On Mon, 2010-11-15 at 14:46 -0800, Matt Jenkins wrote:
> I have 6 virtual wlan interfaces. I want to prevent traffic from any
> wlan interface to reach any other wlan interface. This includes the IP
> address of the wlan interface. Besides creating 42 (I think) filters to
> do this is there any way to group interfaces into a filter template or
> something?
>
> WLAN1 - 10.66.1.1/24
> WLAN2 - 10.66.2.1/24
> etc....
>
> All are NATed to a different public IP on eth1.

Assuming your "public" interface is ether1, you can do:

/ip firewall filter
add chain=forward in-interface=!ether1 out-interface=ether1 \
    comment="permit traffic leaving on ether1" action=accept
add chain=forward in-interface=!ether1 action=drop \
    comment="don't allow traffic from wlans to talk to each other"

Again, this is not a complete firewall application, but it will do
exactly what you want. You could do the above in one rule as:

add chain=forward in-interface=!ether1 out-interface=!ether1 action=drop

FWIW, this is one of the things we cover in GREAT detail in my training
classes. Firewall/filter is one of the things we spend a LOT of time
covering. I dedicate a full day to this topic. Hit me offlist for more
information on the training opportunities coming up, or see my website
below.

-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
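
A way to check the rules in the reply above before loading them, as an added example that is not part of the original thread: a small first-match model of the forward chain that evaluates every ordered interface pair and confirms the two-rule and one-rule forms give the same verdicts. The interface names wlan1..wlan6 and the accept-when-nothing-matches default are assumptions of the model.

```python
# Added example: first-match model of the forward-chain rules quoted above.
# Assumptions: interfaces are named ether1 and wlan1..wlan6, and a packet
# that matches no rule is accepted.
WAN = "ether1"
WLANS = [f"wlan{i}" for i in range(1, 7)]
IFACES = [WAN] + WLANS

def match_if(pattern, iface):
    """Interface matcher: None matches any, '!name' matches all but name."""
    if pattern is None:
        return True
    if pattern.startswith("!"):
        return iface != pattern[1:]
    return iface == pattern

def verdict(rules, in_if, out_if):
    """Return the action of the first rule matching (in_if, out_if)."""
    for rule in rules:
        if match_if(rule.get("in"), in_if) and match_if(rule.get("out"), out_if):
            return rule["action"]
    return "accept"  # assumed default when no rule matches

# The two-rule form from the reply (order matters: accept comes first).
TWO_RULES = [
    {"in": "!ether1", "out": "ether1", "action": "accept"},
    {"in": "!ether1", "action": "drop"},
]
# The single-rule form from the reply.
ONE_RULE = [{"in": "!ether1", "out": "!ether1", "action": "drop"}]

def forward_table(rules):
    """Verdict for every ordered pair of distinct interfaces."""
    return {(i, o): verdict(rules, i, o)
            for i in IFACES for o in IFACES if i != o}

def wlans_isolated(rules):
    """True if no wlan can forward to another wlan but all can reach the WAN."""
    table = forward_table(rules)
    blocked = all(table[(a, b)] == "drop" for a in WLANS for b in WLANS if a != b)
    uplink = all(table[(w, WAN)] == "accept" for w in WLANS)
    return blocked and uplink

if __name__ == "__main__":
    print("two-rule form isolates wlans:", wlans_isolated(TWO_RULES))
    print("one-rule form isolates wlans:", wlans_isolated(ONE_RULE))
    print("same verdicts:", forward_table(TWO_RULES) == forward_table(ONE_RULE))
```

The model covers the forward chain only; packets addressed to one of the router's own IP addresses traverse the input chain and are not evaluated here.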