Hello,

I work for the local WISP, and we have about 1500 users in our radius. Due to the terrain configuration, we have a backbone link and 5 pppoe servers, one for each area. Each pppoe server is either a PC, or RB1000. Connected to the pppoe, we have a network, or rather, a tree of mikrotik access points, most of which are used both to connect to other APs and to clients, all connected into a bridged network. For some areas that tree is becoming very big, going 4-5 links in depth and composed of up to 40 APs total. To connect APs at a single location, we often use switchs of the non-smart breed.

As we increased the complexity of the AP trees, we, expectantly, noticed that quality of service declined. I suspect such complex bridge-type networks are not quite efficient, especially combined with non-smart, basically soho switches thrown in the mix. And since we have to increase the number of APs for certain areas, I was wondering if there are other ways to setup the network? Perhaps by using tunnels (EoIP, or some other kind)? Also, while we have basic firewall rules on APs to prevent tcp/udp/icmp traffic forward through wireless cards, it's not a really.. elegant solution, to say the least. What kind of firewall rules would you suggest?

Thank you in advance,

ET

Reading your post you already know the answer: don't have a large, bridged network. Route between segments. Keep segments and broadcast domains small. Buy managed switches as that assists in troubleshooting and allows you for redundant paths kept clean by spanning tree. VLANs are great for separating management from user traffic.
Run firewall filters on the CPE as well as the WAN router - there is no point letting traffic into your network that you're going to drop later within your network. Same goes for QoS. Rate limit on the borders for the same reason. You can enforce an AS wide QoS policy by also marking for DSCP on the edges and using those marks on the backbone between WAN and CPE. What exact firewall rules and QoS schemes you apply of course depends on the services you offer.

It isn't really possible to advise in more detail without knowing a whole lot more about your network, at which point you're getting into consultant territory. It isn't reasonable to expect people to invest dozens of hours learning your business goals and implementations to come up with the technical changes to go along with them for free on a forum, in my opinion. Technical change should be driven by business requirements. On the other hand, if you have specific questions on how to implement something after you've figured out what exactly you're trying to implement and you hit a wall, by all means go ahead and ask.

Reading your post you already know the answer: don't have a large, bridged network. Route between segments. Keep segments and broadcast domains small. Buy managed switches as that assists in troubleshooting and allows you for redundant paths kept clean by spanning tree. VLANs are great for separating management from user traffic.
Run firewall filters on the CPE as well as the WAN router - there is no point letting traffic into your network that you're going to drop later within your network. Same goes for QoS. Rate limit on the borders for the same reason. You can enforce an AS wide QoS policy by also marking for DSCP on the edges and using those marks on the backbone between WAN and CPE. What exact firewall rules and QoS schemes you apply of course depends on the services you offer.

It isn't really possible to advise in more detail without knowing a whole lot more about your network, at which point you're getting into consultant territory. It isn't reasonable to expect people to invest dozens of hours learning your business goals and implementations to come up with the technical changes to go along with them for free on a forum, in my opinion. Technical change should be driven by business requirements. On the other hand, if you have specific questions on how to implement something after you've figured out what exactly you're trying to implement and you hit a wall, by all means go ahead and ask.

Thank you very much for the clear answer and for pointing me in the right direction. I believe I'll try segmenting the networks and using either EoIP or VPLS to connect those. I really don't expect anyone to solve problems like this for free, and that is why I didn't give more details about the network, or drawn diagrams and such. As you say, it would be unreasonable. Your answer is actually much more than I expected.

Off topic, in case we do seek consulting, is there anyone you would recommend?

Thank you very much,

ET

What city are you in?

If your CPEs can do it, consider making them PPPoE servers and just doing central authentication via RADIUS. At that point nearly everything can be routed.

I have never used consulting services for RouterOS. I've seen Greg Sowell and Butch Evans present at this year's MUM and they both have excellent sites where they share general advice regarding Mikrotik. I have also taken a training class with Steve Discher that was excellent. I believe he also does consulting services, and owns/runs a WISP.

Not a slight towards anyone else, those are just the people in the US I am aware of. Just ask whoever you contact whether they have WISP experience.

It wasn't efficient to put PPPoE on CPEs. However, i broke segments into 3-4 APs each, routed network in between, and used 9 EoIP tunnels to connect to 9 "PPPoE Servers" (services), on a single Mikrotik. Seems to be working much better, but I'll know more after I check graphs, and customer experience feed-backs, for the following few days.
Still trying to figure out how to use VLANs for management, and I might try VPLS instead of EoIP too, in a week or two. Could be more efficient. If this shows OK, QoS is the next big step.

roadracer96:
I live in Bosnia and Herzegovina.

Thank you for all the help,

ET

I am in a very similar situation, I finally have the network routed, and looking to have a central location to control all users. CPE is made up of all different brands. I am thinking User Manager to control client access such as turning service on/off for billing. Using a Netequalizer for bandwidth control. I am trying to decide on a standard solution that will allow me to conserve as many Live IP's as possible. I would like to have one DHCP server that will hand out Live IP addresses to only customer routers or PCs. Can anyone tell me what the standard solution for providing Live IPs to to clients off of multiple Access Points is ?