Hello,
There is little documentation on RouterOS anti-spoofing protection.
Could you point out some documentation about anti-spoofing protection in RouterOS?
I set up static IPs and static ARP.
What can I do next?
Or is ARP anti-spoofing a lost war in advance?
Kind regards,
FFries
For Layer 3 anti-spoofing:
/ip settings rp-filter=loose
which does RFC3704 anti-spoofing, https://help.mikrotik.com/docs/display/ROS/IP+Settings
The firewall also does too, but depends on what you have configured 
.
Great thanks!
Will this also protect me from ARP poisoning?
Unfortunately there’s not a lot in the way of proper anti-spoofing (DHCP snooping, IP source guard, etc) on Mikrotik products. I’ve generally found these features to cause more problems than they are worth though with various interop issues and bugs.
Thanks.
How can I protect against ARP poisoning?
I set up static ARP and static IPs, what can I do more?
Tend to agree with @R1CH: “I’ve generally found these features to cause more problems than they are worth though”
You can disable arp on the interfaces. Or use smaller subnets, to force L3 routing. Or, If you’re using a bridge, then perhaps bridge “filter” MAY allow you more control - but then again the traffic have to go through the Mikrotik bridge to be caught. But rp_filter won’t likely help for ARP,but rp-filer =loose is almost always good idea, and the kernel’s “arp_filter” isn’t exposed since the interfaces control arp configuration (also somewhat limited even it was).
Configuration by fear is not really the best approach.
What are you afraid of?
Focus on allowed traffic and drop all else gets you 99% of the way to a confiig.