I have been having an issue with one particular rb1100 v6.7 randomly pulling my full networks bandwidth for about 30 seconds at a time. Bandwidth from my upstream provided maxes out for about 30 seconds to the WAN port on this router but I don't see it leaving the router. I have the btest server disabled, only services running are winbox and api which are locked to an address list. The password has been changed multiple times and I log any attempted access to an address list. The logs never show any access attempt.This previously happened with a 493G at this location as well. I'm at loss as to how this might be happening as I can always trace the spike back to this same tower. Any thoughts or suggestions would be greatly appreciated.

Is your WAN part of a bridge?
if you torch WAN interface when this happens can you see what type of traffic it is and what device is generating it?
It can be broadcast...

Yes it is a on a bridge. I've never been able to get to it to it while its happening since it happens so quick and at random times sometimes may be months in between events.Also since the all the upstream bandwidth is being used it wouldn't be possible to get in unless I was at a location on the private side of the network when it happens.Is there someway to setup a syslog server onsite and torch the interface and have it stored on the server?

Yes it is a on a bridge. I've never been able to get to it to it while its happening since it happens so quick and at random times sometimes may be months in between events.Also since the all the upstream bandwidth is being used it wouldn't be possible to get in unless I was at a location on the private side of the network when it happens.Is there someway to setup a syslog server onsite and torch the interface and have it stored on the server?

I'm positive that's a broadcast storm. What subnet do you have on that bridge?
Try removing it from the bridge. You shouldn't have WAN interfaces on a bridge.

The wan bridge is on a private 10.x subnet that has the backhaul links.All the public ip's are on the LAN bridge with all the AP's. Is there someway to confirm that it is a broadcast storm or firewall rules that should be in place to block illegal broadcast messages? Every time it occurs I can always track the bandwidth to the one interface for this towers licensed link. I'm not familiar with broadcast storms so any help is greatly appreciated.

Well something or someone is creating a loop in your bridge and if that is the case I bet the whole bridge suffers, meaning all equipment in the bridge.
Bridges.... dangerous

cheers

Its definitely not ideal and I'm not sure why the bridged network was setup in the first place as the original network architect is long gone. With 27 towers its quite a project to undertake in the redesign. How would one go about creating a loop to bring in all the bandwidth from the upstream provider. It seems to me that its almost like a speedtest is being initiated from the router itself as nothing else would be capable of pulling 300 mb/s. Any suggestions on how to stop this other than a complete network redesign?

personally I'm not a big fan of bridges, especially on backbone... for that I use OSPF.
I believe it will be an idea to enable RSTP on all bridges, enable the layer 2 firewall in bridge settings and start firewalling on layer 2.
Also be careful with the MAC addresses of all bridges, they are dynamically assigned...
Other then that.... I believe you'll find more answers here: http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge
OSI Layer 2 is a different world all together... a very dangerous one if used in backbone

cheers

We are seeing the same issue with spikes on our bridge traffic. When we do a tcpdump we find that the main router is just dumping random traffic out on all ports of the bridge and for some reason ignoring where it should go based on the entries in the bridge host table. Ours is pretty regularly about once every 2 minutes and sends these spike of 1-2Mbps to every device connected to the bridge. Im pretty sure at this point it is a bug in Mikrotik and possibly happened when the host table is larger like a few thousand entries.

We are seeing the same issue with spikes on our bridge traffic. When we do a tcpdump we find that the main router is just dumping random traffic out on all ports of the bridge and for some reason ignoring where it should go based on the entries in the bridge host table. Ours is pretty regularly about once every 2 minutes and sends these spike of 1-2Mbps to every device connected to the bridge. Im pretty sure at this point it is a bug in Mikrotik and possibly happened when the host table is larger like a few thousand entries.

You are a very brave man having a bridge with thousand of entries!
For that amount of hosts 1-2mbps broadcast traffic is nothing.

cheers