On our fiber network I use port isolation and MAC forced forwarding (not
available in MikroTik) to accomplish layer 2 isolation but still allow
client-to-client unicast traffic.

Proxy ARP is as close to MACFF as you can get in MikroTik. I think you
should be able to use option 2 if you use a different VLAN per customer
site (use the default VLAN setting in each Canopy SM so each site has
a unique VLAN), then enable proxy ARP for each VLAN in your router. I don't
remember if you have to have an IP on the VLAN for it to work or not. If
it doesn't work, try adding an IP on each VLAN. So you don't waste IPs, you
can use point-to-point addressing, i.e. address=routerip/32
network=customerIpForThisVlan. You might be able to get by with some static
ARP entries instead of adding an IP to each VLAN. I'm not sure how MikroTik
handles that.

I suck at explaining myself so I hope this makes sense. You can contact me
offlist if you want to chat/talk about it.

Gerard


On Tuesday, May 24, 2016, Craig Schmaderer <cr...@skywaveconnect.com> wrote:

> Example:
>
> I have a 450 Access Point that has 3 SMs belonging to one company with 3
> sites.
>
> This client wants to have VPNs between all locations.  They are all on the
> same layer 2 network (same VLAN).
>
>
>
> Options and expected outcomes
>
> · Disable SM Isolation (the default selection). This allows full
> communication between SMs.
>
> - Works fine, all traffic can pass. Expected…..
>
>
>
> · Enable Option 1 - Block SM destined packets from being forwarded. This
> prevents both multicast/broadcast and unicast SM-to-SM communication.
>
> - Doesn’t work, can establish connections between SMs. Expected……
>
>
>
> · Enable Option 2 - Forward SM destined packets upstream. This not only
> prevents multicast/broadcast and unicast SM-to-SM communication but also
> sends the packets, which otherwise may have been handled SM to SM, through
> the Ethernet port of the AP.
>
> - Doesn’t work. I thought this would work; I assumed all packets
> would be sent upstream to the router, then the router would send it back to
> the clients, similar to how MAC forced forwarding works on my fiber
> network.
>
>
>
> So I guess my question is: “Am I totally misunderstanding what option 2
> does?  Is the only possible way to allow VPN traffic between SMs on the
> same access point to have ‘Disable SM Isolation’ set?”
>
>
>
> Thanks, Craig.
>
>
>
> *Craig R. Schmaderer*
>
> *CEO | Skywave Wireless, Inc.*
>
> *Ph: 402-372-1975 | Fax: 402-372-1058*
>
> *Direct: 402-372-1052*
>
>
>
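
The per-site VLAN, proxy ARP and point-to-point addressing layout suggested in the reply above, as an added RouterOS sketch that is not from either poster and has not been tested on their network. Assumptions: `ether2` faces the AP, VLAN IDs 101-103 and the 192.0.2.0/24 addresses are constructed placeholders, and the list names are hypothetical. The firewall rules at the end are an addition that goes beyond the reply: once SM-to-SM traffic is routed, the router becomes the place where isolation between other customers is enforced.

```routeros
# Constructed values throughout: ether2, VLAN IDs 101-103, 192.0.2.0/24.
# One VLAN per customer site (set as the default VLAN in each SM),
# with proxy ARP so the router answers ARP for hosts on the other VLANs.
/interface vlan
add name=vlan101 vlan-id=101 interface=ether2 arp=proxy-arp
add name=vlan102 vlan-id=102 interface=ether2 arp=proxy-arp
add name=vlan103 vlan-id=103 interface=ether2 arp=proxy-arp

# Point-to-point addressing: the same router IP as a /32 on every VLAN,
# with network= set to the customer IP behind that VLAN.
/ip address
add address=192.0.2.1/32 network=192.0.2.11 interface=vlan101
add address=192.0.2.1/32 network=192.0.2.12 interface=vlan102
add address=192.0.2.1/32 network=192.0.2.13 interface=vlan103

# Group the SM-facing VLANs so one rule can cover all of them.
/interface list
add name=sm-vlans
/interface list member
add list=sm-vlans interface=vlan101
add list=sm-vlans interface=vlan102
add list=sm-vlans interface=vlan103

# The three sites of the one company that needs site-to-site VPNs.
/ip firewall address-list
add list=company-sites address=192.0.2.11
add list=company-sites address=192.0.2.12
add list=company-sites address=192.0.2.13

# Allow traffic among that company's sites; drop any other SM-to-SM traffic.
/ip firewall filter
add chain=forward src-address-list=company-sites \
    dst-address-list=company-sites action=accept \
    comment="VPN between the company's three sites"
add chain=forward in-interface-list=sm-vlans \
    out-interface-list=sm-vlans action=drop \
    comment="no other SM-to-SM forwarding"
```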
