Awesome, thanks! I didn't realize you could specify a !=; that simplifies
a bunch of other filters I have set up before.

On 11/15/2010 04:06 PM, Butch Evans wrote:
> On Mon, 2010-11-15 at 14:46 -0800, Matt Jenkins wrote:
>    
>> I have 6 virtual wlan interfaces. I want to prevent traffic from any
>> wlan interface to reach any other wlan interface. This includes the IP
>> address of the wlan interface. Besides creating 42 (I think) filters to
>> do this, is there any way to group interfaces into a filter template or
>> something?
>>
>> WLAN1 - 10.66.1.1/24
>> WLAN2 - 10.66.2.1/24
>> etc....
>>
>> All are NATed to a different public IP on eth1.
>>      
> Assuming your "public" interface is ether1, you can do:
>
> /ip firewall filter
> add chain=forward in-interface=!ether1 out-interface=ether1 \
>      comment="permit traffic leaving on ether1" action=accept
> add chain=forward in-interface=!ether1 action=drop \
>      comment="don't allow traffic from wlans to talk to each other"
>
>
> Again, this is not a complete firewall application, but it will do
> exactly what you want.  You could do the above in one rule as:
>
> add chain=forward in-interface=!ether1 out-interface=!ether1 action=drop
>
> FWIW, this is one of the things we cover in GREAT detail in my training
> classes.  Firewall/filter is one of the things we spend a LOT of time
> covering.  I dedicate a full day to this topic.  Hit me offlist for more
> information on the training opportunities coming up, or see my website
> below.
>
>    
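
Added example (not part of the original messages, and not RouterOS code): a small Python model of first-match evaluation in the forward chain, checking that the two-rule and one-rule forms quoted above give the same verdict for every in/out interface pair. The names wlan1..wlan6 and the dictionary rule format are assumptions made for the model; it covers the forward chain only, so traffic addressed to the router's own addresses (input chain) is outside it.

```python
# Model of first-match evaluation in the RouterOS forward chain (added example).
from itertools import product

PUBLIC = "ether1"
WLANS = [f"wlan{i}" for i in range(1, 7)]   # constructed names for the 6 virtual APs
IFACES = [PUBLIC] + WLANS

def matches(spec, iface):
    """spec is None (any), 'name', or '!name' as in in-interface=!ether1."""
    if spec is None:
        return True
    if spec.startswith("!"):
        return iface != spec[1:]
    return iface == spec

def verdict(rules, in_if, out_if):
    """First matching rule wins; a packet that matches nothing is accepted."""
    for rule in rules:
        if matches(rule.get("in"), in_if) and matches(rule.get("out"), out_if):
            return rule["action"]
    return "accept"

# The two-rule form from the reply.
TWO_RULES = [
    {"in": "!ether1", "out": "ether1", "action": "accept"},
    {"in": "!ether1", "action": "drop"},
]
# The single-rule form from the reply.
ONE_RULE = [{"in": "!ether1", "out": "!ether1", "action": "drop"}]

# Explicit alternative: one drop rule per ordered pair of distinct WLANs.
PAIR_RULES = [{"in": a, "out": b, "action": "drop"}
              for a, b in product(WLANS, WLANS) if a != b]

def table(rules):
    """Verdict for every (in-interface, out-interface) combination."""
    return {(i, o): verdict(rules, i, o) for i, o in product(IFACES, IFACES)}

def differences(rules_a, rules_b):
    """Interface pairs on which two rule sets disagree."""
    ta, tb = table(rules_a), table(rules_b)
    return sorted(k for k in ta if ta[k] != tb[k])

if __name__ == "__main__":
    print("two-rule vs one-rule:", differences(TWO_RULES, ONE_RULE))
    print("one-rule vs per-pair:", differences(ONE_RULE, PAIR_RULES))
```

In this model the negated rule also drops traffic forwarded back out the interface it arrived on, which the per-pair rules leave to the default accept.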


WISPA Wireless List: wireless@wispa.org