hello,
if I have 2 RouterOS devices connected to each other and I want to hide the IP of one of them so that it does not appear in the ARP table,
how can I do this?
Why? If you remove it from the ARP table the IP will quit functioning.
create a static ARP entry in the one you want to hide from, using a bogus MAC address.
I agree with jakarras though - I don’t know what you’re trying to do, but there’s probably a better way to set things up so that such a strange thing isn’t required.
I want to hide it because of a security issue, can this happen or not?
ARP is an essential part of IP + Ethernet networking, so no - unless you’re prepared to create static ARP entries where required.
What is the security issue that you think a lack of ARP will solve?
My previous suggestion…
is the easiest way.
You could also block all traffic to/from the device’s MAC address, which would be much more secure than just blocking ARP.
/ip firewall filter
add chain=output dst-mac-address=xx:xx:xx:xx:xx:xx action=drop
add chain=input src-mac-address=xx:xx:xx:xx:xx:xx action=drop
Granted, this won’t interfere with ARP itself because ARP isn’t actually an IP protocol but an ethernet protocol, so you can only properly filter ARP on bridge interfaces using the bridge filters chains.
If you are concerned about someone finding the MAC address of the router, simple ethernet sniffing will reveal that, static MAC or not, because each ethernet header contains its source and destination MAC.
In addition to what docmarius points out, they can also create a static ARP entry on their device and then static routes to that IP address via their static ARP entry. (they don’t even have to use its real IP address because ethernet will deliver the frame to the router and then the router will simply route based on the destination IP address)
Finally, if the user is savvy enough, they can even change the MAC address on their device and do whatever they want.
Yes, but the ethernet frames from/to that router will still show the MAC address. So it is useless as a security measure.
Unless the goal is something else, security through obscurity is nonsense.
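To make the point in the two posts above concrete (every frame carries the MAC, so an ARP-table trick hides nothing), here is an added example that is not from the original thread: it parses a constructed ARP request frame and lists every MAC a passive listener on the segment learns from that single frame. The router MAC and IPs are made-up sample values.

```python
import struct

# Constructed sample frame (not a real capture): an ARP request that a
# router with hypothetical MAC 4c:5e:0c:aa:bb:cc and IP 192.168.88.1 would
# send when it needs the MAC of 192.168.88.10.
SAMPLE_FRAME = (
    bytes.fromhex("ffffffffffff")      # Ethernet destination: broadcast
    + bytes.fromhex("4c5e0caabbcc")    # Ethernet source: the router
    + bytes.fromhex("0806")            # EtherType: ARP
    + bytes.fromhex("0001")            # ARP hardware type: Ethernet
    + bytes.fromhex("0800")            # ARP protocol type: IPv4
    + bytes([6, 4])                    # hw addr len 6, proto addr len 4
    + bytes.fromhex("0001")            # opcode: request
    + bytes.fromhex("4c5e0caabbcc")    # sender MAC (the router again)
    + bytes([192, 168, 88, 1])         # sender IP
    + bytes.fromhex("000000000000")    # target MAC (unknown, zeros)
    + bytes([192, 168, 88, 10])        # target IP
)

def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)

def ip_str(b):
    return ".".join(str(x) for x in b)

def parse_frame(frame):
    """Decode the Ethernet header and, for EtherType 0x0806, the ARP body."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    etype = struct.unpack("!H", frame[12:14])[0]
    out = {"eth_dst": mac_str(frame[:6]), "eth_src": mac_str(frame[6:12]),
           "ethertype": etype}
    if etype == 0x0806 and len(frame) >= 42:
        htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
        if (htype, ptype, hlen, plen) == (1, 0x0800, 6, 4):
            out["arp"] = {
                "op": {1: "request", 2: "reply"}.get(op, op),
                "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
                "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42]),
            }
    return out

def macs_visible_on_wire(frame):
    """Every unicast MAC a passive listener learns from this one frame."""
    info = parse_frame(frame)
    seen = {info["eth_src"], info["eth_dst"]}
    if "arp" in info:
        seen.update({info["arp"]["sender_mac"], info["arp"]["target_mac"]})
    return sorted(seen - {"00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"})

if __name__ == "__main__":
    print(parse_frame(SAMPLE_FRAME))
    print("MACs exposed by a single frame:", macs_visible_on_wire(SAMPLE_FRAME))
```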
This is the best statement I’ve read on the forums all day!
That’s why doing input filter with src-mac-address=badguy, output filter with dst-mac-address=badguy, and two forward rules with one having src-mac-address=badguy and the other with dst-mac-address=badguy… this is the only way to stop the badguy’s device from talking to or forwarding traffic through the router - and then it’s possible that the user’s device allows MAC spoofing, in which case he can get to your router all day long and you can’t stop him with filters.