DHCP conflict by ARP

Hello,
I’ve noticed a very strange behaviour on my hAP ac2. When the router connects via SSTP to a RB2011, the log starts flooding with warning messages like “Detected conflict by ARP response for 172.16.1.249 from 6C:3B:6B:D6:0A:3E”. I searched and found that the MAC prefix 6C:3B:6B belongs to a Mikrotik device (it is the RB2011). At the same time, the log on the RB2011 starts flooding with warnings like “dhcp1 offering lease 192.168.21.48 for 82:8B:7F:A8:F4:16 without success”; that MAC is an iPhone6 (iOS14, with Private Addressing disabled) connected to the WiFi AP of the hAP ac2. Two other hAP ac2’s that connect in exactly the same way don’t have this issue. The RB2011 bridge is set to arp-proxy, and the hAP ac2’s bridge is set to ARP:enabled. On the other hAP ac2’s there are newer iOS devices connected via WiFi that work like a charm. On the troubled hAP ac2 there is also a MacBook Pro connected via WiFi that isn’t causing any problem. I cannot find what is wrong. Any ideas?
Thanks in advance.

# nov/30/2020 14:19:40 by RouterOS 6.47.8
# model = RBD52G-5HacD2HnD

# Physical radios: both run as access points (mode=ap-bridge). No
# security-profile is named on them, so they presumably use the default
# profile - confirm. Values shown as "!!!!!" were redacted by the poster.
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n comment=!!!!!_2GHz disabled=\
    no distance=indoors frequency=auto installation=indoor mode=ap-bridge \
    ssid=!!!!!_2GHz station-roaming=enabled wireless-protocol=802.11
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=\
    20/40/80mhz-XXXX comment=!!!!!_5GHz disabled=no distance=indoors \
    frequency=auto installation=indoor mode=ap-bridge ssid=!!!!!!!_5GHz \
    station-roaming=enabled wireless-protocol=802.11
# Single LAN bridge with a fixed (redacted) MAC address.
/interface bridge
add admin-mac=!!:!!:!!:!!:!!:!! auto-mac=no comment=\
    "Local main bridge interface" name=Bridge.local
# ether1 is the Internet uplink (it is also placed in the WAN list later).
/interface ethernet
set [ find default-name=ether1 ] comment=\
    "Internet feed from Cosmote FTTH 100M/10M" rx-flow-control=auto
/interface wireless manual-tx-power-table
set wlan1 comment=!!!!!_2GHz
set wlan2 comment=!!!!!_5GHz
/interface wireless nstreme
set wlan1 comment=!!!!!!_2GHz
set wlan2 comment=!!!!!!_5GHz
# Interface lists referenced by the firewall and NAT rules.
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
# NOTE(review): both profiles accept wpa-psk (original WPA) alongside wpa2-psk.
# If no legacy client needs it, allowing only wpa2-psk is the safer setting.
# The pre-shared keys themselves do not appear in this export.
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    supplicant-identity=MikroTik
# Guest SSIDs as virtual APs on top of wlan2 (wlan3) and wlan1 (wlan4), both
# using the separate security profile named "profile".
/interface wireless
add mac-address=!!:!!:!!:!!:!!:!! master-interface=wlan2 name=wlan3 \
    security-profile=profile ssid="!!!!!'s Guest Wireless Network" \
    station-roaming=enabled
add mac-address=!!:!!:!!!:!!!:!!:!! master-interface=wlan1 name=wlan4 \
    security-profile=profile ssid="!!!!!!'s Guest Wireless Network" \
    station-roaming=enabled
# DHCP for the local LAN: 21 addresses handed out on Bridge.local.
# add-arp=yes makes the server add ARP entries for its leases.
/ip pool
add name=DHCP_Pool.local ranges=172.16.1.234-172.16.1.254
/ip dhcp-server
add add-arp=yes address-pool=DHCP_Pool.local always-broadcast=yes disabled=no \
    interface=Bridge.local lease-time=8h10m name=DHCP_Srv.local
# The reply under this export identifies this row (*FFFFFFFE) as the
# default-encryption profile used by SSTP_ToOffice. With bridge= set here and
# a bridge also set on the server-side profile, BCP is negotiated and the
# tunnel becomes a port of Bridge.local, joining both sites at layer 2.
# NOTE(review): in that mode the remote site's DHCP/ARP broadcasts land
# directly on this LAN, and bridged frames are presumably not evaluated by the
# /ip firewall filter forward rules unless the bridge is set up to pass
# traffic through the IP firewall - confirm this is really intended.
/ppp profile
set *FFFFFFFE bridge=Bridge.local
# SSTP client towards the office router (host, port and proxy port redacted).
# NOTE(review): mschap1 is offered in addition to mschap2; MS-CHAPv1 is the
# weaker of the two and can be dropped if the server accepts mschap2.
# NOTE(review): no verify-server-certificate setting is visible, so it is
# presumably at its default - confirm the client validates the server
# certificate; otherwise the TLS layer does not authenticate the office end.
/interface sstp-client
add authentication=mschap1,mschap2 connect-to=\
    -------------.sn.mynetname.net:---- http-proxy=0.0.0.0:---- name=\
    SSTP_ToOffice profile=default-encryption user=!!!!!!!_Faliro
/queue interface
set wlan1 queue=only-hardware-queue
set wlan2 queue=only-hardware-queue
set wlan3 queue=only-hardware-queue
set wlan4 queue=only-hardware-queue
# Bridge-level isolation for the guest virtual APs: drop every frame bridged
# to or from wlan3/wlan4. The "not ready" / "matcher not possible" lines were
# written by RouterOS at export time.
# NOTE(review): those warnings suggest the rules were not effective when the
# export was taken. wlan3/wlan4 are ports of Bridge.local (see the bridge port
# section below), so while the rules are inactive guest clients share the main
# LAN segment. Verify the rules once both virtual APs are running.
# NOTE(review): these rules only cover the bridge forward chain; traffic from
# guests to the router itself, and traffic routed by it, is not limited here.
/interface bridge filter
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward in-interface=wlan3
# wlan3 not ready
# in/out-bridge-port matcher not possible when interface (wlan3) is not slave
add action=drop chain=forward out-interface=wlan3
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward in-interface=wlan4
# wlan4 not ready
# in/out-bridge-port matcher not possible when interface (wlan4) is not slave
add action=drop chain=forward out-interface=wlan4
# Members of Bridge.local: ether2-ether5, both radios and both guest VAPs.
/interface bridge port
add bridge=Bridge.local comment=defconf interface=ether2
add bridge=Bridge.local comment=defconf interface=ether3
add bridge=Bridge.local comment=defconf interface=ether4
add bridge=Bridge.local comment=defconf interface=ether5
add bridge=Bridge.local comment=defconf interface=wlan1
add bridge=Bridge.local comment=defconf interface=wlan2
add bridge=Bridge.local interface=wlan3
add bridge=Bridge.local interface=wlan4
# NOTE(review): neighbor discovery runs on every interface, including ether1,
# which this export places in the WAN list. Limiting it to the LAN list avoids
# announcing the router to the upstream network.
/ip neighbor discovery-settings
set discover-interface-list=all
# LAN contains only Bridge.local and WAN only ether1; the SSTP client
# interface is in neither list.
/interface list member
add comment=defconf interface=Bridge.local list=LAN
add comment=defconf interface=ether1 list=WAN
# Per-interface access-list entries applying ap-tx-limit=8 to the guest VAPs.
/interface wireless access-list
add ap-tx-limit=8 interface=wlan4
add ap-tx-limit=8 interface=wlan3
# NOTE(review): the LAN address is assigned to ether2, which is also a port of
# Bridge.local. The usual practice is to place the address on the bridge
# interface itself rather than on a member port - confirm and move if so.
/ip address
add address=172.16.1.1/24 comment=defconf interface=ether2 network=172.16.1.0
# Enables the MikroTik cloud DDNS name for this router.
/ip cloud
set ddns-enabled=yes
# WAN address comes from DHCP on ether1; DNS servers offered by the upstream
# are ignored (use-peer-dns=no).
/ip dhcp-client
add comment=defconf disabled=no interface=ether1 use-peer-dns=no
# DHCP server alerting on the bridge. No valid-server is listed here.
# NOTE(review): while the SSTP tunnel is bridged into Bridge.local, the office
# DHCP server is presumably visible on this segment as well - check the alerts.
/ip dhcp-server alert
add alert-timeout=none disabled=no interface=Bridge.local
/ip dhcp-server network
add address=172.16.1.0/24 comment=defconf dns-server=172.16.1.1 gateway=\
    172.16.1.1 netmask=24
# The router answers DNS queries from clients (allow-remote-requests=yes).
# Only the input-chain rule dropping traffic that does not come from the LAN
# list keeps this resolver from being reachable on other interfaces.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8,8.8.4.4
/ip dns static
add address=172.16.1.1 comment=defconf name=router.lan
# Input chain (traffic to the router itself): default-configuration rules.
# The last input rule drops everything that does not arrive on an interface in
# the LAN list, and the LAN list contains only Bridge.local.
# NOTE(review): when the SSTP tunnel is bridged into Bridge.local via BCP,
# hosts at the remote site presumably count as LAN for that rule and can reach
# the router's management services - confirm.
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
    in-interface-list=!LAN
# Forward chain (traffic routed through the router).
# NOTE(review): the only drop for new connections matches the WAN list
# (ether1). There is no final drop rule and nothing that restricts traffic
# between the LAN and the SSTP tunnel, so routed traffic in both directions
# is accepted by default.
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
# Source NAT: masquerade traffic leaving the WAN list, and also everything
# leaving any PPP interface (all-ppp), which includes the SSTP tunnel.
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
add action=masquerade chain=srcnat out-interface=all-ppp
/ip firewall service-port
set sip ports=5060,5061,5062,5063,5064 sip-direct-media=no
# Static routes to three remote subnets, all via 192.168.21.36 and all
# monitored with check-gateway=ping.
/ip route
add check-gateway=ping comment=\
    "Static route to 192.168.21.0/24 subnet for Office" distance=2 \
    dst-address=192.168.21.0/24 gateway=192.168.21.36
add check-gateway=ping comment=\
    "Static route to 192.168.100.0/24 subnet for !!!!!!!!" distance=2 \
    dst-address=192.168.100.0/24 gateway=192.168.21.36
add check-gateway=ping comment=\
    "Static route to 192.168.131.0/24 subnet for +++++++" distance=2 \
    dst-address=192.168.131.0/24 gateway=192.168.21.36
# Management services: telnet, ftp, www, api and api-ssl are disabled; winbox
# listens on a non-default (redacted) port.
# NOTE(review): ssh is not listed, so it is presumably still at its default,
# and no address= restriction is shown for winbox - confirm both.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set winbox port=!!!!!!!!
set api-ssl disabled=yes
/ip smb
set domain=!!!!!!!!!!
# NOTE(review): UPnP lets any host on Bridge.local request port mappings on
# ether1. Bridge.local also carries the guest VAPs and, while the tunnel is
# bridged, the remote site. Disable it unless a LAN device needs it.
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=Bridge.local type=internal
add interface=ether1 type=external
/system clock
set time-zone-name=Europe/Athens
/system identity
set name=!!!!!!_Faliro
/system ntp client
set enabled=yes primary-ntp=162.159.200.1 secondary-ntp=72.5.72.15
# The router also serves NTP; reachability is governed by the input chain.
/system ntp server
set enabled=yes
# NOTE(review): RoMON works at layer 2 and no /tool romon port restrictions
# appear in this export. Confirm that secrets are set and that it is limited
# to the interfaces that need it.
/tool romon
set enabled=yes

On the /ppp profile row default-encryption used by /interface sstp-client SSTP_ToOffice, the bridge property is set to Bridge.local. If a bridge value is also set on the ppp profile row used at the SSTP server side (where the /interface sstp-server server or the /ppp secret row may point to that profile), which I assume is the case, use of BCP is negotiated when the SSTP connection comes up, and an L2 tunnel between the two bridges is created. With the two bridges joined at L2, DHCP and ARP broadcasts from each site reach the other, which is why each router's DHCP server reacts to hosts and addresses that belong to the other network. So if this is not intended, just unset the bridge property on that /ppp profile row at either end, and the issue will be gone.

Thank you very much, it seems this was the case. I’ve changed it and so far everything is good.