00 pm

Sorry, I'm really new to this and having many problems with a Mikrotik RB2011UiAS which I can't configure as I need.. anyway I'm trying to see a problem at a time.
Also my technician did most of the setup but still some problems remain. Please talk to me like I'm 12 :? (in RouterOS I might be even six years old..)

So the setup:
1 RB2011UiAS connected to an Archer D2 connected to a DSL line.

- on the Mikrotik there are two Nanostations M2 working as AP to 2.4 devices (laptops, smartphones etc. AirMAX off, 20MHz)
- Nanostations are in bridge mode
- Mikrotik is 192.168.1.10 (ether1) to Archer D2 and 192.168.20.1 to Nanostations.
- Nanostation 1 is 192.168.20.2 in ether3 and Nanostation 2 is 192.168.20.3 in ether4
- on each Nanostation Client isolation is ON

What happens is that each client (of the Nanostation) can't see the other clients in the same Nanostation (as it should)
BUT in a scan (for example with Fing for Android) it can see 192.168.20.1, 192.168.20.2, 192.168.20.3 AND all the clients on the other Nanostation... :/

Question: is there any way that each client in any Nanostation can see only himself and its gateway?
(a trick tried with add ARP for leases in the dhcp and something else that I don't remember by someone who knows more than me resulted that the clients indeed could see only themselves - not the gateway- in scan BUT also some clients could not get internet connectivity at all -android devices-)

I understand that what I'm asking might be impossible since all I want is to replicate the client isolation of the Nanostation (only the client and the gateway can be seen). If so then I might have the wrong equipment.
 
InoX
Forum Guru
Posts: 1966
Joined: Tue Jan 09, 2007 6:44 pm

Re: yet another "client isolation" problem

Sat Jul 09, 2016 5:01 pm

Ubnt client isolation never worked for me. Too many timeouts. Also you can't isolate clients if they all are in layer 2.
 
smunaut
newbie
Posts: 26
Joined: Fri Jul 08, 2016 10:24 pm

Re: yet another "client isolation" problem

Sat Jul 09, 2016 5:57 pm

I assume both your AP are plugged in a switch ?

What you need is the switch needs to filter packets so it only allows traffic from the APs to the GW and nothing else.
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sat Jul 09, 2016 6:40 pm

> I assume both your AP are plugged in a switch ?
>
> What you need is the switch needs to filter packets so it only allows traffic from the APs to the GW and nothing else.

err.. no.. the Nanostations are plugged in Eth3 and Eth4 of the RB2011UiAS
So it can't be done on the Mikrotik then..
(previously I had them -the M2s- working as routers and doing all the work, even a big list of firewall rules to allow only basic surfing, OpenDNS etc. Never had a problem with client isolation for 3 years that I have them up. The only thing I was missing was some traffic shaping per client that's why I turned to the Mikrotik after suggestions. But it can do a lot of stuff, unfortunately not what I wanted.. :/ From a really basic user's point of view and from what I read they are like a spaceship that can take you to the moon. Given to you in parts in a plastic bag. With assembly instructions from IKEA.
Guess I'll have to return it..)
 
smunaut
newbie
Posts: 26
Joined: Fri Jul 08, 2016 10:24 pm

Re: yet another "client isolation" problem

Sat Jul 09, 2016 7:59 pm

I don't know the RB2011UiAS in details, but if it supports placing bridging firewall rules between eth3 and eth4, it should work just fine.
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sat Jul 09, 2016 8:32 pm

> I don't know the RB2011UiAS in details, but if it supports placing bridging firewall rules between eth3 and eth4, it should work just fine.

you mean like this here: http://forum.mikrotik.com/viewtopic.php?t=50190#p255295
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 1:28 pm

> I don't know the RB2011UiAS in details, but if it supports placing bridging firewall rules between eth3 and eth4, it should work just fine.

I tried this
add action=drop chain=forward in-interface=ether3 out-interface=ether4
add action=drop chain=forward in-interface=ether4 out-interface=ether3

but
Clipboard-2.png

sorry you mean that?
Clipboard-5.png
Last edited by nikant on Sun Jul 10, 2016 1:42 pm, edited 1 time in total.
 
smunaut
newbie
Posts: 26
Joined: Fri Jul 08, 2016 10:24 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 1:42 pm

And you tried adding this to "/interface bridge filter" ? (and _NOT_ /ip firewall )
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 1:43 pm

> And you tried adding this to "/interface bridge filter" ? (and _NOT_ /ip firewall )

was writing the edit above.. with a new screenshot..
 
smunaut
newbie
Posts: 26
Joined: Fri Jul 08, 2016 10:24 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 1:50 pm

Yes and ?  Does it not work ?

Rules get matched, so I expect the packets to be dropped as requested ...
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 1:57 pm

> Yes and ?  Does it not work ?
>
> Rules get matched, so I expect the packets to be dropped as requested ...

:D it seems so! is there a thank you button? I think we have one problem solved..

next up my firewall
 
sup5
Member
Posts: 359
Joined: Sat Jul 10, 2010 12:37 am

Re: yet another "client isolation" problem

Sun Jul 10, 2016 4:06 pm

These rules seem too complicated to me.

Just use horizon bridging instead. It will do what other vendors call Port Isolation or Private VLAN Edge.
 
nikant
just joined
Topic Author
Posts: 24
Joined: Sat Jul 09, 2016 2:31 pm

Re: yet another "client isolation" problem

Sun Jul 10, 2016 6:16 pm

> These rules seem too complicated to me.
>
> Just use horizon bridging instead. It will do what other vendors call Port Isolation or Private VLAN Edge.

obviously there is more than one way to do it.. as I said in my first post I'm Mikrotik illiterate.
you do mean the following don't you?
Clipboard-6.png
my Nanos are in ether3 and ether4
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: yet another "client isolation" problem

Mon Jul 11, 2016 5:52 pm

>> These rules seem too complicated to me.
>>
>> Just use horizon bridging instead. It will do what other vendors call Port Isolation or Private VLAN Edge.
>
> obviously there is more than one way to do it.. as I said in my first post I'm Mikrotik illiterate.
> you do mean the following don't you?

Yep. That's what he means. It's very simple to do and lets your lan bridge use fastpath, where bridge filters disable fastpath.
Essentially, what horizon does is say that if a packet is received on a horizon (you set horizon=1), then it may not leave the bridge on any port with that same horizon value.
So all horizon=1 are blocked from talking to each other, but they can talk to all other horizons (and ports without a horizon).
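
The two approaches discussed in this thread, side by side, as an added example that is not taken from any post. It assumes ether3 and ether4 (the two Nanostations) are already ports of the same bridge and that the gateway address 192.168.20.1 sits on that bridge; the horizon value 1 follows ZeroByte's description.

```routeros
# Added example, not from the thread's authors.
# Assumption: ether3 and ether4 are already ports of the same bridge.

# Option A (the rules nikant applied): bridge filter.
# The rules belong under /interface bridge filter, not /ip firewall,
# because traffic between ether3 and ether4 is bridged at layer 2.
/interface bridge filter
add chain=forward in-interface=ether3 out-interface=ether4 action=drop
add chain=forward in-interface=ether4 out-interface=ether3 action=drop

# Option B (sup5 / ZeroByte): split horizon, used instead of option A.
# Remove the option A rules first so the bridge no longer needs filters.
/interface bridge filter
remove [find chain=forward in-interface=ether3 out-interface=ether4]
remove [find chain=forward in-interface=ether4 out-interface=ether3]

# Frames received on a horizon=1 port may not leave through another
# horizon=1 port. Ports without a horizon stay reachable.
/interface bridge port
set [find interface=ether3] horizon=1
set [find interface=ether4] horizon=1

# Check the result: both AP ports should show horizon=1 and the
# filter list should no longer contain the two drop rules.
/interface bridge port print detail
/interface bridge filter print
```

Neither option affects traffic between two clients of the same Nanostation, since those frames never cross the RB2011 bridge. The Nanostations' own client isolation setting still has to stay on for that.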