I have some updates for you all ...

As you're aware, I have several thousand IPoE clients in a single bridge group per CCR. Client to internet, internet to client -- works very well.

Firstly, the bridge group is the best solution and works under these circumstances:

[1] all ARP from the CCR is "reply-only", as set on the bridge interface, and a DHCP server set up on this interface adds ARP when granting a lease;

[2] every single port is set for horizon "1" so that no BC from any of the clients makes it to any other client. This has proved very important; many cheap CPE routers respond badly to DHCP and other broadcasts on the WAN port;

[3] 'Agent Circuit ID' checks are being done via RADIUS, so all clients have a "sticky" address and "authenticated" IPoE allocations.

Now, after some feedback from the list, I know that I can use a Bridge Filter rule to block "client" to "client" traffic, given how detrimental it can be.

Sadly, I still don't have a working solution for the "Layer2 NAT"; the rule appears to be ignored under 6.27 and 6.28:

    /interface bridge nat add action=arp-reply chain=dstnat comment="Re-write MAC in ARP responses" in-bridge=bridgeXXX mac-protocol=arp to-arp-reply-mac-address=XX:XX:XX:XX:XX:XX

So, any more suggestions?

--
about.me/terry.sweetser
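
The following is an added example, not part of the original post: a small audit that checks an exported RouterOS configuration for the three settings the post relies on (bridge `arp=reply-only`, a DHCP server with `add-arp=yes` on the bridge, and `horizon=1` on every bridge port). The export text is constructed, and the names `bridge-ipoe`, `dhcp-ipoe` and the `ether` ports are assumptions.

```python
import shlex

# Constructed sample of a RouterOS "/export" (names and values are made up).
SAMPLE_EXPORT = """\
/interface bridge
add arp=reply-only name=bridge-ipoe
/interface bridge port
add bridge=bridge-ipoe horizon=1 interface=ether2
add bridge=bridge-ipoe comment="cust 12" interface=ether3
add bridge=bridge-ipoe horizon=1 \\
    interface=ether4
/ip dhcp-server
add add-arp=yes interface=bridge-ipoe name=dhcp-ipoe
"""

def parse_export(text):
    """Yield (menu, {key: value}) for every 'add' line of an export."""
    menu = None
    joined = text.replace("\\\n", " ")          # undo line continuations
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line                          # e.g. "/interface bridge port"
        elif line.startswith("add "):
            pairs = (t.split("=", 1) for t in shlex.split(line)[1:] if "=" in t)
            yield menu, dict(pairs)

def audit(text, bridge):
    """Return a list of findings for the three settings the post relies on."""
    findings = []
    bridge_seen = dhcp_ok = False
    for menu, item in parse_export(text):
        if menu == "/interface bridge" and item.get("name") == bridge:
            bridge_seen = True
            if item.get("arp") != "reply-only":  # export omits default values
                findings.append(f"{bridge}: arp is not reply-only")
        elif menu == "/interface bridge port" and item.get("bridge") == bridge:
            if item.get("horizon") != "1":       # port can flood to its peers
                findings.append(f"{item.get('interface')}: horizon is not 1")
        elif menu == "/ip dhcp-server" and item.get("interface") == bridge:
            dhcp_ok = dhcp_ok or item.get("add-arp") == "yes"
    if not bridge_seen:
        findings.append(f"{bridge}: bridge not found in export")
    if not dhcp_ok:
        findings.append(f"{bridge}: no DHCP server with add-arp=yes")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT, "bridge-ipoe"):
        print(finding)
```

With several thousand ports per bridge, a single port added without a horizon value is easy to miss by eye; in the constructed sample it is `ether3`.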