Hello,
We have installed CCR1009-7G-1C-1S+ in our premises and enabled the hotspot feature for managing access to the users as well as bandwidth management. We are facing a strange issue, wherein the router starts to send ARP replies/announcement for all the IP addresses in our network with its own MAC. We have checked that proxy-ARP is disabled for all the interfaces. ARP option is set to the default option of “enabled”.
Wireshark capture shows that if a ARP request is sent to the router with IP of a different host, it responds with its own MAC.
What could be reason behind this and how to fix it?
Please follow the hint in my automatic signature below.
The config export is attached to this post.
mikrotik.txt (4.81 KB)
I cannot see anything that could cause the arp=proxy-arp behaviour either.
What I can see is that you haven’t edited out your public IP at one place, so you may want to remove that file and post a better obfuscated one. And, more important, the absence of any rules blocking access to management services of your router (ssh, www, winbox, …) in your firewall means that some malware may have squatted on your CCR already.
So in any case, I’d recommend you to export the configuration as text without the hide-sensitive (do not use /system backup save), store it verbatim somewhere outside the router, then disconnect all the router’s interfaces from the network, netinstall it, copy-paste the text configuration back, create some decent rules in chain input of /ip firewall filter, and only after that, connect the router back to the network. The firewall rules must block access to management of the router also from the client side.
Whether your topic issue, i.e. the arp responses sent by the router itself, are caused by a malware or by some piece of configuration that broke loose is hard to say.