 
maxpz
just joined
Topic Author
Posts: 7
Joined: Fri Jul 09, 2004 11:53 am
Location: Kosova

Need help...

Fri Aug 20, 2004 5:16 pm

I need an explanation!

I'm opening a range in my mikrotik for each user, like:

192.168.1.1/30
192.168.2.1/30
...
192.168.250.1/30...

I use this to unable my users to see each other for the security reasons.

But I still want to run some servers (antivirus server, fileshare etc.).

So, HOW can I configure my mikrotik, so the users will be able to see the range where my servers are (example: 192.168.0.1/28), and still not see each other?
 
signal
newbie
Posts: 33
Joined: Thu Aug 19, 2004 4:44 am

Sat Aug 21, 2004 6:49 am

You are a bit confusing here.

You say you are "opening a range", which to me is allowing your users to do something. Yet you say you are doing it to "unable" them to see each other.

Can you explain in terms of what rules are you using and in which chains?
 
maxpz
just joined
Topic Author
Posts: 7
Joined: Fri Jul 09, 2004 11:53 am
Location: Kosova

Sun Aug 22, 2004 2:02 am

Well, let me explain:

Instead of opening a range in the router for all my users like

192.168.1.1/24

I open a range for each user, like:

192.168.1.1/30 (mikrotik) and 192.168.1.2 (user1)
192.168.2.1/30 (mikrotik) and 192.168.2.2 (user2)
192.168.3.1/30 (mikrotik) and 192.168.3.2 (user3)
...
192.168.100.1/30 (mikrotik) and 192.168.100.2 (user100)

If I create only one range and put all my users there, they can see each other.
So, the way I'm using, they can only ping their gateway which is the IP I add in the router for every user.

So they can not ping any computer in other range (ex. 192.168.1.2 cannot ping 192.168.100.2),

but I still need to have some servers (file share...etc) and I want all my users to be able to see these servers (ex. all the users can ping 192.168.0.2-5)

I hope this helps...
 
signal
newbie
Posts: 33
Joined: Thu Aug 19, 2004 4:44 am

Sun Aug 22, 2004 3:10 am

You just make rules to allow the networks you want to communicate, and then deny the rest. It would be very helpful if you would post what you have as far as rules.

Brian
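
The allow-then-deny ordering suggested in the reply above, modelled as an added example (not part of the thread and not RouterOS syntax). The first-match rule list, the 192.168.0.0/16 catch-all, the default accept and the names `forward` and `audit` are assumptions; the addresses are the ones used in the thread.

```python
import ipaddress as ip

SERVERS = ip.ip_network("192.168.0.0/28")   # server range named in the thread
PRIVATE = ip.ip_network("192.168.0.0/16")   # assumption: covers all per-user /30s

# Ordered forward rules (src net, dst net, action); the first match wins.
RULES = [
    (PRIVATE, SERVERS, "accept"),   # users -> servers
    (SERVERS, PRIVATE, "accept"),   # servers -> users (replies)
    (PRIVATE, PRIVATE, "drop"),     # any other user-to-user traffic
]

def forward(src, dst, rules=RULES):
    """Action of the first rule matching a routed packet src -> dst."""
    s, d = ip.ip_address(src), ip.ip_address(dst)
    for src_net, dst_net, action in rules:
        if s in src_net and d in dst_net:
            return action
    return "accept"   # assumption: unmatched traffic (e.g. Internet) is allowed

def audit(rules=RULES, users=range(1, 101), server="192.168.0.2"):
    """Return (src, dst, problem) tuples where the rules break the goal."""
    hosts = [f"192.168.{n}.2" for n in users]   # user1 .. user100 as in the thread
    problems = []
    for h in hosts:
        if forward(h, server, rules) != "accept":
            problems.append((h, server, "server blocked"))
        if forward(server, h, rules) != "accept":
            problems.append((server, h, "reply blocked"))
    for a in hosts:
        for b in hosts:
            if a != b and forward(a, b, rules) != "drop":
                problems.append((a, b, "users can reach each other"))
    return problems

if __name__ == "__main__":
    print("correct order:", len(audit()), "problems")
    # Same rules with the drop moved to the top: servers become unreachable.
    print("drop first:  ", len(audit([RULES[2]] + RULES[:2])), "problems")
```

Because the server range sits inside the same 192.168.0.0/16 block as the user subnets, the accept rules have to come before the drop; the audit makes that ordering dependency visible.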
 
GJS
Member
Posts: 418
Joined: Sat May 29, 2004 4:07 pm
Location: London

Sun Aug 22, 2004 6:16 am

I think one very simple way to do this is to add an additional range (more properly called a subnet, I believe) for your servers and then add a static routing table entry for each user subnet to the server subnet.

This would not be very practical if you have a large number of subnets though.

This is an interesting question, though, as I believe that what you are trying to achieve is blocking inter-client traffic when they are all connected to one router interface. My clients are connected via an 802.11b access point which has this facility built-in. Maybe it would be better to use a switch (if your clients are hard wired) which has this facility? Then all clients could be on one subnet.

'Hope this helps.
Guy
 
signal
newbie
Posts: 33
Joined: Thu Aug 19, 2004 4:44 am

Sun Aug 22, 2004 5:49 pm

Well if they were all in one subnet, then you could just have the MT reply-only to ARP. The servers imho should be off a different interface than the customers are behind.
 
maxpz
just joined
Topic Author
Posts: 7
Joined: Fri Jul 09, 2004 11:53 am
Location: Kosova

Mon Aug 23, 2004 12:20 pm

thanks guys,
