A while back I had asked a similar question. Butch was kind enough to provide a great answer; see below:
Faisal Imtiaz
Snappy Internet & Telecom

-------------------------------------------------------------------------

On 9/17/2010 10:50 AM, Butch Evans wrote:
> On Fri, 2010-09-17 at 00:11 -0400, Faisal Imtiaz wrote:
>> I would like to provide/distribute (WIRED) Internet Access in a MDU/MTU
>> environment. I am going to connect each unit to one of the Ethernet
>> Ports on the MT.
>>
>> I would like to have 'client isolation' on all of the users who are
>> connected to the Ethernet ports. i.e. I don't want the users to be able
>> to talk to each other or see each other's traffic. (I don't wish to use
>> /30 to assign to each Vlan, need to conserve IP's)
>
> Are you creating a vlan per customer or supplying a physical interface
> for each customer? It seems that you say both above. Either way, it
> appears that you are (or will be) bridging either the vlans or ports.
> So just do something like:
>
> /interface bridge settings set use-ip-firewall=yes
>
> /ip firewall filter
> add chain=forward in-interface=!public \
>     out-interface=public \
>     action=accept
> add chain=forward in-interface=!public \
>     action=drop
>
>
> These rules are NOT a complete firewall. They do, however, illustrate
> how to accomplish what you are looking for. The rules:
>
> 1. Permit traffic entering the router on all interfaces that are not the
>    "public" interface when that traffic will leave on the "public"
>    interface (i.e. "internet traffic").
> 2. Drop all other traffic that enters the router from any interface that
>    is not "public" (i.e. enter on "lan" and leave on "otherlan").
>

---------------------------------------------------------------------------------

On 11/15/2010 5:46 PM, Matt Jenkins wrote:
> I have 6 virtual wlan interfaces. I want to prevent traffic from any
> wlan interface to reach any other wlan interface. This includes the IP
> address of the wlan interface. Besides creating 42 (I think) filters to
> do this is there any way to group interfaces into a filter template or
> something?
>
> WLAN1 - 10.66.1.1/24
> WLAN2 - 10.66.2.1/24
> etc....
>
> All are NATed to a different public IP on eth1.
>
> Thanks,
>
> - Matt
>
>
> --------------------------------------------------------------------------------
> WISPA Wants You! Join today!
> http://signup.wispa.org/
> --------------------------------------------------------------------------------
>
> WISPA Wireless List: [email protected]
>
> Subscribe/Unsubscribe:
> http://lists.wispa.org/mailman/listinfo/wireless
>
> Archives: http://lists.wispa.org/pipermail/wireless/
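
An added example, not part of the thread or anyone's posted configuration: a small Python model of how the two forward-chain rules quoted above decide traffic for the six-WLAN layout in the question. It assumes first-match rule evaluation, acceptance of unmatched packets, and that packets addressed to one of the router's own IPs are handled by the input chain rather than forward; the public address 192.0.2.1 and the client addresses are constructed placeholders.

```python
from ipaddress import ip_address
from itertools import permutations

# Constructed topology: WLAN gateway addresses from the question, "public" as named in the rules.
ROUTER_ADDRS = {f"wlan{i}": ip_address(f"10.66.{i}.1") for i in range(1, 7)}
ROUTER_ADDRS["public"] = ip_address("192.0.2.1")  # placeholder, not from the thread

# The two quoted rules as (in-interface test, out-interface test, action); None matches any.
FORWARD_RULES = [
    (lambda i: i != "public", lambda o: o == "public", "accept"),
    (lambda i: i != "public", None, "drop"),
]

def chain_for(dst):
    """Packets addressed to the router itself go to 'input', never 'forward'."""
    return "input" if ip_address(dst) in ROUTER_ADDRS.values() else "forward"

def forward_verdict(in_iface, out_iface):
    """First matching rule wins; an unmatched packet falls through to accept."""
    for in_ok, out_ok, action in FORWARD_RULES:
        if in_ok(in_iface) and (out_ok is None or out_ok(out_iface)):
            return action
    return "accept"

def verdict(in_iface, out_iface, dst):
    """Return (chain, action); action is None when the forward rules never see the packet."""
    chain = chain_for(dst)
    return (chain, forward_verdict(in_iface, out_iface) if chain == "forward" else None)

def wlan_pairs_blocked():
    """Check every ordered WLAN-to-WLAN pair against the two rules."""
    wlans = [name for name in ROUTER_ADDRS if name != "public"]
    pairs = list(permutations(wlans, 2))
    return len(pairs), all(forward_verdict(a, b) == "drop" for a, b in pairs)

if __name__ == "__main__":
    print(wlan_pairs_blocked())                         # all ordered WLAN pairs
    print(verdict("wlan1", "public", "198.51.100.7"))   # client to internet
    print(verdict("wlan1", "wlan2", "10.66.2.25"))      # client to client on another WLAN
    print(verdict("wlan1", None, "10.66.2.1"))          # client to another WLAN's gateway IP
    print(verdict("public", "wlan3", "10.66.3.25"))     # inbound from public, no rule matches
```

The last two cases show what the two rules leave open: traffic to another WLAN's gateway address is an input-chain matter, and traffic arriving on "public" matches neither rule, which fits the warning that the rules are not a complete firewall.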
