Feklar
Forum Guru
Topic Author
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Maximum number of VLANs on a 450?

Tue Apr 27, 2010 8:20 pm

Hello,

This past week we installed a 450 board on a network that had around 130 VLANs, one for each room, and one for each wireless access point with a hotspot. All of these VLANs were placed on a bridge, and the hotspot was then placed on the bridge. The bridge had RSTP enabled, and we had a filter rule to drop packets with an in and out bridge as the guest bridge.

We managed to get it working for most of the hotel, but several people still had issues getting online. In order to access the access points remotely, we had to try and ping them over the VLAN that they were on, so that they would show up in the hotspot; once they did we could access them normally through port forwarding. A couple of the access points that I checked on had people associated to them, but they did not show up in the host list of the hotspot, so not everyone was getting to the Mikrotik properly. There were also a few log messages about how it was not able to hand out a DHCP lease to certain users, and always the same users. The version that we were running was 4.5. Also, when running torch on the Ethernet interface, when we tried to send traffic to the access points remotely, it would show that traffic being broadcast down almost every single VLAN.

I know the config on the switches is good, since everything was working with the Nomadix that we had in place when we were swapping it out. So my question is, does anyone have an idea as to what went wrong? Is there a limit to how many VLANs that a 450 can handle at once over a bridge? Is there something else that I missed in the configuration that would explain these issues?

If anyone can provide any help or hints, it would be appreciated. Thanks.
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Re: Maximum number of VLANs on a 450?

Wed Apr 28, 2010 12:07 am

It usually isn't a good idea to bridge together multiple VLANs that reside on the same physical interface. Configurations like that can work, but you must be extremely careful.

I would start by ensuring that a frame received on one VLAN will not be forwarded to any other VLAN at layer 2, which is most efficiently accomplished by setting the bridge horizon. Assuming you don't actually need any L2 forwarding on the router, this will do the job:
/interface bridge port set [find] horizon=1
Since a consistent horizon on all bridge ports will eliminate any possibility of loops, you should then get rid of the filter rules and disable RSTP on the router. RSTP probably isn't working correctly anyway, as most switches won't interpret BPDUs received with VLAN tags.

If your situation is more complex than it appears, your configuration may likewise need to be more complex. Stick to the principle of _NEVER_ allowing a L2 frame to be forwarded with MACs intact out the same physical interface it arrived on, even with a new VLAN tag, and you should be fine.

YMMV,
--Eric
 
Feklar
Forum Guru
Topic Author
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Maximum number of VLANs on a 450?

Wed Apr 28, 2010 12:29 am

The reason why we do that is because we need the hotspot functionality, and our more modern networks require each room/access point to be on a separate VLAN for security reasons. So the most efficient way to do this is create all of the VLANs and place them all on the bridge, and then have the hotspot on the bridge. Having separate IP address/hotspots/pools for each VLAN is just madness. :lol:

I'll have to give that a try next time that I can. We wound up having to put the Nomadix back in place for the time being to handle this, so we won't be able to give it a go there again, at least for a while.

The reason why we had RSTP going is that I noticed that without it the Mikrotik won't keep track of what "bridge port" the guest is coming off of, and that's very useful information for us to have when troubleshooting issues.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Maximum number of VLANs on a 450?

Wed Apr 28, 2010 12:35 am

How about just investing in an edge switching platform that has the concept of protected edge ports and doesn't let them talk to one another?
On Cisco you would easily solve this with port ACLs that inbound into the switch only allow same subnet traffic to the gateway, and outbound from the switch only allow same subnet traffic from the gateway, paired with private VLANs. I'm sure other platforms have similar concepts.

I know, not an answer to the exact question, but bridging 130 VLANs is just madness.
 
eflanery
Member
Posts: 376
Joined: Fri May 28, 2004 10:11 pm
Location: Moscow, ID

Re: Maximum number of VLANs on a 450?

Wed Apr 28, 2010 2:11 am

Even with (R)STP turned off, "/interface bridge host print" should show the correct bridge port (VLAN) a MAC was learned on. If not, something else is going on.

Did you perhaps set "external-fdb=yes" on the VLANs? If so, be sure to set them back to "external-fdb=no".

Also, Fewi is absolutely right. Edge port isolation is a far better design choice, if your switches support it.

--Eric
 
CastorTroy
newbie
Posts: 28
Joined: Thu Jul 31, 2008 7:52 pm

Re: Maximum number of VLANs on a 450?

Wed Apr 28, 2010 6:55 pm

The Mikrotik is installed in a hotel. The reason we use VLANs is that putting each room on its own VLAN allows us to keep track of what user is in what room. This helps us both with security and with guest troubleshooting.

Additionally, the Franchise Specs for many US hotel chains require that VLANs be used, not port isolation.
 
Leok
just joined
Posts: 6
Joined: Thu Jun 25, 2009 6:41 pm

Re: Maximum number of VLANs on a 450?

Mon Aug 23, 2010 4:24 pm

We also have a similar problem.

We have several customer connections coming in to our router (RB450G) to one Ethernet interface, each in their own VLAN, from where they are routed to the Internet. The VLANs need to be in the same subnet, because each customer generally needs just 1 fixed IP and assigning separate subnets to each VLAN would be a waste of IP addresses (and madness).

We currently have the VLANs bridged and the subnet assigned to this bridge (filters in place to drop traffic coming in and going out the same bridge). While this works now with ~10 VLANs, we would like to move all the rest of our customers to Mikrotik as well, and then the number of VLANs would increase to ~100.

Any suggestions/solutions on what is the best way to make this work? We do not want a separate switch and a separate port for each customer in front of the RB450G; there has to be another way. Cisco routers can do this with 'ip unnumbered lo0', but what about Mikrotik?
 
Feklar
Forum Guru
Topic Author
Posts: 1724
Joined: Tue Dec 01, 2009 11:46 pm

Re: Maximum number of VLANs on a 450?

Mon Aug 23, 2010 4:53 pm

Try using the horizon feature in the bridge:
http://wiki.mikrotik.com/wiki/Manual:MP ... n_bridging

I haven't had a chance to try it on a network with a high number of VLANs yet, but it does appear to do the job.
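The design Eric laid out earlier in the thread (the same horizon on every bridge port, (R)STP off, external-fdb=no, one hotspot on the bridge) applied to the many-VLAN setup Leok and Feklar are discussing, as an added RouterOS configuration example; this is not from any post in the thread, and the trunk interface ether1, the VLAN ID range 101-230, the bridge name and the addresses are assumptions.

```routeros
# Added example, not from the thread. Assumed: ether1 is the trunk to the hotel
# switches, VLAN IDs 101-230 (one per room/AP), bridge named bridge-guest.

# Bridge with (R)STP off: with a uniform horizon no two bridge ports can
# forward to each other, so the router cannot form a loop, and the switches
# would not interpret the VLAN-tagged BPDUs anyway.
/interface bridge add name=bridge-guest protocol-mode=none

# One VLAN interface per room/AP on the trunk, each added to the bridge with
# the same horizon value, so a frame received on one VLAN is never flooded
# back out ether1 on another VLAN.
:for id from=101 to=230 do={
    /interface vlan add name=("vlan" . $id) vlan-id=$id interface=ether1
    /interface bridge port add bridge=bridge-guest interface=("vlan" . $id) horizon=1
}

# If the ports already exist, apply the horizon to all of them at once
# (Eric's command, restricted to the guest bridge):
/interface bridge port set [find bridge=bridge-guest] horizon=1

# Let the bridge learn MACs itself so "bridge host print" shows which VLAN
# port (room/AP) each client was learned on.
/interface bridge port set [find bridge=bridge-guest] external-fdb=no

# One address, one pool and one hotspot on the bridge instead of one per VLAN.
/ip address add address=10.10.0.1/16 interface=bridge-guest
/ip pool add name=guest-pool ranges=10.10.1.1-10.10.255.254
/ip hotspot add name=guest interface=bridge-guest address-pool=guest-pool

# Checks: the first print should be empty (every port isolated), the second
# lists each client MAC with the VLAN port it came in on.
/interface bridge port print where horizon!=1
/interface bridge host print where bridge=bridge-guest
```

With every port isolated this way, the bridge filter rule dropping in-bridge=out-bridge traffic becomes redundant, which is also a quick way to confirm the horizon is doing its job: its counters should stop increasing.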
 
jherrick
just joined
Posts: 20
Joined: Fri Aug 07, 2009 3:39 am

Re: Maximum number of VLANs on a 450?

Wed Aug 25, 2010 7:32 am

I tried the horizon=1 on all 120 ports. It cuts down the amount of packets the bridge filter drops, however the filter still has activity on my one rule.