Controlling ARP Requests vs. VLAN

Hello everyone,

This is my first post to the boards. I run a large Alvarion wireless network that is currently a single flat bridged network. With several hundred end users this network is getting large. ARP traffic generated by worm infections is killing the performance.

One solution to reduce the broadcast domain is, obviously, a VLAN solution. But that requires setting all customer radios with VLAN IDs. This is something I need to avoid.

SO, I came up with the idea of achieving “network isolation” by using RouterOS in bridge mode and then dropping all outbound ARP broadcast requests asking for the default gateway. This would, in effect, make each user blind to his neighbors unless he knew the hardware MAC address of another node. I have achieved the same effect on our DSL network using Cisco’s RBE (route bridge encapsulation) but that is a proprietary and ATM related solution.

I am currently testing 2.9.8 using this configuration and I am seeing some strangeness that may be a bug. One particular MAC address becomes unreachable at layer 3 after a few minutes even though its MAC address is still in my ARP table. If anyone is interested in the export file for my bridge filter configuration, let me know and I’ll shoot it to you.

My question for all of you: Has this ever been achieved before with RouterOS? And am I nuts in thinking I can control ARP traffic this way?

Thanks in advance for any suggestions or ideas.

I am currently testing 2.9.8 using this configuration and I am seeing some strangeness that may be a bug.

There has been a ton of updates since 2.9.8. I suggest for testing you upgrade to 2.9.20 and if still a problem then report back… support would tell you the same thing, they don’t want to troubleshoot things that have already been fixed.

Sam

Well, actually, I started this test using 2.9.20 and downgraded to 2.9.8 to see if I was seeing the same problem. It is the same with both releases.

My main question was if I should be able to achieve network isolation by controlling ARP traffic. This technique isn’t something I have seen anyone else discuss in these forums (that I could find anyway).

Since the default gateway is not needed at all for communication between your clients (all inside the same layer 2 network) or for flooding of ARP requests (flooded as layer 2 ethernet broadcasts to destination MAC FF:FF:FF:FF:FF:FF), exactly how is prohibiting all the clients from successfully ARP-resolving the address of the default gateway going to help?

I can imagine the need for ARP-resolving the default gateway if and only if you have aliased many IP networks (one per client?) on top of the single layer 2 network that you’re running. In that situation communication between clients would have to pass the gateway even though technically all clients are part of the same layer 2 network. But even then all the ARP requests will be seen by every client no matter what you do (short of placing a MikroTik device in front of every Alvarion client unit - but that would be silly).

Maybe I just do not fully grasp your network design. Could you describe your architecture in more detail?

–Tom

Sorry. I just realized I mis-typed. I meant to say:

SO, I came up with the idea of achieving “network isolation” by using RouterOS in bridge mode and then dropping all outbound ARP broadcast requests asking for anything other than the default gateway.

My plan would be to place RouterOS devices in front of all of my Alvarion Access Points. The APs support disabling broadcast and/or unicast relaying. I figure if all of my APs had this bridge filtering in front of them, I would have achieved layer 2 isolation (except for directed ARP requests, which I am not concerned about right now).
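For readers who want to see what the bridge filter sketched in this thread looks like in practice, here is an added example; it is not the original poster's export and not from any of the replies. It assumes a RouterOS box bridging two ports, ether1 toward the core and ether2 toward one Alvarion AP, with the customers' default gateway at the placeholder address 10.0.0.1. The parameter names follow the /interface bridge filter documentation for current RouterOS releases; the 2.9 branch discussed above should be checked against its own help output. Rules 3 and 4 go a step beyond the post: they also stop broadcast ARP arriving from the core side (for example from a worm-infected client behind another AP) unless the gateway itself is asking.

```routeros
# Added example, not from the original thread. Assumed names/addresses:
#   bridge1 = bridge of ether1 (core side) and ether2 (Alvarion AP side)
#   10.0.0.1 = default gateway of the customer subnet (placeholder)
# Rules are evaluated top to bottom; the first match wins.
/interface bridge filter

# 1. Clients may resolve the default gateway.
add chain=forward in-interface=ether2 mac-protocol=arp arp-opcode=request \
    arp-dst-address=10.0.0.1/32 action=accept \
    comment="clients may ARP for the gateway"

# 2. Every other *broadcast* ARP request from the AP side is dropped, so a
#    client cannot discover its neighbours by ARP. Unicast (directed) ARP is
#    deliberately left alone, matching the poster's stated scope.
add chain=forward in-interface=ether2 mac-protocol=arp arp-opcode=request \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop \
    comment="drop broadcast ARP for anything but the gateway"

# 3. From the core side, only the gateway may broadcast-ARP for clients
#    behind this AP (extension of the idea in the post).
add chain=forward in-interface=ether1 mac-protocol=arp arp-opcode=request \
    arp-src-address=10.0.0.1/32 action=accept \
    comment="gateway may ARP for clients"

# 4. Broadcast ARP requests from any other upstream host (e.g. an infected
#    client on another AP) are dropped before they reach this AP's clients.
add chain=forward in-interface=ether1 mac-protocol=arp arp-opcode=request \
    dst-mac-address=FF:FF:FF:FF:FF:FF/FF:FF:FF:FF:FF:FF action=drop \
    comment="drop broadcast ARP from other upstream hosts"
```

ARP replies are not touched by any rule, so a client's reply to the gateway's request still passes. Watch the per-rule counters with `/interface bridge filter print stats` while a client pings the gateway and then a neighbour: the accept rule should count for the first case and the drop rule for the second. Note that this only hides neighbours from ARP discovery; as the poster says, a client that already knows another station's MAC address is still in the same layer 2 network, and the AP-side broadcast/unicast relaying settings have to be disabled as well for clients on the same AP.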