markpap
newbie
Topic Author
Posts: 49
Joined: Sat Dec 21, 2013 10:06 pm

How to block hotspot ip scanners (like Fing App)

Tue Mar 03, 2015 1:05 pm

Hi,
I have installed a hotspot using a CCR1036 as the router and UBNT devices as access points. I use a DHCP server for my hotspot clients with subnet 192.168.96.0/19. I have enabled the Client Isolation service in all UBNT devices (PicoStationM2, BulletM2, etc.).

Recently I have found that if a user connects to my hotspots using his smartphone and runs the Fing app (a network device scan tool - https://play.google.com/store/apps/deta ... droid.fing), he is able to scan my whole subnet and discover all connected devices, which is big trouble for me and my network. The strange thing is that he is able to do that even if he is not connected as an authorized hotspot user, just by being connected to my network.

How could I prevent it?

PS:
I use this filter rule:

chain=input action=drop src-address=192.168.96.0/19 dst-address=192.168.96.0/19 log=no log-prefix=""

but nothing changes.
 
Kedare
just joined
Posts: 8
Joined: Sun Dec 22, 2013 3:17 pm

Re: How to block hotspot ip scanners (like Fing App)

Tue Mar 03, 2015 10:09 pm

Hi,

Have you enabled IP firewall on the bridge?
 
jarda
Forum Guru
Posts: 7756
Joined: Mon Oct 22, 2012 4:46 pm

Tue Mar 03, 2015 11:42 pm

Seems like there is a forward leak on the access points to other devices, so the client isolation does not work. Unfortunately I am not familiar with UBNT. I would use Wireshark and see what Fing uses to detect the other devices. Then you will know which protocol to catch with firewall filters on the AP bridges.
Having any rules outside the AP has no influence on how the AP works internally.
 
ebreyit
Member Candidate
Posts: 119
Joined: Tue Apr 30, 2013 11:44 am
Location: Shropshire, United Kingdom

Re: How to block hotspot ip scanners (like Fing App)

Wed Mar 04, 2015 1:28 am

Client or wireless isolation only prevents stations (clients) on the same AP from communicating with each other; it does nothing to protect devices downstream of the AP, i.e. wireless clients/stations connected to other APs or the rest of your network infrastructure. In WISP deployments PPPoE is employed to provide the kind of isolation you were expecting; however, you're most likely dealing with nomadic/transient clients, hence the hotspot.

Fing and other tools available in the Play Store often only use basic techniques (ARP, ping, port scanning, etc.), but that is all that's needed on a simple hotspot setup to see what's 'out there'.

I've not played with it yet, but I've seen others mention the use of bridge split horizon to isolate traffic flowing across ports on a bridge. This may provide the increase in security that you're looking for, used in conjunction with wireless isolation.
 
Arcee
Member Candidate
Posts: 272
Joined: Fri Jun 27, 2014 2:33 pm

Thu Mar 05, 2015 10:05 am

Markpap - if it's just recon... There's no harm in it. Perhaps you should focus more on protecting yourself from stage two of an attack?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: How to block hotspot ip scanners (like Fing App)

Thu Mar 05, 2015 1:07 pm

How could I prevent it?

PS:
I use this filter rule:

chain=input action=drop src-address=192.168.96.0/19 dst-address=192.168.96.0/19 log=no log-prefix=""

but nothing changes.

Two things - chain=input means to look at traffic to/from the CPU of the MikroTik itself. This will not stop traffic that goes THROUGH the MikroTik - that is the forward chain.

Others have replied that client isolation only works on local ap - so if you have 2 aps (a1, a2) and 4 clients, with two using a1, and two using a2: (c1a1, c2a1, c3a2, c4a2) - then c1 and c2 cannot see each other, and c3 and c4 cannot see each other, but c1 can see c3+c4, and c2 can see c3+c4, etc.

If your APs all connect directly to your mikrotik (no workgroup switches in the middle) then you can stop this traffic in a couple of ways:

If you have a bridge configured, and etherX, etherY, and etherZ connect to the APs then in the bridge port configurations, set horizon=1 on all 3 interfaces. (or any value that's the same for all 3)

You could use a forward chain filter rule = block all forwarding traffic.

If you're using master/slave switch ports, then you'll need to set up a filter under switch. (sorry, I've never used that feature, but check the docs)
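The bridge-horizon and forward-chain approaches from the post above, written out as a RouterOS v6 configuration. This is an added example, not configuration from the thread or from MikroTik's documentation; the bridge name (bridge-hotspot), the AP-facing ports (ether2, ether3, ether4) and the gateway address are assumptions, and the hotspot subnet 192.168.96.0/19 is the one from the original question. One caveat worth stating plainly: Fing's first step is an ARP sweep, and ARP is not IP traffic, so the IP firewall rule alone never sees it; the split-horizon setting is what stops it between AP ports, and it only helps when the APs plug straight into the CCR, as noted above.

```routeros
# Added example (not from the thread). Assumed names: bridge "bridge-hotspot",
# AP-facing ports ether2/ether3/ether4, CCR gateway 192.168.96.1.
# Hotspot subnet 192.168.96.0/19 is the one from the original post.

# 1. Layer 2: put every AP-facing port in the same split-horizon group.
#    Frames that arrive on one AP port are never forwarded to another port
#    with the same horizon value, so ARP sweeps and broadcasts between APs
#    stop here. The value itself does not matter, only that it is equal.
/interface bridge port
set [find interface=ether2] horizon=1
set [find interface=ether3] horizon=1
set [find interface=ether4] horizon=1

# 2. Layer 3: let bridged traffic pass through the IP firewall, then drop
#    client-to-client traffic inside the hotspot subnet in the FORWARD chain.
#    (The original rule sat in the INPUT chain, which only matches packets
#    addressed to the router itself, e.g. to 192.168.96.1, and so never
#    matched a scan of other clients.)
/interface bridge settings
set use-ip-firewall=yes
/ip firewall filter
add chain=forward src-address=192.168.96.0/19 dst-address=192.168.96.0/19 \
    action=drop comment="hotspot: no client-to-client traffic"

# 3. Check: while a client runs a scan, the drop counter should climb and
#    a ping from one hotspot client to another should time out. Traffic to
#    the gateway and the hotspot login page is unaffected, because it is
#    destined for the router and takes the input chain, not forward.
/ip firewall filter print stats where comment~"client-to-client"
```

The forward rule is still worth keeping alongside the horizon setting: it catches the case ZeroByte mentions where two clients sit behind the same AP port (or a switch in the middle) and the L2 isolation there is imperfect, and its counters give you a cheap way to confirm that the scanning actually stopped.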