Hi Terry,

Have you consulted the packet flow diagram to make sure that packets can get to the right point for mac-Nat processing? http://wiki.mikrotik.com/wiki/Manual:Packet_Flow

Depending on how the firewall and bridge rules are set up, packets might be changed already by the time you expect to process them, so they can miss your match rules.

If you are sure that the feature is not working in some revision (e.g. the same configuration works in version x, doesn't work in version y) then please try to record the steps to reproduce the problem, and submit them to support@mikrotik, or via your distributor support if you'd like some additional assistance.

Cheers!
Mike.
-----Original Message-----
From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Terry Sweetser
Sent: Saturday, 2 May 2015 10:19 AM
To: public@talk.mikrotik.com.au
Subject: Re: [MT-AU Public] L3 over QinQ and a Bridge -- too far?
I have some updates for you all ...
As you're aware, I have several thousand IPoE clients into a single bridge group per CCR.
Client to internet, internet to client -- works very well.
Firstly, the bridge group is the best solution and works under these circumstances:
[1] all arp from the CCR is "reply-only", as set on the bridge interface, and a DHCP server is set up on this interface, adds ARP when granting a lease;
[2] every single port is set for horizon "1" so that no BC from any of the clients makes it to any other client, this has proved very important, many cheap CPE routers respond badly to DHCP and other broadcasts on the WAN port;
[3] 'Agent Circuit ID' checks are being done via RADIUS, so all clients have a "sticky" address, and "authenticated" IPoE allocations.
Now, after some feedback from the list, I know that I can use a Bridge Filter rule to block "client" to "client" traffic, given how detrimental it can be.
Sadly, I still don't have a working solution for the "Layer2 NAT"; the rule appears to be ignored under 6.27 and 6.28:
/interface bridge nat add action=arp-reply chain=dstnat comment="Re-write MAC in ARP responses" in-bridge=bridgeXXX mac-protocol=arp to-arp-reply-mac-address=XX:XX:XX:XX:XX:XX
So, any more suggestions?
-- about.me/terry.sweetser
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
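A worked RouterOS configuration that ties together the steps Terry lists (reply-only ARP on the bridge, horizon isolation of client ports, DHCP adding ARP entries with RADIUS-backed allocation, a bridge filter against client-to-client traffic, and the bridge NAT arp-reply rule), with the packet-flow caveat from Mike's reply noted against the rule. This is an added example, not configuration from either message: the interface names (bridge1, ether1 as uplink, ether2/ether3 as client-facing ports), the address range, the pool and server names and the MAC address are all assumptions.

```routeros
# Added example, not from the thread. Interface names, addresses and MAC are assumptions.

# Bridge with ARP in reply-only mode: the CCR answers ARP only for entries it
# already holds (static or added by DHCP), so a client cannot claim an address
# it was not leased.
/interface bridge
add name=bridge1 arp=reply-only protocol-mode=none

# Client ports on horizon 1: ports sharing a horizon value never forward
# frames to each other, so one client's broadcasts (DHCP discover, ARP) never
# reach another client's WAN port. The uplink keeps no horizon value.
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2 horizon=1
add bridge=bridge1 interface=ether3 horizon=1

# DHCP server on the bridge: add-arp=yes inserts the ARP entry when a lease is
# granted (required with arp=reply-only); use-radius=yes hands the request,
# including Agent Circuit ID, to RADIUS so the address is tied to the circuit.
/ip address add address=10.0.0.1/16 interface=bridge1
/ip pool add name=clients ranges=10.0.0.2-10.0.255.254
/ip dhcp-server
add name=clients interface=bridge1 address-pool=clients add-arp=yes use-radius=yes
/ip dhcp-server network add address=10.0.0.0/16 gateway=10.0.0.1

# Second line of defence: drop client-to-client forwarding in the bridge
# filter even if a horizon value is later mis-set on a port. Without
# interface lists this is one rule per direction per port pair.
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 action=drop
add chain=forward in-interface=ether3 out-interface=ether2 action=drop

# Layer-2 NAT: action=arp-reply answers ARP requests with the given MAC and is
# only valid in the dstnat chain. Per the packet-flow diagram, bridge dstnat
# is applied to frames arriving on a bridge port, before the bridge decision
# and the filter forward chain; frames the CCR generates itself leave through
# the srcnat chain instead and never pass this rule. Confirm on the diagram
# that the ARP traffic you want rewritten actually enters via dstnat.
/interface bridge nat
add chain=dstnat action=arp-reply in-bridge=bridge1 mac-protocol=arp \
    to-arp-reply-mac-address=02:00:00:00:00:01 \
    comment="Re-write MAC in ARP responses"
```

Before concluding that a RouterOS version ignores the rule, check its hit counters with `/interface bridge nat print stats`: a counter that stays at zero means frames are not reaching the rule at that point in the packet flow (the question Mike raises), whereas a counter that increments while the ARP replies still carry the wrong MAC is the reproducible case worth sending to support with the exact steps.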