I’ve updated the main router in my school this week from 6.x to the latest 7.x version (7.4), and I’ve started noticing some problems that I hadn’t noticed in my lab environment:
I’ve been using the “reply-only” ARP option for many years on the interfaces of the laboratories of my school to increase security, assigning all the IPs from the MikroTik’s DHCP (static leases), and with the 6.x version, and previous versions, it has always worked perfectly.
Now the “reply-only” option seems to still be working, but I have some problems with the ARP table: many of the records in the table from those interfaces are marked as invalid, like this one:
I’ve tried deleting one of those invalid records from the ARP table and made the computer do a new DHCP request. I can see the lease on the DHCP server is bound, but nothing appears in the ARP table for that device.
I’ve double-checked the DHCP server configuration and the “Add ARP for leases” option is flagged.
Here is part of the configuration of one of the interfaces and the related DHCP server:
Hello,
the same for me, but it happens from time to time. All ARP entries are invalid. Devices are getting DHCP but have no internet access.
I was trying to make a supout file, but each time the CCR reboots after 32%.
I use hotspot on the bridge where bonding and VLANs are set up, and I had no such issue before upgrading from ROS 6 to 7.
I also had the same problem on version 7.9 when I turned on Reply-only ARP: the Hotspot login page didn’t work, and when I checked the ARP table it said Invalid.
Except this time the ARP record remains invalid even after a reboot. To get this fixed I had to remove and re-add the entry. Rebooted after each action, for good measure.
For me, the problem seems to occur immediately after the hotspot user appears in the active list. As a workaround, disabling the ARP entry and then enabling it using the following hotspot user-profiles On-Login script has solved the problem for now.
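# Static ARP entries that are currently enabled
:local arplist [/ip arp find where disabled=no]
:foreach i in=$arplist do={
    # $address is supplied by the hotspot On-Login context (the client's IP)
    :if ([/ip arp get $i address] = $address) do={
        # Toggle the entry so it is re-installed and no longer invalid
        /ip arp disable $i
        /ip arp enable $i
    }
}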
To add the script to all Hotspot users (removes current On-Login scripts):
The above script works only for static ARP entries. A workaround for dynamic entries is to disable and enable add-arp-for-leases on the DHCP server.
Here is a script that works for both (removes current On-Login scripts):
/ip hotspot user profile set [find] on-login="Fix_arp_schedule"
/system script add dont-require-permissions=no name=Fix_arp owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source=":lo\
cal darplist [/ip arp find where invalid=yes and dynamic=yes]\r\
\nif ( [:len \$darplist] > 0 ) do={ \r\
\n:log info [:len \$darplist]\r\
\n:local dlist [/ip dhcp-server find where add-arp=yes and disabled=no]; \r\
\n/ip dhcp-server set \$dlist add-arp=no; \r\
\n/ip dhcp-server set \$dlist add-arp=yes; }\r\
\n\r\
\n\r\
\n:local sarplist [/ip arp find where invalid=yes and dynamic=no and disable\
d=no]\r\
\nif ( [:len \$sarplist] > 0 ) do={ \r\
\n/ip arp disable \$sarplist;\r\
\n/ip arp enable \$sarplist;\r\
\n}"
/system script add dont-require-permissions=no name=Fix_arp_schedule owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/\
system scheduler add name=Fix_arp interval=00:00:01 on-event=\"/system sch\
eduler remove Fix_arp;/system script run Fix_arp;\""
/system scheduler add disabled=no interval=5s name=FixArp on-event=Fix_arp policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon
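
An added diagnostic example, not part of any post in this thread: with reply-only ARP, a client with a bound lease but a missing or invalid ARP entry gets no replies from the router, which is the symptom reported above. This Python script cross-checks pasted `/ip arp print terse` and `/ip dhcp-server lease print terse` output; the `<index> <flags> key=value` layout, the `I` flag letter and all sample rows are assumptions constructed for illustration.

```python
import re

# Constructed sample data; the terse layout and flag letters are assumptions.
ARP_TERSE = """\
 0 DC address=10.10.1.11 mac-address=AA:BB:CC:00:00:11 interface=lab1
 1 DI address=10.10.1.12 mac-address=AA:BB:CC:00:00:12 interface=lab1
 2 I address=10.10.1.13 mac-address=AA:BB:CC:00:00:13 interface=lab1
"""
LEASE_TERSE = """\
 0 address=10.10.1.11 mac-address=AA:BB:CC:00:00:11 server=lab1-dhcp status=bound
 1 address=10.10.1.12 mac-address=AA:BB:CC:00:00:12 server=lab1-dhcp status=bound
 2 address=10.10.1.13 mac-address=AA:BB:CC:00:00:13 server=lab1-dhcp status=bound
 3 address=10.10.1.14 mac-address=AA:BB:CC:00:00:14 server=lab1-dhcp status=bound
 4 address=10.10.1.15 mac-address=AA:BB:CC:00:00:15 server=lab1-dhcp status=waiting
"""
ROW = re.compile(r"^\s*\d+\s+(.*)$")

def parse_terse(text):
    """Return a list of (flags, fields) tuples, one per numbered row."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        tokens = m.group(1).split()
        # A first token without '=' is the flag column (e.g. "DC", "DI").
        flags = tokens.pop(0) if tokens and "=" not in tokens[0] else ""
        rows.append((flags, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rows

def audit(arp_text, lease_text):
    """List (ip, reason) for bound leases that lack a usable ARP entry."""
    arp = {f["address"]: (fl, f) for fl, f in parse_terse(arp_text) if "address" in f}
    findings = []
    for _, lease in parse_terse(lease_text):
        if lease.get("status") != "bound" or "address" not in lease:
            continue
        ip = lease["address"]
        if ip not in arp:
            findings.append((ip, "missing"))
            continue
        flags, entry = arp[ip]
        if "I" in flags:
            findings.append((ip, "invalid"))
        elif entry.get("mac-address", "").upper() != lease.get("mac-address", "").upper():
            findings.append((ip, "mac-mismatch"))
    return findings

if __name__ == "__main__":
    for ip, reason in audit(ARP_TERSE, LEASE_TERSE):
        print(f"{ip}: bound lease, ARP entry {reason}")
```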