Split Horizon Bypass

I am using split horizon on my ports to isolate all my customers. It works well, but wouldn’t you know it, I have one customer who needs to communicate with their office, which is also in my system, over a VPN, and the split horizon is stopping it. Is there any way to get a connection around it so this customer can talk from one port to another and still isolate the rest of the traffic?

As long as you have a full mesh, the clients should be able to communicate with each other. Split horizon is just used to prevent bridging loops. If you do not have a full mesh, then you will need to disable split horizon and use STP or RSTP. Are you using VPLS or BGP-signaled VPLS?

I am using split horizon to isolate clients connected to APs on each port. It works well, so you don’t have to worry about any type of broadcast, DHCP or other traffic traveling between the ports. I don’t want to disable it, as I want to keep the network isolated; I just want to get around it for one customer.

Why don’t you just put them on separate networks? Then you don’t have to worry about broadcast traffic, and you can use firewalling to (dis)allow clients to talk to one another. I don’t believe you should be bridging in this situation.

Bridging works best for us and for our customers, as it allows us to easily get to any piece of equipment and gives a consistent gateway for all customers, so it’s easy to troubleshoot and provision.

Use EoIP/VPLS

(I assume you have MikroTik at each customer site)

No, we do not. Each client connects to an AP with a wireless unit at their location; there is no need to install a separate MikroTik unit at each house, as that adds more overhead and more headaches. We hand out non-routable IPs via a centralized DHCP server, and everything is bridged, which makes for ease of maintenance, as it’s easy to communicate with every part of the network.

So is there any way to tunnel around a bridge that is isolated with split horizon?

I still do not see the need for bridging if you’re using DHCP. Separate the networks, get rid of the bridging, and start a DHCP server instance on each network. There is no easy way to “tunnel” through a bridge that is separated with split horizon. If you want to control how clients talk to each other, then the safest/easiest way is using an IP firewall. You can disable the split horizon and enable use-ip-firewall under /interface bridge settings, then segregate clients with /ip firewall filter.
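A worked RouterOS configuration for the approach in this answer, added here as an example; it is not something posted in the thread. It assumes a RouterOS v6 router with bridge1 carrying the customer AP ports, ether1 as the uplink toward the central DHCP server and gateway, ether2 to ether5 as customer ports (all of these names are assumptions), the customer who needs the connection on ether2 and their office on ether3. It also goes one step past the answer: the IP firewall only ever sees IP packets, so a matching set of /interface bridge filter rules is included for frames such as ARP that would otherwise keep crossing between customer ports.

```routeros
# Added example, not from the thread. Names are assumptions:
#   bridge1        the customer bridge
#   ether1         uplink toward the central DHCP server and gateway
#   ether2-ether5  customer AP ports; ether2 = the customer, ether3 = their office

# 1. Group the customer ports so the rules do not have to list every port
/interface list
add name=customers comment="all customer AP ports on bridge1"
/interface list member
add list=customers interface=ether2
add list=customers interface=ether3
add list=customers interface=ether4
add list=customers interface=ether5

# 2. Remove the split-horizon isolation; the firewall enforces it from now on
/interface bridge port
set [find bridge=bridge1] horizon=none

# 3. Send bridged IP traffic through /ip firewall filter
/interface bridge settings
set use-ip-firewall=yes

# 4. IP firewall: allow exactly one customer-to-customer pair, drop the rest.
#    Order matters: the two accepts must sit above the drop.
/ip firewall filter
add chain=forward in-interface=bridge1 out-interface=bridge1 \
    in-bridge-port=ether2 out-bridge-port=ether3 action=accept \
    comment="customer -> office"
add chain=forward in-interface=bridge1 out-interface=bridge1 \
    in-bridge-port=ether3 out-bridge-port=ether2 action=accept \
    comment="office -> customer"
add chain=forward in-interface=bridge1 out-interface=bridge1 \
    in-bridge-port-list=customers out-bridge-port-list=customers \
    action=drop comment="no other customer-to-customer traffic"
# Traffic between a customer port and ether1 (DHCP, gateway) matches none of
# the rules above and is still forwarded.

# 5. Layer-2 filter for frames the IP firewall never sees (ARP and other non-IP)
/interface bridge filter
add chain=forward in-interface=ether2 out-interface=ether3 action=accept
add chain=forward in-interface=ether3 out-interface=ether2 action=accept
add chain=forward in-interface-list=customers out-interface-list=customers \
    action=drop comment="non-IP frames between other customer ports"

# 6. Check: the drop counters climb when two isolated customers try to reach
#    each other and stay flat for the allowed pair.
/ip firewall filter print stats where chain=forward
/interface bridge filter print stats
```

The bridge filter drop in step 5 would on its own also stop IP between the other customer ports; the IP firewall rules are kept because that is what the answer describes and because they give you the layer-3 matchers (address lists, protocols, ports) if the allowed pair later needs narrowing. Apply this on a maintenance window: between step 2 and step 4 every customer port can briefly see every other one.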

I just told you how…

You’ve created a layer-2 barrier between these two subscribers, so you either need to disable the horizon bridging or encapsulate the customer's traffic in some form of IP-based tunnel (i.e. EoIP/VPLS) in order to get around it.

So either the customer needs to figure this out for themselves, or you need to work out the commercial details of installing a managed RB at each site.
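The tunnel route from the two replies above, as an added example that is not part of the thread: one managed RouterBOARD at the customer's house and one at their office, with an EoIP tunnel between them bridged into each site's LAN, so the customer's two locations share a single Ethernet segment while the provider's bridge keeps split horizon on every port. Assumed: RouterOS v6, the provider gives each RB a fixed (static-lease) address on its WAN port, 10.20.1.10 for the house and 10.20.1.20 for the office, and those two addresses can already reach each other at the IP layer (for instance because the provider router proxy-ARPs on the bridge and routes between them); the tunnel does not create that path by itself. The tunnel is wrapped in IPsec with ipsec-secret because it crosses a shared bridged access network, which the thread does not mention and is a choice made here.

```routeros
# Added example, not from the thread. Addresses and names are assumptions:
#   house RB:  WAN ether1 = 10.20.1.10, LAN ether2
#   office RB: WAN ether1 = 10.20.1.20, LAN ether2
# Both sides must use the same tunnel-id and the same ipsec-secret.

# ---------- house RB ----------
/interface eoip
add name=eoip-office local-address=10.20.1.10 remote-address=10.20.1.20 \
    tunnel-id=100 ipsec-secret="replace-with-a-long-random-secret" \
    comment="layer 2 to the office, GRE inside IPsec"

/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2 comment="house LAN"
add bridge=bridge-lan interface=eoip-office

# Lock the WAN port down to the peer: IKE (udp/500, udp/4500) and ESP carry
# the tunnel once ipsec-secret is set; the provider's DHCP lease still has to
# reach the DHCP client on ether1.
/ip firewall filter
add chain=input in-interface=ether1 connection-state=established,related \
    action=accept
add chain=input in-interface=ether1 src-address=10.20.1.20 protocol=udp \
    dst-port=500,4500 action=accept comment="IKE from office"
add chain=input in-interface=ether1 src-address=10.20.1.20 protocol=ipsec-esp \
    action=accept comment="ESP from office"
add chain=input in-interface=ether1 protocol=udp dst-port=68 action=accept \
    comment="provider DHCP lease"
add chain=input in-interface=ether1 action=drop \
    comment="everything else from the provider side"

# ---------- office RB (mirror image) ----------
/interface eoip
add name=eoip-house local-address=10.20.1.20 remote-address=10.20.1.10 \
    tunnel-id=100 ipsec-secret="replace-with-a-long-random-secret" \
    comment="layer 2 to the house, GRE inside IPsec"

/interface bridge
add name=bridge-lan
/interface bridge port
add bridge=bridge-lan interface=ether2 comment="office LAN"
add bridge=bridge-lan interface=eoip-house

/ip firewall filter
add chain=input in-interface=ether1 connection-state=established,related \
    action=accept
add chain=input in-interface=ether1 src-address=10.20.1.10 protocol=udp \
    dst-port=500,4500 action=accept comment="IKE from house"
add chain=input in-interface=ether1 src-address=10.20.1.10 protocol=ipsec-esp \
    action=accept comment="ESP from house"
add chain=input in-interface=ether1 protocol=udp dst-port=68 action=accept \
    comment="provider DHCP lease"
add chain=input in-interface=ether1 action=drop \
    comment="everything else from the provider side"

# ---------- checks, run on either side ----------
/ping 10.20.1.20 count=3
/interface eoip print            ; the tunnel should carry the R (running) flag
/ip ipsec installed-sa print     ; one SA pair per direction once IKE completes
```

If the ping in the check fails, nothing about the tunnel will help: that is the provider's split horizon at work, and the two WAN addresses need a routed path first. The GRE plus ESP headers push a full 1500-byte LAN frame over the WAN MTU, so expect the outer packets to fragment unless the LAN-side MTU is reduced accordingly.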