For some unknown reason my WAN interface collects public IP addresses.
Setup is quite simple. My Routerboard connects through the IDS with the edge router. The MikroTik is used as a Hotspot gateway to the remote platform. We use a couple of other MikroTiks with firmware 6.29 and these have 5-8 ARP entries. Same type of configuration; however, the device with the large number of ARP entries has an OVPN client running. The issue happened, or we noticed it, yesterday. I’ve rebooted the device but the ARP list remained untouched. Tried to delete all entries but they came back ASAP. Last night we had maybe 4 Hotspot users connected. I’ve increased max-arp-entries to 16k but this is a very temporary solution.
Anyone had similar issues?
Did you try to reproduce it without the “edge router” (is a UBNT thing meant?)?
It may be simply an attempt to flood you: sometimes through the border/edge device, sometimes using it (after exploitation and planting malware/rootkit/APT in), because they are not very good at keeping firmware secure and leave “critical” holes/issues unpatched for weeks, sometimes for months.
If the issue persists without the other elements, then dump your config (not in binary form), and NetInstall your Routerboard back to a consistent/untouched state.
You will be amazed by the vendor-based percentage distribution among router-based hosts for botnets sold on the darknet (of any kind).
What type of WAN connection is it? I have seen this before when an ISP misconfigures a bridge device (i.e. a cable modem). Normally, your WAN port should only see the gateway’s MAC. If something happens and suddenly all of the other clients on the ISP’s network start seeing each other, you will end up with all of them in the MAC table. This happens with some cable modems that bridge the management and user networks. You start seeing all of the DHCP requests for every modem and router on the system.
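
An added example, not part of any post in this thread: a small Python check that compares the ARP entries on the WAN interface against the expectation stated above, that only the gateway's MAC should be visible there. The input format (one `IP MAC interface` row per line), the interface names and all addresses are constructed for illustration and would need adapting to the router's actual ARP listing.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "IP MAC interface" per line, a simplified form of a
# router ARP listing. Addresses are documentation ranges, MACs are made up.
SAMPLE_ARP = """\
203.0.113.1   00:11:22:33:44:01 ether1-wan
203.0.113.57  00:11:22:33:44:a2 ether1-wan
203.0.113.90  00:11:22:33:44:b7 ether1-wan
198.51.100.14 00:11:22:33:44:c9 ether1-wan
198.51.100.80 00:11:22:33:44:c9 ether1-wan
10.5.50.12    00:11:22:33:44:d0 bridge-hotspot
"""

def audit_wan_arp(listing, wan_if, gateway_ip, wan_subnet):
    """Summarise ARP entries on the WAN interface against the expectation
    that only the gateway's MAC should be visible there."""
    subnet = ipaddress.ip_network(wan_subnet)
    gateway = ipaddress.ip_address(gateway_ip)
    ips_by_mac = defaultdict(list)
    for line in listing.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[2] != wan_if:
            continue  # skip blanks, malformed rows and other interfaces
        ips_by_mac[parts[1].lower()].append(ipaddress.ip_address(parts[0]))
    # MAC(s) that answer for the configured gateway address
    gateway_macs = {m for m, ips in ips_by_mac.items() if gateway in ips}
    all_ips = [ip for ips in ips_by_mac.values() for ip in ips]
    return {
        "wan_entries": len(all_ips),
        "gateway_mac_seen": bool(gateway_macs),
        # Many distinct non-gateway MACs is the bridged-segment pattern
        "foreign_macs": sorted(set(ips_by_mac) - gateway_macs),
        # Addresses resolved on the WAN link that are not in its subnet
        "off_subnet_ips": sorted(str(ip) for ip in all_ips if ip not in subnet),
        # A single MAC answering for several addresses
        "macs_with_many_ips": sorted(m for m, ips in ips_by_mac.items() if len(ips) > 1),
    }

if __name__ == "__main__":
    report = audit_wan_arp(SAMPLE_ARP, "ether1-wan", "203.0.113.1", "203.0.113.0/24")
    for key, value in report.items():
        print(f"{key}: {value}")
```

A long `foreign_macs` list matches the bridged ISP segment described in the last reply; the other fields help narrow down what is answering for the unexpected addresses before wiping the device.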