ARP "respond-to" IP address FEATURE REQUEST

Hi guys,
I’m gonna try to explain this as simply as possible (for you and me) :smiley:

Typically an ARP request is sent out with the “reply to” address set to the IP of the interface (or in the case of multiple subnets on a single interface, from the IP of the interface that is in the same subnet as the IP we’re ARPing for). However, I have a special case.

I have a bridge interface and static routes for 5 subnets set to route out the bridge, although there are no addresses from those subnets assigned on the bridge.

I do have other RFC1918 addresses set on that bridge. I’ve found that RouterOS is sending ARP requests for those 5 subnets NOT on the bridge with the “reply to” address set to the LOWEST of the RFC1918 addresses that ARE on the bridge.

My basic request is that we’re given some ability to set what the “reply to” address is when ARP requests are being sent out an interface which has no IP address in the same subnet the ARP request is for. Otherwise it seems to default to the lowest address on the interface.

Cheers!

Have you tried setting the preferred-source field on your static routes pointing to the bridge?

edit: sorry for the long post, might be worth the read though :slight_smile:

I just tried that, and ARPs are still being sent with the lowest IP of the bridge as the “reply to” address :frowning:.

So, since the “reply to” address being used is an IP routed over my VPN, a minute or two (when the mtik’s ARP timeout expires) after connecting to my VPN, I can no longer reach any services over it because my Mtik cannot resolve my machine’s MAC address, since I think my machine is trying to reply over the VPN.

As you may have guessed, my machine’s default gateway does NOT reside on the Mtik, but my traffic does pass through the Mtik’s bridge interface on the way to its default gateway. I have a bridge NAT rule set so any traffic from my machine to the VPN server is redirected on the Mtik (since the Mtik can reach the VPN host directly), so it doesn’t reach the normal configured default GW. And hence, I have static routes set so any traffic from the VPN server reaching my machine doesn’t need to go through the default gateway either; it’s routed directly out the bridge. The default gateway I’m speaking about is a bandwidth rate limiter and traffic accounter, so I don’t want traffic to or from management services going over it.

I have other management IP addresses configured on this bridge (I know, one big spread out, multiple subnet VLAN :frowning:, that’s a separate problem) that are routed over the VPN.

My goal is to have the “reply to” address be something NOT routed over the VPN. Since I’m routing all of 10.0.0.0/8 over it, I can’t just assign a lower IP address on the bridge; there are none. I can’t use a public IP either, all of mine are higher than 10.0/8. So I would like to use a 172.16/12 IP, and have some hope of setting the “reply to” address in ARP requests to that IP, when it’s ARPing for hosts that aren’t in a subnet on the bridge.

Another option for me would probably be just to configure the VPN to exclude routing this one particular “lowest IP” over it, so ARPs can be responded to. I’m gonna try that next.

That worked, but I still desire some way to set the “reply to” address.

I use the same traffic redirection scheme mentioned above so our customers aren’t billed for our network monitoring communications, DNS, etc. A problem arises when a customer’s device has our IP on its WAN interface, and the same subnet as the “lowest IP” on our bridge on their LAN interface. See what I mean? When my mtik sends an ARP request to such a device, it tries to reply to it over its LAN interface… so then it can’t reach our management services, unless I set up static ARP entries for those devices.

Bumping since I posted on a quiet day and may not have been seen.
The “preferred src” address is a viable option if it also sets the ARP “reply to” address used when sending ARP requests for those routes that don’t actually have an IP on the interface.
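The sender-address behaviour described in the opening post (same-subnet address if one exists, otherwise the lowest address on the interface) and the preferred-source variant suggested in the replies, as an added example that is neither RouterOS code nor anything posted in this thread. The bridge addresses, MAC and target IPs are constructed; the `preferred_sender_ip` rule is a hypothetical model of what the poster is asking for, not documented RouterOS behaviour. The block also builds and parses raw ARP request packets and includes a small audit check that flags requests whose target lies outside every subnet configured on the interface, which is exactly the case where the answering host must route its reply to the sender IP instead of replying on-link.

```python
import ipaddress
import struct

# Constructed sample configuration (not from the thread): three RFC1918
# addresses on the bridge, none of them in the statically routed subnets.
BRIDGE_ADDRESSES = [
    ipaddress.ip_interface("10.0.5.1/24"),
    ipaddress.ip_interface("10.20.0.1/24"),
    ipaddress.ip_interface("172.16.9.1/24"),
]


def default_sender_ip(target_ip, addresses):
    """Sender ("reply to") address as the post describes RouterOS picking it:
    an interface address in the target's subnet if there is one, otherwise
    the numerically lowest address configured on the interface."""
    target = ipaddress.ip_address(target_ip)
    for addr in addresses:
        if target in addr.network:
            return addr.ip
    return min(addr.ip for addr in addresses)


def preferred_sender_ip(target_ip, addresses, preferred=None):
    """Hypothetical rule the poster is asking for: identical when a
    same-subnet address exists, but an explicitly configured preferred
    source (which must itself be on the interface) replaces the
    lowest-address fallback for routed-only targets."""
    target = ipaddress.ip_address(target_ip)
    for addr in addresses:
        if target in addr.network:
            return addr.ip
    if preferred is not None:
        pref = ipaddress.ip_address(preferred)
        if any(pref == addr.ip for addr in addresses):
            return pref
    return min(addr.ip for addr in addresses)


# ARP header fields: htype, ptype, hlen, plen, oper, sha, spa, tha, tpa.
ARP_FMT = "!HHBBH6s4s6s4s"


def build_arp_request(sender_mac, sender_ip, target_ip):
    """Serialise an Ethernet/IPv4 ARP request (ARP payload only)."""
    return struct.pack(
        ARP_FMT, 1, 0x0800, 6, 4, 1,
        bytes.fromhex(sender_mac.replace(":", "")),
        ipaddress.ip_address(sender_ip).packed,
        b"\x00" * 6,
        ipaddress.ip_address(target_ip).packed,
    )


def parse_arp(packet):
    """Decode an ARP packet into its fields; rejects non-Ethernet/IPv4 ARP."""
    size = struct.calcsize(ARP_FMT)
    if len(packet) < size:
        raise ValueError("ARP packet too short")
    htype, ptype, hlen, plen, oper, sha, spa, tha, tpa = struct.unpack(
        ARP_FMT, packet[:size])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    return {
        "oper": oper,
        "sha": sha.hex(":"),
        "spa": ipaddress.ip_address(spa),
        "tha": tha.hex(":"),
        "tpa": ipaddress.ip_address(tpa),
    }


def off_subnet_requests(packets, addresses):
    """Audit check: return (spa, tpa) pairs for ARP requests whose target is
    not in any subnet configured on the interface. The target host then has
    to route its reply to the sender IP rather than answering on-link, the
    failure mode the thread describes."""
    flagged = []
    for pkt in packets:
        arp = parse_arp(pkt)
        if arp["oper"] != 1:
            continue
        if not any(arp["tpa"] in addr.network for addr in addresses):
            flagged.append((str(arp["spa"]), str(arp["tpa"])))
    return flagged


def demo():
    """Apply both selection rules to a routed-only target and audit the
    resulting request packets."""
    mac = "02:00:00:00:00:01"   # constructed bridge MAC
    routed_target = "10.99.1.2"  # in a routed subnet, not on the bridge
    onlink_target = "10.0.5.77"  # in a subnet configured on the bridge
    frames = [
        build_arp_request(mac, default_sender_ip(t, BRIDGE_ADDRESSES), t)
        for t in (routed_target, onlink_target)
    ]
    return {
        "default": str(default_sender_ip(routed_target, BRIDGE_ADDRESSES)),
        "preferred": str(preferred_sender_ip(routed_target, BRIDGE_ADDRESSES, "172.16.9.1")),
        "flagged": off_subnet_requests(frames, BRIDGE_ADDRESSES),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows the default rule picking 10.0.5.1 (the lowest bridge address) for the routed-only target, the preferred-source variant picking 172.16.9.1 instead, and the audit flagging only the request for 10.99.1.2; the request for the on-link 10.0.5.77 is not flagged because the bridge has an address in that subnet.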