Thanks for the reply. None of these wlan interfaces are in a bridge. Each is NATed separately....
On 11/15/2010 02:51 PM, Faisal Imtiaz wrote:
> A while back I had asked a similar question .. Butch was kind enough to
> provide a great answer.. see below:-
>
> Faisal Imtiaz
> Snappy Internet & Telecom
>
> -------------------------------------------------------------------------
> On 9/17/2010 10:50 AM, Butch Evans wrote:
> > On Fri, 2010-09-17 at 00:11 -0400, Faisal Imtiaz wrote:
> >> I would like to provide/distribute (WIRED) Internet Access in a MDU/MTU
> >> environment. I am going to connect each unit to one of the Ethernet
> >> Ports on the MT.
> >>
> >> I would like to have 'client isolation' on all of the users who are
> >> connected to the Ethernet ports. i.e. I don't want the users to be able
> >> to talk to each other or see each others traffic. (I don't wish to use
> >> /30 to assign to each Vlan, need to conserve IP's)
> >
> > Are you creating a vlan per customer or supplying a physical interface
> > for each customer? It seems that you say both above. Either way, it
> > appears that you are (or will be) bridging either the vlans or ports.
> > So just do something like:
> >
> > /interface bridge settings set use-ip-firewall=yes
> >
> > /ip firewall filter
> > add chain=forward in-interface=!public \
> >     out-interface=public \
> >     action=accept
> > add chain=forward in-interface=!public \
> >     action=drop
> >
> > These rules are NOT a complete firewall. They do, however, illustrate
> > how to accomplish what you are looking for. The rules:
> >
> > 1. Permit traffic entering the router on all interfaces that are not the
> >    "public" interface when that traffic will leave on the "public"
> >    interface (i.e. "internet traffic").
> > 2. Drop all other traffic that enters the router from any interface that
> >    is not "public" (i.e. enter on "lan" and leave on "otherlan").
> >
>
> ---------------------------------------------------------------------------------
> On 11/15/2010 5:46 PM, Matt Jenkins wrote:
>> I have 6 virtual wlan interfaces. I want to prevent traffic from any
>> wlan interface to reach any other wlan interface. This includes the IP
>> address of the wlan interface. Besides creating 42 (I think) filters to
>> do this is there any way to group interfaces into a filter template or
>> something?
>>
>> WLAN1 - 10.66.1.1/24
>> WLAN2 - 10.66.2.1/24
>> etc....
>>
>> All are NATed to a different public IP on eth1.
>>
>> Thanks,
>>
>> - Matt
>>
>> --------------------------------------------------------------------------------
>> WISPA Wants You! Join today!
>> http://signup.wispa.org/
>> --------------------------------------------------------------------------------
>>
>> WISPA Wireless List: [email protected]
>>
>> Subscribe/Unsubscribe:
>> http://lists.wispa.org/mailman/listinfo/wireless
>>
>> Archives: http://lists.wispa.org/pipermail/wireless/
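Added example, not part of the original thread or of any poster's configuration: a small Python model of the two forward rules quoted above, applied to the six routed wlan interfaces from the question. It assumes eth1 plays the role of the interface the rules call "public", that wlan1 to wlan6 and the 10.66.N.1 addresses follow the WLAN1/WLAN2 pattern in the post, and that a packet matching no rule is accepted; it also shows that a packet addressed to the router's own wlan address is handled by the input chain, so the forward rules do not decide it.

```python
from itertools import permutations

PUBLIC = "eth1"  # assumption: the uplink takes the place of "public" in the rules
WLANS = [f"wlan{i}" for i in range(1, 7)]  # assumed names for the six interfaces
# Router's own address on each wlan, following the WLAN1/WLAN2 pattern in the post
ROUTER_IPS = {f"10.66.{i}.1" for i in range(1, 7)}

# The two quoted forward rules; "out": None means no out-interface matcher
FORWARD_RULES = [
    {"in_not": PUBLIC, "out": PUBLIC, "action": "accept"},
    {"in_not": PUBLIC, "out": None, "action": "drop"},
]

def chain_for(dst_ip):
    """Packets addressed to the router itself traverse input, not forward."""
    return "input" if dst_ip in ROUTER_IPS else "forward"

def forward_verdict(in_if, out_if, rules=FORWARD_RULES):
    """First matching rule wins; a packet matching no rule is accepted."""
    for rule in rules:
        if in_if == rule["in_not"]:
            continue  # in-interface=!public does not match this packet
        if rule["out"] is not None and out_if != rule["out"]:
            continue  # out-interface matcher present and not satisfied
        return rule["action"]
    return "accept"

def evaluate(in_if, out_if, dst_ip):
    """Return (chain, verdict) for one packet under the modelled rules."""
    if chain_for(dst_ip) == "input":
        return "input", "not covered by forward rules"
    return "forward", forward_verdict(in_if, out_if)

def isolation_report():
    """Check every ordered wlan-to-wlan pair; return (count, pairs not dropped)."""
    pairs = list(permutations(WLANS, 2))
    leaks = [p for p in pairs if forward_verdict(*p) != "drop"]
    return len(pairs), leaks

if __name__ == "__main__":
    total, leaks = isolation_report()
    print(f"{total} wlan-to-wlan directions checked, {len(leaks)} not dropped")
    print("wlan1 -> internet:", evaluate("wlan1", PUBLIC, "203.0.113.10"))
    print("internet -> wlan3:", evaluate(PUBLIC, "wlan3", "10.66.3.25"))
    print("wlan1 -> wlan2 host:", evaluate("wlan1", "wlan2", "10.66.2.50"))
    print("wlan1 -> wlan2 router IP:", evaluate("wlan1", None, "10.66.2.1"))
```

The sample addresses 203.0.113.10, 10.66.3.25 and 10.66.2.50 are constructed for the run.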
