Hi
My english is bad and i am new to Mikrotik products so dont kill me =)

493g+r52Hn ,i get ip from isp via dhcp client, all interfaces in brige except one connected to isp :

If something is connected by wire as dhcp client than every new wireless connection makes gate unavailable for wired clients
if something is connected by wire using manual entering of ip mask and gate than all works fine - new wireless connections corrups only dhcp wired clients

/ip pool> print

[slowmouse@MikroTik] /ip pool> print
# NAME RANGES
0 dhcppool 192.168.88.50-192.168.88.250
1 vpnpool 192.168.88.40-192.168.88.49

/interface bridge> print

[slowmouse@MikroTik] /interface bridge> print
Flags: X - disabled, R - running
0 R name="bridgeall" mtu=1500 l2mtu=1520 arp=enabled
mac-address=00:0C:42:A9:B7:BC protocol-mode=none priority=0x8000
auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s
forward-delay=15s transmit-hold-count=6 ageing-time=5m

/interface bridge port> print

[slowmouse@MikroTik] /interface bridge port> print
Flags: X - disabled, I - inactive, D - dynamic
# INTERFACE BRIDGE PRIORITY PATH-COST HORIZON
0 I ether2 bridgeall 0x80 10 none
1 ether3 bridgeall 0x80 10 none
2 ether4 bridgeall 0x80 10 none
3 ether5 bridgeall 0x80 10 none
4 ether6 bridgeall 0x80 10 none
5 I ether7 bridgeall 0x80 10 none
6 ether8 bridgeall 0x80 10 none
7 I ether9 bridgeall 0x80 10 none
8 I wlan2 bridgeall 0x80 10 none

/ip firewall nat> print

[slowmouse@MikroTik] /ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.88.0/24

/ip address> print

Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK INTERFACE
0 192.168.88.1/24 192.168.88.0 bridgeall
1 D 77.37.164.39/23 77.37.164.0 ether1

/ip dhcp-client> print

[slowmouse@MikroTik] /ip dhcp-client> print
Flags: X - disabled, I - invalid
# INTERFACE USE-PEER-DNS ADD-DEFAULT-ROUTE STATU
0 ether1 yes yes bound

/ip dhcp-server> print

[slowmouse@MikroTik] /ip dhcp-server> print
Flags: X - disabled, I - invalid
# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 dhcp1 bridgeall dhcppool 3d yes

/interface wireless> print

[slowmouse@MikroTik] /interface wireless> print
Flags: X - disabled, R - running
0 name="wlan2" mtu=1500 mac-address=00:0C:42:66:4A:5E arp=enabled interface-type=Atheros 11N mode=ap-bridg
ssid="lol" frequency=2412 band=2ghz-b/g/n channel-width=20mhz scan-list=default wireless-protocol=unspec
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no bridge-mode=enabled default-authentication=
default-forwarding=yes default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no security-profile=hom
compression=no

/ip route> print

B - blackhole, U - unreachable, P - prohibit
# DST-ADDRESS PREF-SRC GATEWAY DISTANCE
0 ADS 0.0.0.0/0 77.37.164.1 0
1 ADC 77.37.164.0/23 77.37.164.39 ether1 0
2 ADC 192.168.88.0/24 192.168.88.1 bridgeall 0

What kind of devices are connecting to the wireless? It sounds like a client problem more than anything, I'm not seeing anything weird in the configuration.

You can try setting the horizon option in the bridge port. This prevents traffic coming in on one port of the bridge from leaving another port, so in essence it isolates each port from other ports. Set the same horizon number on each "port" to do this, if that works, look at what devices are connecting to the wireless, or the settings on the machines that connect to the wired.

What kind of devices are connecting to the wireless? It sounds like a client problem more than anything, I'm not seeing anything weird in the configuration.

You can try setting the horizon option in the bridge port. This prevents traffic coming in on one port of the bridge from leaving another port, so in essence it isolates each port from other ports. Set the same horizon number on each "port" to do this, if that works, look at what devices are connecting to the wireless, or the settings on the machines that connect to the wired.

thank you for your advice
devices i tryed : notebooks , phones , usb wifi dongles.

i will try "horizon" soon. thank you

What kind of devices are connecting to the wireless? It sounds like a client problem more than anything, I'm not seeing anything weird in the configuration.

You can try setting the horizon option in the bridge port. This prevents traffic coming in on one port of the bridge from leaving another port, so in essence it isolates each port from other ports. Set the same horizon number on each "port" to do this, if that works, look at what devices are connecting to the wireless, or the settings on the machines that connect to the wired.

H again , strange thing but after reset to defaults and rebuilding configuration all is fine ,
but sometimes i have messages from eset firewalls "arp poisoning" and ip address of router . what it means ? =3

Do you have proxy-arp enabled on any interface? Are you running the hotspot service? Both of those would arp poison a network.

Do you have proxy-arp enabled on any interface? Are you running the hotspot service? Both of those would arp poison a network.

NO and NO =(

and i have my problem again with wifi clients connected

eset firewall log (attack detected)
20.11.2011 19:25:53 Обнаружена атака ARP cache poisoning 192.168.66.1 192.168.66.49 ARP
20.11.2011 19:24:39 Обнаружена атака ARP cache poisoning 192.168.66.1 192.168.66.93 ARP

i changed 88 to 66 (because of new routers with default 88 net)

[slowmouse@MikroTik] /ip arp> print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic
# ADDRESS MAC-ADDRESS INTERFACE
0 D 77.37.164.1 00:00:5E:00:01:01 ether1
1 D 192.168.66.92 40:A6:D9:58:D6:D3 bridgeall
2 D 192.168.66.93 00:19:03:04:FC:F3 bridgeall
3 D 192.168.66.49 90:FB:A6:29:C5:0F bridgeall

bridgeall is dhcp server and 192.168.66.1

Chances are something else is arp poisoning the network then. See if you can find out the MAC address that is doing so in the machine that is generating those logs, and track it down that way. You might be able to check the arp-table of it for the information.

Chances are something else is arp poisoning the network then. See if you can find out the MAC address that is doing so in the machine that is generating those logs, and track it down that way. You might be able to check the arp-table of it for the information.

good evening , is it normal if brigde MAC = ether4 MAC (they are same) ?

changed bridge mac to another (not equal to any interface mac in router) and i get no "arp poison" for 3 days
added rule to firewall to reject tpc/udp input/forward 53 port and i get no "dns cache poison" for 3 days too =)

This topic made me smile... I had the EXACT SAME configuration, RB493G + R52 + Eset running on my wired computer; of course, the same problem and thanks to you, I finally found out a solution that seems to work. Thank you very much Slowmouse!

P.S. I guess it is the first time when "keep googleing it until you find it" really aplies 100% )