infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

How to do client isolation on LAN (ethernet port)

Thu Oct 13, 2005 4:13 am

Hi guys,

Question: How can we properly implement client isolation (prevent network shares on Windows clients) on the Ethernet LAN port?

I know that on the WLAN we can use the default forwarding feature.
I have tried blocking src port 137-139 in the firewall forward rule, but it can only block client-to-client (10.5.50.3:137 -> 10.5.50.4:137) NetBIOS traffic; it lets the broadcast (10.5.50.255:137) pass through.

I guess the way to effectively block Windows NetBIOS (Network Neighborhood) traffic is to prevent the transmission of broadcast traffic on ports 137-139, but the firewall rules can't even see it (traffic seen on packet sniffer - 10.5.50.3:137 -> 10.5.50.255:137, but no entry in the log for dropped traffic).

firewall rule forward:
src=0.0.0.0/0:137-139 dst=0.0.0.0/0 prot=udp action=drop log


Help needed before I get any more complaints from my customers!

Robert S.
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Oct 13, 2005 10:06 am

Your question is a little bit weird. Before clients reach your router, they may already have access to the others through the switch, so you need a managed switch to isolate ports... You have to show where the entry is. Wireless port? What does your network diagram look like?
 
infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Thu Oct 13, 2005 11:11 am

My problem is how to prevent windows clients on my Hotspot LAN from seeing each other and/or including their shared resources.

internet --->(ether port1) MT Hotspot (ether port2) --> Hotspot LAN

Facts:
On a windows network neighborhood, a "Browser server" is elected and provides information about a domain/workgroup, which it gathers by listening to the registrations "broadcast" by machines at boot time.

example traffic detected by packet sniffer:
src-10.5.50.3:138 --> dst- 10.5.50.255:138

firewall rule forward:
src=0.0.0.0/0:137-139 dst=0.0.0.0/0 prot=udp action=drop log

LOG:
no logged dropped traffic

The firewall rule above only drops packets that are directed to another client workstation:
ex. 10.5.50.3:137 -> 10.5.50.4:137

assumption:
1. MT cannot drop broadcast traffic (of course I may be wrong!)

Question:
How can we drop the client registration broadcast on ports 137-139 to prevent it from registering to any "broadcast server"? Dropping the packets before they can even be registered would avoid the election of a broadcast server among the clients and prevent clients from seeing one another inside the hotspot network.

1. Is it possible to drop broadcast traffic?
2. Is there a better way to do client isolation?


Robert S.
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Oct 13, 2005 11:17 am

I'm not sure where I read about this, but you would do better to
do so on a lower layer with bridge facilities, isolating all traffic
(not just at the IP level)...

However, one of the methods most ISPs use is setting a separate
gateway for each client, so the client will only be able to pass all traffic
through the gateway, by subnetting...

For example:
IP: 10.1.100.2
mask: 255.255.255.252
gw: 10.1.100.1
and from there you can drop all IP routes for all clients, no matter what the port is.
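
The /30-per-client scheme suggested above, worked through as an added example (not part of the original post and not MikroTik code): it carves per-client subnets from a constructed pool, 10.1.100.0/24, and shows which destinations a client treats as on-link and which it hands to the gateway. The function names and the pool are assumptions made for illustration.

```python
import ipaddress
from itertools import islice

# Constructed pool: its first /30 reproduces the 10.1.100.2 / 10.1.100.1 pair from the post.
POOL = "10.1.100.0/24"


def per_client_plan(pool, clients):
    """Carve one /30 per client: first usable host is the router, second the client."""
    plan = []
    for net in islice(ipaddress.ip_network(pool).subnets(new_prefix=30), clients):
        gateway, client = net.hosts()
        plan.append({"client": f"{client}/{net.prefixlen}",
                     "mask": str(net.netmask),
                     "gateway": str(gateway)})
    return plan


def delivery(sender, destination):
    """How a host configured as `sender` (address/prefix) sends to `destination`."""
    iface = ipaddress.ip_interface(sender)
    dst = ipaddress.ip_address(destination)
    if dst == iface.network.broadcast_address:
        return "on-link broadcast"  # one frame to the whole segment, not routed
    if dst in iface.network:
        return "on-link unicast"    # sender ARPs for the peer, the hub delivers it
    return "via gateway"            # handed to the router, so forward rules can match


if __name__ == "__main__":
    # Flat hotspot LAN from the thread: peers and the .255 broadcast are both on-link.
    # 192.0.2.10 is a constructed off-subnet destination.
    for dst in ("10.5.50.4", "10.5.50.255", "192.0.2.10"):
        print("10.5.50.3/24 ->", dst, ":", delivery("10.5.50.3/24", dst))
    # Per-client /30s: another client's address is no longer on-link.
    plan = per_client_plan(POOL, 3)
    for row in plan:
        print(row)
    print(plan[0]["client"], "-> 10.1.100.6 :",
          delivery(plan[0]["client"], "10.1.100.6"))
```

The plan only changes what each client's IP stack considers on-link; the shared hub still carries every frame, which is why the thread also points to layer-2 isolation on a managed switch.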
 
infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Thu Oct 13, 2005 11:39 am

Hellbound,

Interesting, but rather complicated for me.

I'll read more on that and try to figure out how to do it on MT.

More suggestions please.

Robert S.
 
normis
MikroTik Support
Posts: 26820
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Oct 13, 2005 12:11 pm

Impossible. The users connect to each other through the hub. They do not go through the MikroTik router.
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Oct 13, 2005 12:17 pm

> Impossible. The users connect to each other through the hub. They do not go through the MikroTik router.

Actually, we must see what the purpose is. If it is meant for security, by
setting this the user can only receive packets from their gateway, and it is
not possible to connect to that user, especially if there is a managed switch
blocking traffic to any MAC address other than the gateway (isolating them), and
in this way the clients will all be monitored by the gateway, because traffic must
pass through the server... However, it may be costly considering the price
of a managed switch, but at least it gives a level of security.
 
dot-bot
Member Candidate
Posts: 164
Joined: Tue Oct 11, 2005 7:05 pm

Thu Oct 13, 2005 12:41 pm

> internet --->(ether port1) MT Hotspot (ether port2) --> Hotspot LAN

I'm not completely familiar with wireless, but I assume that:
1. Hotspot means more than one user connects to the internet via the wireless ("Hotspot LAN") device.
2. The hotspot allows traffic between the wireless users like a hub/switch.
3. You want to disable SMB announce broadcasts and such traffic to save bandwidth of the wireless device.

If this is the case, you need to make the MT act as the switch instead of the Hotspot wireless device itself. Or replace the hotspot wireless device with one with configurable filtering capabilities.
 
infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Thu Oct 13, 2005 4:54 pm

Is it possible for MikroTik to add a feature to stop LAN clients from communicating, just like "default-forwarding" for WLAN?

It would be very helpful for MT users whose configuration doesn't have wireless NICs but who use cheap commercial APs connected to the MT's Ethernet port.

configuration:
internet->(ether1) MT (ether2)->unmanaged-switch->cheap AP (wireless)
|___ LAN (wired)

Would replacing the unmanaged switch with a "managed switch" solve the issue?

Robert S.
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Oct 13, 2005 5:02 pm

> internet->(ether1) MT (ether2)->unmanaged-switch->cheap AP (wireless)

Good, this is the diagram I asked for before...

You must use a certain AP; even a cheap one may
have an isolation feature, and you must use a managed switch,
which you can get for about 300 USD for 24 ports, and
set up VLANs, which is almost simple to do (even though
I haven't set that up yet), but I want to do exactly this...

A managed switch won't isolate your AP's clients on the WLAN
side, but it will be able to isolate your LAN and your WLAN's
clients...

I have Senao and Interepoch, which have isolation,
and it is very simple to do so, so you may go ahead
and ask your vendor, and they may even do that upon
request (as Senao did). But one big piece of advice: never buy
anything from Senao, their QoS is deep in shit (sorry
for the language), but I wasted 2000 USD on their wireless stuff.

hope it helps
 
yancho
Member Candidate
Posts: 207
Joined: Tue Jun 01, 2004 3:04 pm
Location: LV

Thu Oct 13, 2005 5:08 pm

It's not possible, because the AP acts like a hub or even a wire. Communication goes to the AP and back to the clients, but not to the switch behind the AP! (If the clients have the same subnet address.) Only if a client is in a different subnet does traffic go to the router/gateway.
 
infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Thu Oct 13, 2005 5:13 pm

Sorry guys,

Text formatting error!

In the configuration, the LAN (wired) should be under the AP (wireless). Both of them are connected to a port on the unmanaged switch.

Any input to shed light on the matter will be very much appreciated.

Thank you.


Robert S.
 
Hellbound
Long time Member
Posts: 508
Joined: Tue Oct 26, 2004 11:21 am

Thu Oct 13, 2005 5:16 pm

> It's not possible, because the AP acts like a hub or even a wire. Communication goes to the AP and back to the clients, but not to the switch behind the AP! (If the clients have the same subnet address.) Only if a client is in a different subnet does traffic go to the router/gateway.

AP can isolate itself before it even reaches the hub.

> Sorry guys,
>
> Text formatting error!
>
> In the configuration, the LAN (wired) should be under the AP (wireless). Both of them are connected to a port on the unmanaged switch.
>
> Any input to shed light on the matter will be very much appreciated.
>
> Thank you.
>
> Robert S.

That's what I assumed.

And the only question I cannot answer is how to do AP isolation in MT,
because I also need to know this one.
 
infomate
Member Candidate
Topic Author
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Thu Oct 13, 2005 5:23 pm

Wow that was a fast reply!

I had just finished typing my previous post and viewed it long enough to notice my formatting error.

Thanks for the information Hellbound and Yancho. So much for using a cheap wireless alternative.

Has anybody done/implemented this with a managed switch? I'd like to hear some success stories from our gurus.

Thanks again guys. Now I'm back to the drawing boards, poking my piggy bank with a pencil hoping to squeeze more pennies out of it :D

Robert S.
