
restricted hotspot access

Posted: Mon Jun 06, 2011 8:30 pm
by walkbyfaith
I currently have an RB/433 setup as follows

eth1 - wan connection

eth2, eth3, wlan1 all bridged together and dhcp server is enabled on the bridge.
I also have a hotspot set up on bridge1.
Wireless clients can access the wireless connection without a problem and receive the hotspot login page.

I wanted to prevent the wireless clients from being able to access any clients on eth2 and eth3. What would be the best way to do this? I was going to set up a VLAN on eth2 and eth3 and let these ports communicate with each other, but not put wlan1 on this VLAN. Is there a better way?

Thanks for the help.

Re: restricted hotspot access

Posted: Mon Jun 06, 2011 8:37 pm
by fewi
If you want none of the bridged ports to talk to one another you can very elegantly use bridge horizons to prevent ports from talking: http://wiki.mikrotik.com/wiki/MPLSVPLS# ... n_bridging

/interface bridge port
set [find interface=ether1] horizon=1
set [find interface=ether3] horizon=1
set [find interface=wlan1] horizon=1

Otherwise - some ports in the bridge do need to talk to one another - use bridge filters based on in-interface and out-interface: http://wiki.mikrotik.com/wiki/Manual:In ... e_Firewall
For example, if ether1 and ether3 can talk but wlan1 can't talk to either:

/interface bridge filter
add chain=forward in-interface=ether1 out-interface=ether3 action=accept
add chain=forward in-interface=ether3 out-interface=ether1 action=accept
add chain=forward action=drop
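
The two approaches in the post above, modelled as an added example (not part of the original post and not MikroTik code) to show which port pairs each one lets the bridge forward. The port names follow the original question (ether2, ether3, wlan1), the rule dictionaries are a constructed stand-in for bridge filter rules, and only port-to-port forwarding is modelled, not traffic to the router itself such as the hotspot login.

```python
from itertools import permutations, product

PORTS = ["ether2", "ether3", "wlan1"]  # bridge ports from the original question

def horizon_allows(horizon, src, dst):
    """Split horizon: no forwarding between two ports that share a horizon value."""
    h = horizon.get(src)
    return h is None or h != horizon.get(dst)

def filter_allows(rules, src, dst):
    """The first matching forward-chain rule decides; no match means accept."""
    for rule in rules:
        if rule.get("in") in (None, src) and rule.get("out") in (None, dst):
            return rule["action"] == "accept"
    return True

def forwarding_pairs(horizon=None, rules=()):
    """Return the (ingress, egress) port pairs the bridge would forward."""
    horizon = horizon or {}
    return {(s, d) for s, d in permutations(PORTS, 2)
            if horizon_allows(horizon, s, d) and filter_allows(rules, s, d)}

# Constructed configurations mirroring the two snippets in the post
ALL_ISOLATED = {"ether2": 1, "ether3": 1, "wlan1": 1}
WIRED_ONLY = [
    {"in": "ether2", "out": "ether3", "action": "accept"},
    {"in": "ether3", "out": "ether2", "action": "accept"},
    {"action": "drop"},  # catch-all: everything else on the bridge is dropped
]

def horizon_can_express(target):
    """Try every horizon assignment (unset, 1, 2, 3) and look for the target policy."""
    return any(forwarding_pairs(dict(zip(PORTS, combo))) == target
               for combo in product([None, 1, 2, 3], repeat=len(PORTS)))

if __name__ == "__main__":
    wired = forwarding_pairs(rules=WIRED_ONLY)
    print("horizon=1 on all ports:", sorted(forwarding_pairs(horizon=ALL_ISOLATED)))
    print("filter rules:", sorted(wired))
    print("horizon alone can express the filter policy:", horizon_can_express(wired))
```

The brute-force check shows why filters are needed for the mixed case: blocking wlan1 from both wired ports forces all three ports into one horizon, which also blocks ether2 from ether3.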

Re: restricted hotspot access

Posted: Mon Jun 06, 2011 9:18 pm
by reverged
@fewi: I've always wondered if horizon is more efficient than filters. Or is it essentially the same just much easier to configure?

Re: restricted hotspot access

Posted: Mon Jun 06, 2011 9:21 pm
by fewi
You know, I have no idea. I've never tried pushing a bunch of traffic through and seeing which one performs better. I'd think bridge horizons would perform better, but that's just a hunch. If you ever try, do post some numbers.

It's certainly easier to configure, and in my opinion more foolproof. Not nearly as many conditions to cover when there's more ports involved.

Re: restricted hotspot access

Posted: Tue Jun 07, 2011 11:31 am
by alexandro
Hi man,

You can use a bridge filter to prevent it 8)
Use this filter and tell me if it solves your problem :D

/interface bridge filter
add action=drop chain=forward comment="" disabled=no mac-protocol=ip
add action=drop chain=forward comment="" disabled=no mac-protocol=arp
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe-discovery
add action=accept chain=forward comment="" disabled=no mac-protocol=pppoe
add action=drop chain=forward comment="" disabled=no packet-type=broadcast
add action=drop chain=forward comment="" disabled=no packet-type=multicast

Re: restricted hotspot access

Posted: Tue Jun 07, 2011 8:40 pm
by walkbyfaith
Thanks for the help alexandro. That did it. :D

Re: restricted hotspot access

Posted: Wed Jun 08, 2011 1:40 pm
by alexandro
You're welcome 8)