interface arp 'reply-only' and more than one ip prefix

lmatys · October 24, 2013, 2:55pm

Hello. I can observe strange problem, on CCR and 6.4/6.5 ROS version.
We set up interfaces ‘arp reply-only’ to force clients using dhcp (dhcp server adds static arp entries for each dhcp client, and simple queue).

So, if the interface had only one ip prefix, for example: 10.10.10.1/24 the clients which obtain ip address from dhcp server have L2 communication (hosts resolve mac address od the 10.10.10.1 and can ping 10.10.10.1).

The problem is when the interface has two or more ip prefixes, for example:

10.10.10.1/24
192.168.10.1/24

And now, the clients from 10.10.10.0/24 network obtain ip address from dhcp server, can resolve mac adress of the 10.10.10.1 and then ping it.

But the client from network 192.168.10.0/24 can obtain ip address, BUT CAN NOT resolve mac address of the 192.168.10.1.
The address 192.168.10.1 do not respond for the arp request who has 192.168.10.1 ?!?!

If I deleted the prefix 10.10.10.1/24, and then have only one 192.168.10.1/24, then the clients from network 192.168.10.0/24 can resolve mac address of the 192.168.10.1 and next ping it.

Any ideas ?
Best Regards.

Feklar · October 24, 2013, 5:52pm

From your description, you have 2 DHCP servers running on the same layer2 interface. How does the router know what address range to hand out to guests? You’ll probably want to post an export of your configuration so people can see what is going on.

lmatys · October 24, 2013, 6:01pm

The router uses radius serwer to set up ip adresses to the hosts and simple queues.

/interface vlan
add interface=ether2 l2mtu=1586 name=vlan10 vlan-id=10
add interface=ether2 l2mtu=1586 name=vlan20 vlan-id=20
add interface=ether2 l2mtu=1586 name=vlan30 vlan-id=30
add interface=ether2 l2mtu=1586 name=vlan40 vlan-id=40
add interface=ether2 l2mtu=1586 name=vlan50 vlan-id=50

/ip dhcp-server
add add-arp=yes disabled=no interface=vlan10 lease-time=1h name=server1 use-radius=yes
add add-arp=yes disabled=no interface=vlan20 lease-time=1h name=server2 use-radius=yes
add add-arp=yes disabled=no interface=vlan30 lease-time=1h name=server3 use-radius=yes
add add-arp=yes disabled=no interface=vlan40 lease-time=1h name=server4 use-radius=yes
add add-arp=yes disabled=no interface=vlan50 lease-time=1h name=server5 use-radius=yes

/ip address
add address=192.168.201.1/24 interface=vlan10 network=192.168.201.0
add address=10.10.201.1/24 interface=vlan10 network=10.10.201.0
add address=192.168.202.1/24 interface=vlan20 network=192.168.202.0
add address=10.10.202.1/24 interface=vlan20 network=10.10.202.0
add address=192.168.203.1/24 interface=vlan30 network=192.168.203.0
add address=10.10.203.1/24 interface=vlan30 network=10.10.203.0
add address=192.168.204.1/24 interface=vlan40 network=192.168.204.0
add address=10.10.204.1/24 interface=vlan40 network=10.10.204.0
add address=192.168.205.1/24 interface=vlan50 network=192.168.205.0
add address=10.10.205.1/24 interface=vlan50 network=10.10.205.0

/ip dhcp-server network
add address=192.168.201.0/24 dns-server=1.1.1.1,2.2.2.2 gateway=192.168.201.1 netmask=24 ntp-server=1.1.1.1,2.2.2.2
add address=192.168.202.0/24 dns-server=1.1.1.1,2.2.2.2 gateway=192.168.202.1 netmask=24 ntp-server=1.1.1.1,2.2.2.2
add address=192.168.203.0/24 dns-server=1.1.1.1,2.2.2.2 gateway=192.168.203.1 netmask=24 ntp-server=1.1.1.1,2.2.2.2
add address=192.168.204.0/24 dns-server=1.1.1.1,2.2.2.2 gateway=192.168.204.1 netmask=24 ntp-server=1.1.1.1,2.2.2.2
add address=192.168.205.0/24 dns-server=1.1.1.1,2.2.2.2 gateway=192.168.205.1 netmask=24 ntp-server=1.1.1.1,2.2.2.2

/radius
add address=4.4.4.4 secret=secret service=ppp,login,dhcp
add address=5.5.5.5 secret=secret service=ppp,login,dhcp

/user aaa
set use-radius=yes

/ppp aaa
set use-radius=yes

Best regards.

Feklar · October 24, 2013, 6:26pm

When someone gets a 192 lease do they show up in the ARP table of the MikroTik? If you statically assign them an ARP entry, are they then able to talk to the router on that subnet?

lmatys · October 24, 2013, 6:36pm

After getting the lease, I can see arp entry of the host in the arp table
I will test it, and let you know.

Regards.

lmatys · October 25, 2013, 7:50am

Hello. I can confirm, that even adding arp entry by hand, there is no L2 communication between the hosts.
Can anybody check it?

I have the same situation at the different segments of the network, with complete different equipment using CCR.
Regards.

Feklar · October 25, 2013, 3:00pm

I’m not really sure what else to check or try. Could you try a different board to see if it’s tied to just the CCR? The best thing to do right now would probably be to contact support@mikrotik.com.

lmatys · October 25, 2013, 3:10pm

I sent it to the support. I will try to check it on the different board.
Best regards.

lmatys · November 5, 2013, 12:29pm

Info from Mikrotik Support:

"Hello,

Yes, I reproduced it with success.
ARP reply-only problem will be fixed in RouterOS v6.6

Regards,"

Regards.