Is there a way on my headend MT box to block all client to client communication? They are all on the same subnet and I'm not using pppoe.

forget! No way to block communication between clients in the same broadcast domain.

No that's not true. You can do it by adding only one firewall rule.

for example if internal network is 192.168.0.0/24 :
chain=forward dst-address=192.168.0.0/24 action=reject
reject-with=icmp-network-unreachable

Didn't work for me!

post your firewall rules

Didn't work for everyone...
For example:
ISP --- MK ----PC1
|
|---PC2

Communication between PC1 and PC2 occurs when PC1 sends ARP request Who is AAAA.BBBB.CCCC and PC2 replays with I'm and I have 1.2.3.4 IP address... MK (Mikrotik) is not a part of this communication so your firewall rules won't work.
If nobody replays on PC1 request then all packets send to the default gateway (in example our MK) and he know about host with AAAA.BBBB.CCCC MAC address or know path to their default gateway

If the clients are on the same Ethernet segment, then they talk directly to each other and the Mikrotik is not involved. The clients determine who is on their local segment by network masks in the routing table. If, when you assign an IP address to your clients, you make the mask a /32 (255.255.255.255) then all packets are sent to the default gateway, your Mikrotik, and your firewall rule will work. Of course, someone could just change their mask and talk to other clients directly.

To really isolate everyone, you would need to put them all on virtually separate networks using VLAN's. Each client would be on a separate VLAN with seperate IP segments and that would force all clients to go through the router.

Of course, if physical security is not maintained, anyone can subvert the isolation.

Simple answer: Bridge firewall

A bridge firewall will not help if the clients are all on the same layer 2 network. If an IP stack determines that the destination host is on the same segment, it will do an ARP broadcast and get the Mac address of the host with that destination IP address on the segment. The packet can then be sent directly to the destination. The bridge firewall will not be involved.

So how can you dynamically assign a 32bit subnet to each client so that they can only talk to the router and themself?

Have your DHCP server put out a network mask of 255.255.255.255 or /32. The network mask the DHCP server sends is just a value which gets used by the client. The DHCP server itself doesn't care what the value is, e.g. it doesn't have to match the netmask used on the IP address of the router interface.

A bridge firewall will not help if the clients are all on the same layer 2 network. If an IP stack determines that the destination host is on the same segment, it will do an ARP broadcast and get the Mac address of the host with that destination IP address on the segment. The packet can then be sent directly to the destination. The bridge firewall will not be involved.

/interface bridge firewall - it is Layer-2 filter!!!!

If you have setup "client----bridge---client" you can filter and block anything you like

That's correct if the clients are not in the same broadcast domain and can only communicate through the Mikrotik ports. If the multiple clients are connected to one switch and multiple clients connected to a second switch, and further, both switches connect to the Mikrotik, then clients on the first switch can freely communicate with each other and the Mikrotik cannot stop it. Clients on the second switch can also freely communicate with each other; however clients on switch 1 must go through the Mikrotik to communicate with clients on switch 2 and then your "Layer-2 filter!!!!" can stop the communications.

This was the second post, "forget! No way to block communication between clients in the same broadcast domain" which was followed up with firewall rule suggestions which are ineffective when clients are in the same broadcast domain. This is the point we are dealing with here.

"forget! No way to block communication between clients in the same broadcast domain"

Yep.... the only way to block communication between clients in the same broadcast domain is... put clients into different domains e.g. VLANs or use some restrictions on local machines (for example: block traffic with local firewall settings and manage these rules with AD)

Hi all.
I am trying to achieve exactly what you are discussing here.
Isolate clients in wire network. As I undestand I need to setup different vlan for each port wich will be used by client and setup Mikrotik brige in front of them. Can somebody tell a bit more about this solution?
I wan't to use hotspot with universal client to not having to setup ip addresses on clients computers. So, should I setup brige in front of client and forward all traffic to second Mikrotik with Hotspot installed?
Will it be workable solution?

wired or wireless

jwcn

wired