On Mon, 2010-11-15 at 14:46 -0800, Matt Jenkins wrote: 
> I have 6 virtual wlan interfaces. I want to prevent traffic from any 
> wlan interface to reach any other wlan interface. This includes the IP 
> address of the wlan interface. Besides creating 42 (I think) filters to 
> do this is there any way to group interfaces into a filter template or 
> something?
> 
> WLAN1 - 10.66.1.1/24
> WLAN2 - 10.66.2.1/24
> etc....
> 
> All are NATed to a different public IP on eth1.

Assuming your "public" interface is ether1, you can do:

/ip firewall filter
add chain=forward in-interface=!ether1 out-interface=ether1 \
    comment="permit traffic leaving on ether1" action=accept
add chain=forward in-interface=!ether1 action=drop \
    comment="don't allow traffic from wlans to talk to each other"


Again, this is not a complete firewall application, but it will do
exactly what you want.  You could do the above in one rule as:

add chain=forward in-interface=!ether1 out-interface=!ether1 action=drop

FWIW, this is one of the things we cover in GREAT detail in my training
classes.  Firewall/filter is one of the things we spend a LOT of time
covering.  I dedicate a full day to this topic.  Hit me offlist for more
information on the training opportunities coming up, or see my website
below.

-- 
********************************************************************
* Butch Evans                   * Professional Network Consultation*
* http://www.butchevans.com/    * Network Engineering              *
* http://store.wispgear.net/    * Wired or Wireless Networks       *
* http://blog.butchevans.com/   * ImageStream, Mikrotik and MORE!  *
********************************************************************
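
The following is an added example, not part of the original e-mail: a small Python model of first-match evaluation on the forward chain, used to check that the two-rule and one-rule forms above give the same verdict for every interface pair and leave no WLAN-to-WLAN path open. The interface names wlan1 to wlan6 are assumed; ether1 is the public interface as in the reply.

```python
# Added example: models first-match evaluation of the forward-chain rules above.
from itertools import product

PUBLIC = "ether1"                          # public interface, as assumed in the reply
WLANS = [f"wlan{i}" for i in range(1, 7)]  # assumed names for the six virtual WLANs
INTERFACES = [PUBLIC] + WLANS

def matches(spec, iface):
    """Match an interface spec; None matches anything, a leading '!' negates."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return iface != spec[1:]
    return iface == spec

def verdict(rules, in_if, out_if):
    """Return the action of the first matching rule; unmatched packets are accepted."""
    for rule in rules:
        if matches(rule.get("in"), in_if) and matches(rule.get("out"), out_if):
            return rule["action"]
    return "accept"  # no rule matched, so the packet is forwarded

# The two-rule form from the reply.
TWO_RULES = [
    {"in": "!ether1", "out": "ether1", "action": "accept"},
    {"in": "!ether1", "action": "drop"},
]
# The single-rule form from the reply.
ONE_RULE = [
    {"in": "!ether1", "out": "!ether1", "action": "drop"},
]

def table(rules):
    """Verdict for every (in, out) interface pair."""
    return {(i, o): verdict(rules, i, o) for i, o in product(INTERFACES, repeat=2)}

def leaks(rules):
    """WLAN-to-WLAN pairs that the rule set would still forward."""
    t = table(rules)
    return [(i, o) for i, o in product(WLANS, repeat=2) if i != o and t[(i, o)] != "drop"]

if __name__ == "__main__":
    print("equivalent:", table(TWO_RULES) == table(ONE_RULE))
    print("wlan-to-wlan leaks:", leaks(TWO_RULES))
    print("wlan1 -> ether1:", verdict(TWO_RULES, "wlan1", PUBLIC))
    print("ether1 -> wlan1:", verdict(TWO_RULES, PUBLIC, "wlan1"))
```

The model covers the forward chain only; packets addressed to one of the router's own IP addresses are processed by the input chain and are outside what it checks.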


