Catch Gateway IP Thief?

I believe I have a client trying to use the IP of my gateway router. Is there a way to log each change in the ARP table for a specific IP? I need to know what MAC address is attempting to use the IP of my gateway router. The only evidence that anyone is trying to use the gateway IP is that pings to devices connected to the gateway get dropped for 5-10 consecutive pings, except when I set the gateway MAC address as a static ARP entry on the device I am pinging.

Any other way to catch them?

On my old FreeBSD server I was able to run dmesg to see when this would happen.

OK, using the code below, I have discovered that other MikroTik boxes are causing the issue…

The correct gateway MAC address is 00:40:F4:28:12:D4; all the other MAC addresses are those of Crossroads boards that are configured as pseudobridges. Any suggestions why the MACs are changing?

# Run repeatedly from /system scheduler (a short interval gives finer timing).
# Reads the ARP entry for the gateway IP and logs whenever the MAC behind it
# differs from the one recorded on the previous run.
:global oldmac
:global newmac [/ip arp get [/ip arp find address=xxx.xxx.xxx.1] mac-address]
:if ($newmac != $oldmac) do={:log info "mac change $newmac"; :set oldmac $newmac}

The results…

17:20:14 script,info mac change 00:0C:42:14:0D:15 
17:20:28 script,info mac change 00:40:F4:28:12:D4 
17:37:12 script,info mac change 00:0C:42:08:6D:0D 
17:37:16 script,info mac change 00:40:F4:28:12:D4 
17:46:10 script,info mac change 00:0C:42:14:13:75 
17:46:14 script,info mac change 00:40:F4:28:12:D4 
18:12:34 script,info mac change 00:0C:42:08:6D:0D 
18:12:46 script,info mac change 00:40:F4:28:12:D4 
18:15:44 script,info mac change 00:0C:42:08:6D:0D 
18:15:52 script,info mac change 00:40:F4:28:12:D4 
18:38:32 script,info mac change 00:0C:42:08:6D:0D 
18:38:36 script,info mac change 00:40:F4:28:12:D4 
18:54:02 script,info mac change 00:0C:42:14:13:81 
18:54:06 script,info mac change 00:40:F4:28:12:D4 
18:55:06 script,info mac change 00:0C:42:08:6D:0D 
18:55:18 script,info mac change 00:40:F4:28:12:D4 
19:00:02 script,info mac change 00:0C:42:14:13:75 
19:00:06 script,info mac change 00:40:F4:28:12:D4 
19:31:38 script,info mac change 00:0C:42:14:13:75 
19:31:42 script,info mac change 00:40:F4:28:12:D4 
19:32:50 script,info mac change 00:0C:42:14:13:75 
19:32:58 script,info mac change 00:40:F4:28:12:D4
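The log above answers "which MAC" but not "how often" or "for how long". The following is an added example (not from the post, and not RouterOS code) that parses exactly these "mac change" lines off-box and turns them into a per-offender incident table. It assumes the gateway MAC given in the post (00:40:F4:28:12:D4) is the legitimate one, that the log format is RouterOS's default "HH:MM:SS topics message", and that the duration resolution is whatever interval the logging script is scheduled at; the sample log is copied from the post.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Real gateway MAC as stated in the post; any other MAC seen for the gateway
# IP is treated as a conflicting (possibly spoofed) ARP entry.
GATEWAY_MAC = "00:40:F4:28:12:D4"

# Log lines copied from the post (RouterOS format: "HH:MM:SS topics message").
SAMPLE_LOG = """\
17:20:14 script,info mac change 00:0C:42:14:0D:15
17:20:28 script,info mac change 00:40:F4:28:12:D4
17:37:12 script,info mac change 00:0C:42:08:6D:0D
17:37:16 script,info mac change 00:40:F4:28:12:D4
17:46:10 script,info mac change 00:0C:42:14:13:75
17:46:14 script,info mac change 00:40:F4:28:12:D4
18:12:34 script,info mac change 00:0C:42:08:6D:0D
18:12:46 script,info mac change 00:40:F4:28:12:D4
18:15:44 script,info mac change 00:0C:42:08:6D:0D
18:15:52 script,info mac change 00:40:F4:28:12:D4
18:38:32 script,info mac change 00:0C:42:08:6D:0D
18:38:36 script,info mac change 00:40:F4:28:12:D4
18:54:02 script,info mac change 00:0C:42:14:13:81
18:54:06 script,info mac change 00:40:F4:28:12:D4
18:55:06 script,info mac change 00:0C:42:08:6D:0D
18:55:18 script,info mac change 00:40:F4:28:12:D4
19:00:02 script,info mac change 00:0C:42:14:13:75
19:00:06 script,info mac change 00:40:F4:28:12:D4
19:31:38 script,info mac change 00:0C:42:14:13:75
19:31:42 script,info mac change 00:40:F4:28:12:D4
19:32:50 script,info mac change 00:0C:42:14:13:75
19:32:58 script,info mac change 00:40:F4:28:12:D4
"""

LINE_RE = re.compile(r"^(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+mac change\s+"
                     r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})$")

def parse_mac_changes(log_text):
    """Return [(timestamp, MAC), ...] in log order. RouterOS logs carry only a
    wall-clock time, so the date is a placeholder and a time earlier than the
    previous one is taken as a midnight roll-over (only differences matter)."""
    events, day, prev = [], datetime(2000, 1, 1), None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # unrelated topic or malformed line
        t = datetime.strptime(m.group("time"), "%H:%M:%S").time()
        ts = datetime.combine(day.date(), t)
        if prev is not None and ts < prev:
            day += timedelta(days=1)
            ts = datetime.combine(day.date(), t)
        prev = ts
        events.append((ts, m.group("mac").upper()))
    return events

def find_incidents(events, gateway_mac=GATEWAY_MAC):
    """Pair each change to a non-gateway MAC with the next change away from it.
    Each incident is {"mac", "start", "end", "seconds"}; end/seconds are None if
    the log ends with the rogue MAC still holding the IP. Resolution is the
    interval the logging script is scheduled at."""
    gateway_mac = gateway_mac.upper()
    incidents, current = [], None  # current = (start, rogue_mac) while one holds the IP
    for ts, mac in events:
        if current is not None and mac != current[1]:
            start, rogue = current
            incidents.append({"mac": rogue, "start": start, "end": ts,
                              "seconds": (ts - start).total_seconds()})
            current = None
        if mac != gateway_mac and current is None:
            current = (ts, mac)
    if current is not None:
        incidents.append({"mac": current[1], "start": current[0],
                          "end": None, "seconds": None})
    return incidents

def summarize(incidents):
    """Per offending MAC: incident count, total and longest outage and still-open
    incidents, sorted so the MAC that cost the most time comes first."""
    per_mac = defaultdict(lambda: {"count": 0, "total_seconds": 0.0,
                                   "max_seconds": 0.0, "open": 0})
    for inc in incidents:
        s = per_mac[inc["mac"]]
        s["count"] += 1
        if inc["seconds"] is None:
            s["open"] += 1
        else:
            s["total_seconds"] += inc["seconds"]
            s["max_seconds"] = max(s["max_seconds"], inc["seconds"])
    return dict(sorted(per_mac.items(),
                       key=lambda kv: kv[1]["total_seconds"], reverse=True))

if __name__ == "__main__":
    for mac, s in summarize(find_incidents(parse_mac_changes(SAMPLE_LOG))).items():
        print(f"{mac}  incidents={s['count']}  total={s['total_seconds']:.0f}s"
              f"  longest={s['max_seconds']:.0f}s  still_active={s['open']}")
```

On the posted log this yields eleven incidents from four Crossroads MACs, with 00:0C:42:08:6D:0D responsible for five of them and about 40 seconds of lost gateway reachability in total. The same numbers match the 5-10 dropped pings described in the first post, and the per-MAC table is what you would hand to whoever owns those boards. Feed it `/log print` output saved from the router and it will ignore unrelated topics.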

OK, six months later and I still have this problem… only worse, because we have added many more Crossroads configured as pseudobridges.

I do believe the issue is with using the pseudobridge configuration. On our network, we have several RB411s running station WDS with 900 MHz cards and they never appear as the "thief". We also have a few Crossroads boards using WDS and they do not appear as the "thief" either.

I have tried both pseudobridge and pseudobridge clone with the same results.

Not sure how the pseudobridges are broadcasting the change, but maybe a good solution would be to block the requests on the pseudobridge?

MIKROTIK SUPPORT, I need your help… this might force us to drop MikroTik if we can't find a solution.

Have you e-mailed support@mikrotik.com?

I have contacted support and their suggestions have not helped (setting RSTP and an admin MAC on the bridge of the Crossroads board). The only way I have been able to prevent the Crossroads board from broadcasting its MAC as the gateway is to create an EoIP tunnel from the Crossroads to the gateway while placing the EoIP tunnel interface on the gateway into a bridge by itself. I then disable pseudobridge on the Crossroads, remove wlan1 from the Crossroads bridge and add the EoIP tunnel to the bridge.

While this can be done, it is a real band-aid solution and requires more steps than I had hoped for.

ALSO, I have now switched to using RB411s in pseudobridge mode and NONE of these boards have this problem!! This must be a Crossroads problem???

Anyway, I was wondering if there might be a way to create a filter on the Crossroads bridge to stop the outgoing ARP broadcast (or whatever is causing the problem) using the combination of the Crossroads MAC address and my gateway IP; however, I don't have enough knowledge to know how to filter the correct information.

Does anyone have any suggestions on what type of ARPs (or whatever) are being done that would cause other devices on the network to think the gateway has changed its IP?