New Member
Posts: 27
Registered: ‎05-22-2017

Router vs bridge

Hi guys.

 

I have done a lot of reading on this topic and no one can give me a straight answer on this topic.

 

I run a small WISP with just under 100 clients so far and am looking to expand to a lot more. I have the entire network in bridge mode at the moment. Can someone please tell me why this is such a bad idea? Every CPE is in bridge mode with a static private IP. From there every client has a router installed at their house that has DHCP enabled on it to hand out addresses for their own LAN.

 

I know most people say that they have their CPEs in router mode, but in my mind why would you turn a radio into a router if you supply the client with a router already? As far as safety is concerned I have a firewall in place at each CPE to drop all packets that want to connect to other clients and my sectors. Then also I have each sector's "isolate clients" turned on.

 

Is there something that I'm missing here?

 

Thank you very much. 

New Member
Posts: 27
Registered: ‎05-22-2017

Bridge mode or Routed

Hi guys.

 

I have done a lot of reading on this topic and no one can give me a straight answer on this topic.

 

I run a small WISP with just under 100 clients so far and am looking to expand to a lot more. I have the entire network in bridge mode at the moment. Can someone please tell me why this is such a bad idea? Every CPE is in bridge mode with a static private IP. From there every client has a router installed at their house that has DHCP enabled on it to hand out addresses for their own LAN.

 

I know most people say that they have their CPEs in router mode, but in my mind why would you turn a radio into a router if you supply the client with a router already? As far as safety is concerned I have a firewall in place at each CPE to drop all packets that want to connect to other clients and my sectors. Then also I have each sector's "isolate clients" turned on.

 

Is there something that I'm missing here?

 

Thank you very much. 

Regular Member
Posts: 605
Registered: ‎03-17-2016
Kudos: 113
Solutions: 40

Re: Bridge mode or Routed

I'm no expert but I'll chime in a little here....

Are your customers routers getting a public or private IP address (wan)? Do some of your clients require public IPs/1:1 Nat?

We still have segments in bridge mode/flat as you describe. We use a combination of both but are always transitioning to routed, especially in newer segments.
One of the biggest issues with running a flat network is broadcast storms. If a loop of sorts arises somewhere it can potentially take down the entire network. You can also have rogue DHCP servers broadcasting onto your network when it's flat. Simply having a customer plug in a wire incorrectly can create a broadcast storm. Essentially running a flat network is fine for most smaller networks. When you start to scale up past a couple hundred clients it's just good practice to have a routed network. Or at least segmented to start.

Reason I ask about public IPs as well is that unless you have a few blocks of ipv4 to just pass out to everyone and anyone you will grow to a point that it's just impossible to do. Yes ipv6 is an option but not fully supported with all equipment these days. Well in my experience it is usable in some cases but not quite there yet to deploy 100% over ipv4.

By routing at tower locations or segments of your network you can hand out private IPs to the clients behind the router and save on publics. Unless you have clients, usually businesses or gamers, that require 1:1 NAT, you can address them differently or give them a public IP if/when needed. This is another reason, but it also really depends on your client type.
Another purpose for routed is redundancy. When you get big enough you need to create multiple paths to route traffic and have alternate paths in case of radio/equipment issues or failure. Even over saturation of links can require multiple paths for traffic to flow and is nearly impossible in a flat network to achieve. Yes you can use stp/rstp for failover in most cases but it's not economical at a large scale. When you start using OSPF/BGP in your network routed is a must and that's when it will make more sense.
As long as you truly have your customers/clients segmented and you're still at a smaller scale as you describe, running a bridge/flat network is fine the majority of the time. Like others say, there isn't one perfect formula for every network. You will get different answers from everyone and we all have different ways to achieve the same things. All of our clients are different and this requires different topology and methods.
Would you mind sharing your firewall procedures you describe along with isolation techniques?
New Member
Posts: 27
Registered: ‎05-22-2017

Re: Bridge mode or Routed

Thank you very much for your reply.

 

To answer your first question. All clients get assigned a private IP address from me from my local subnet. What I sell to clients is a simple, easy, cheap TP-Link WAN router. So I will have a LAN cable from the PoE LAN port going to the client's WAN port on the TP-Link router, which in return is configured with a private IP from my subnet. All of my clients have Internet via the bridge that NATs at my main UBNT EdgeRouter Pro.

 

Then as for broadcast storms I think we're doing OK for the simple reason that I think I have made my network pretty basic. From my ER-Pro I have an ES-Lite and then from port 2 on my ES-Lite I have my airFibers connected directly into that port, which in return goes to my main tower right into another ES-Lite and out of that ES 3 APs connected. So that then goes to all my CPEs. There is no chance of a loop in the network and it will have slim chances for broadcast storms.

 

Then as for rogue DHCPs, that can't happen in my case due to the fact that none of my CPEs receives any DHCP from my router, and then on each CPE dish under the network config tab I have enabled the firewall setting that blocks all DHCP requests by blocking ports 67 and 68.

 

Then I strongly agree with you regarding redundancy. I have no backup link for when a radio fails. However, the new airOS 8.3 allows me to input a second SSID as a backup. All 4 of my APs on towers 1 and 2 are within 1 m of each other. So I won't have a big drop in signal if the CPE fails over to the secondary SSID.

 

Thank you so much for your input and I really value every word you have said. I want to move over to a routed network but was unsure as to the benefits of doing so. My biggest concern was that with a flat network the ARP will eat up all data traffic and that it will kill my network. If that could be stopped via simple firewall rules then I'm all ears. As for the configs that you asked for, it's really basic stuff. On all Rocket Prism AC radios, if it is set to PTMP mode it has an option to isolate clients. I have that turned on so it will stop traffic being broadcast to all CPEs; then to make 100% sure I have set up firewall rules on each CPE (in my case LiteBeam ACs) to drop all traffic going to the other CPEs. I.e. if my CPE is on 192.168.30.1 I add a rule to the firewall to drop all packets going to 192.168.30.0/24 and then a second rule to stop all traffic going to 192.168.20.0/24, which would be the sectors. So in essence the CPE can only talk directly to my router.

 

I hope to hear from you again to point out my mistakes.
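As an added example (not airOS configuration and not the original poster's own config), here is a small first-match packet-filter model of the per-CPE rule set described above: drop DHCP on UDP ports 67 and 68, drop everything to the CPE subnet 192.168.30.0/24 and to the sector subnet 192.168.20.0/24, accept the rest. The gateway address 192.168.30.254 is an assumption (the thread never states the router's LAN address); it is there to show the rule-ordering check a practitioner would run before pushing such rules to a radio: if the upstream router sits inside the /24 being dropped, an explicit accept for it has to precede the subnet drop or the CPE loses its own gateway.

```python
"""Model of the per-CPE firewall policy described in the thread.

Added example, not airOS configuration: a stateless, first-match rule
evaluator that checks what the described rule set (drop UDP 67/68, drop
everything to 192.168.30.0/24 and 192.168.20.0/24) does to representative
packets before the rules are committed to a radio.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Assumed LAN address of the upstream EdgeRouter; the thread never states it.
GATEWAY = "192.168.30.254"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                 # "accept" or "drop"
    dst: Optional[str] = None   # destination CIDR, None = any
    proto: Optional[str] = None
    dport: Optional[int] = None
    comment: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.dst is not None and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(policy: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; an empty or non-matching list accepts."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action, rule.comment
    return "accept", "implicit accept"


# The rule set the thread describes, plus one assumed accept for the gateway.
CPE_POLICY = [
    Rule("drop", proto="udp", dport=67, comment="DHCP server port (thread: block 67/68)"),
    Rule("drop", proto="udp", dport=68, comment="DHCP client port"),
    Rule("accept", dst=GATEWAY + "/32", comment="assumed: upstream router must stay reachable"),
    Rule("drop", dst="192.168.30.0/24", comment="thread rule 1: other CPEs"),
    Rule("drop", dst="192.168.20.0/24", comment="thread rule 2: sector APs"),
    Rule("accept", comment="everything else, i.e. Internet via NAT at the edge router"),
]

# Same rules with the gateway accept omitted, to show why ordering matters.
CPE_POLICY_NO_GATEWAY_ACCEPT = [r for r in CPE_POLICY if r.dst != GATEWAY + "/32"]

# Constructed sample traffic from a CPE at 192.168.30.1 (the thread's example address).
SAMPLES = {
    "neighbour_cpe": Packet("192.168.30.1", "192.168.30.7", "icmp"),
    "sector_ap_https": Packet("192.168.30.1", "192.168.20.2", "tcp", 443),
    "dhcp_discover": Packet("0.0.0.0", "255.255.255.255", "udp", 67),
    "dhcp_offer": Packet("192.168.30.7", "192.168.30.1", "udp", 68),
    "gateway_dns": Packet("192.168.30.1", GATEWAY, "udp", 53),
    "internet_https": Packet("192.168.30.1", "203.0.113.10", "tcp", 443),
}


def audit(policy: List[Rule]) -> dict:
    """Return {sample name: action} for every constructed sample packet."""
    return {name: evaluate(policy, pkt)[0] for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        action, why = evaluate(CPE_POLICY, pkt)
        print(f"{name:16} {pkt.src:>15} -> {pkt.dst:<15} {action:6} ({why})")
    print("gateway reachable without the explicit accept:",
          audit(CPE_POLICY_NO_GATEWAY_ACCEPT)["gateway_dns"])
```

Running the script prints one line per sample packet with the rule that decided it; `audit(CPE_POLICY_NO_GATEWAY_ACCEPT)` shows the gateway traffic being dropped once the accept is missing. The model filters on IP addresses and ports only, which is all the described rules do; it says nothing about Layer 2 reachability, which is the separate point the router-mode replies in this thread make.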

Ubiquiti Employee
Posts: 2,324
Registered: ‎04-14-2017
Kudos: 620
Solutions: 58

Re: Router vs bridge

Did you also post this in the other section?
New Member
Posts: 27
Registered: ‎06-15-2017
Kudos: 5

Re: Router vs bridge


I would also like an answer to this question too. I do like the idea of running CPEs in bridged mode and separating traffic using VLANs, firewalls, and "isolated clients" mode. But I do like the idea of running CPEs in router mode and not having to separate traffic with VLANs, which is complicated for less technical people to understand. I look forward to hearing what the more experienced people on this forum think is best.

Cisco Certified Network Associate (CCNA) Routing & Switching
Bachelor of Science - School of Information Technology
New Member
Posts: 27
Registered: ‎05-22-2017

Re: Router vs bridge

Ozar, I have posted this question by mistake on this forum. The actual forum is here: https://community.ubnt.com/t5/airMAX-Wireless-Networking/Bridge-mode-or-Routed/m-p/2012687#U2012687

Ubiquiti Employee
Posts: 9,041
Registered: ‎11-27-2012
Kudos: 2573
Solutions: 576
Contributions: 73

Re: Router vs bridge

I merged your duplicate threads. In the future, please try not to post the same question in multiple sections.

Ubiquiti Networks airMAX Support Team

Check out our ever-evolving Help Center for answers to many common questions!

New Member
Posts: 27
Registered: ‎06-15-2017
Kudos: 5

Re: Router vs bridge

I really liked @TSHS's answer; it cleared up a lot of questions I had between Router vs Bridged, thanks!
Cisco Certified Network Associate (CCNA) Routing & Switching
Bachelor of Science - School of Information Technology
Established Member
Posts: 779
Registered: ‎09-27-2015
Kudos: 367
Solutions: 15

Re: Router vs bridge

We put CPE radios into router mode to ensure each customer's private network remains separate from our own network. Putting a router inside the customer's home has the same effect, providing the customer doesn't mess with your install. If the customer pulls your WAN cable out of your router they now have a Layer 2 connection to your network, no bueno. Using the CPE as a router, the only way the customer can gain Layer 2 access to our network is if they have their own radio and can somehow connect it to one of our APs; that's very unlikely and we would notice it right away if it somehow did happen.

 

 

New Member
Posts: 27
Registered: ‎05-22-2017

Re: Router vs bridge

Thanks for all the answers gents.

 

I think that I will leave my network bridged at this point in time, as I do not see the benefit of complicating the network by routing everything. Each customer has a router behind the CPE and every CPE is set up with firewall rules to block any DHCP coming in and leaving the network. With client isolation turned on at my towers and with protected ports configured on my ES-Lite it is safer than your average bridge network.

 

Thanks for all the answers. 

Member
Posts: 178
Registered: ‎09-30-2015
Kudos: 12
Solutions: 2

Re: Router vs bridge

We use the dish as the router and that's the PPPoE client, and the customer cannot get in; no matter what he does with the wire in the house he cannot mess with the network. I know another local WISP has the router in the house, so the customer can access his network directly by playing swap-the-wires, not good. We just disable the DHCP in the customer's router and plug the dish into one of its LAN ports; if they need port forwarding we do it. A small amount of effort against tracking network issues.

 

Phill, UK.
