Issue with ARP in a bridge

Hello all,

I have an issue with ARP which I’m not able to fix, so I hope someone here will understand what’s happening.

I have a Mikrotik router running RouterOS v6.48.6 which provides DHCP service for my LAN and has one interface (ether1) connected to the ISP’s router. All the other interfaces, including two wifi ones, are members of a bridge.

Connected to ether5 I have an unmanaged switch and, attached to it, another AP.

Clients (wired and wifi) connected to that AP often cannot reach the internet because they cannot resolve the default gateway’s ARP address. This address is on the bridge interface, which of course has ARP activated.

With packet sniffer on the router I can see the ARP requests for it, but it seems I cannot see the replies.

Putting a static entry on client machines solves the issue. The issue happens with PCs and phones, m$ and linux, with static and DHCP assigned IPs, wired or wifi, and I’ve changed 3 different APs. I suspect, but it is harder to be 100% sure, it happens also on a TV box which is directly wired into the switch (I cannot set static ARP entries on that).

jun/10/2023 16:03:30 by RouterOS 6.48.6

/interface bridge
add admin-mac=02:00:00:00:01:01 auto-mac=no comment=Bridge fast-forward=no name=bridge
/interface ethernet
set [ find default-name=ether1 ] comment="Link verso Internet"
set [ find default-name=ether2 ] comment="Link verso SmartTV"
set [ find default-name=ether5 ] comment="Link verso la cucina"
/interface 6to4
add !keepalive local-address=192.168.1.1 name=6rd remote-address=81.208.50.214
/interface vlan
add interface=bridge name=guest vlan-id=2
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=REDACTED supplicant-identity="" wpa2-pre-shared-key=REDACTED
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name="REDACTED " supplicant-identity="" wpa2-pre-shared-key=REDACTED
add authentication-types=wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=REDACTED supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa2-pre-shared-key=REDACTED
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-g/n country=italy disabled=no distance=indoors installation=indoor mode=ap-bridge security-profile=REDACTED ssid=REDACTED station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
set [ find default-name=wlan2 ] adaptive-noise-immunity=ap-and-client-mode band=5ghz-a/n/ac channel-width=20/40/80mhz-XXXX country=italy disabled=no frequency=5640 installation=indoor mode=ap-bridge security-profile=REDACTED ssid=REDACTED station-roaming=enabled wireless-protocol=802.11 wmm-support=enabled wps-mode=disabled
add mac-address=RE:DA:CT:ED:F7:43 master-interface=wlan1 name=wlan3 security-profile=LREDACTED ssid=REDACTED vlan-id=2 wds-default-bridge=bridge wps-mode=disabled
add mac-address=RE:DA:CT:ED:F7:44 master-interface=wlan2 name=wlan4 security-profile=REDACTED ssid=REDACTED vlan-id=2 wds-default-bridge=bridge wps-mode=disabled
add keepalive-frames=disabled mac-address=RE:DA:CT:ED:F7:41 master-interface=wlan1 mode=station multicast-buffering=disabled name=REDACTED security-profile=REDACTED ssid="REDACTED" station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
add mac-address=RE:DA:CT:ED:F7:42 master-interface=wlan1 mode=station multicast-buffering=disabled name=hotspot-work security-profile="REDACTED" ssid=REDACTED station-roaming=enabled wds-cost-range=0 wds-default-cost=0 wps-mode=disabled
/ip pool
add name=std-pool ranges=172.30.2.100-172.30.2.199
add name=docker-macvlan ranges=172.30.2.32/27
add name=guest-pool ranges=192.168.0.1-192.168.0.9
/ip dhcp-server
add address-pool=std-pool disabled=no interface=bridge name=dhcp-main
add address-pool=guest-pool disabled=no name=server1
/user group
set full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api,romon,dude,tikapp
/interface bridge port
add bridge=bridge comment=defconf hw=no interface=ether2
add bridge=bridge comment=defconf interface=ether3
add bridge=bridge comment=defconf interface=ether4
add bridge=bridge comment=defconf interface=ether5
add bridge=bridge comment=defconf interface=wlan1
add bridge=bridge comment=defconf interface=wlan2
add interface=wlan3 pvid=2
add interface=wlan4 pvid=2
/interface bridge settings
set allow-fast-path=no use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=yes
/ip firewall connection tracking
set enabled=yes icmp-timeout=30s loose-tcp-tracking=no tcp-close-timeout=30s tcp-close-wait-timeout=1m tcp-established-timeout=5d tcp-fin-wait-timeout=2m tcp-last-ack-timeout=30s tcp-syn-received-timeout=2m tcp-syn-sent-timeout=1m tcp-time-wait-timeout=2m tcp-unacked-timeout=1d5m udp-stream-timeout=30s
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add interface=bridge list=LAN
add interface=ether1 list=WAN
add interface=6rd list=WAN
/interface wireless connect-list
add disabled=yes interface=REDACTED security-profile=REDACTED ssid="REDACTED"
add disabled=yes interface=REDACTED security-profile=REDACTED ssid="REDACTED"
/ip address
add address=172.30.2.250/24 interface=bridge network=172.30.2.0
add address=192.168.1.1/24 interface=ether1 network=192.168.1.0
add address=192.168.0.254/24 network=192.168.0.0
add address=172.30.2.99/24 interface=bridge network=172.30.2.0
/ip cloud
set update-time=no
/ip dhcp-client
add default-route-distance=3 disabled=no interface=REDACTED use-peer-dns=no use-peer-ntp=no
add default-route-distance=2 !dhcp-options disabled=no interface=REDACTED use-peer-dns=no use-peer-ntp=no
/ip dhcp-server config
set store-leases-disk=never
/ip dhcp-server network
add address=172.30.2.0/24 dns-server=172.30.2.250 gateway=172.30.2.250 netmask=24 ntp-server=172.30.2.200
add address=192.168.0.0/24 dns-server=192.168.0.254 gateway=192.168.0.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=52w1d10m servers=2001:4860:4860::8888,2001:4860:4860::8844,8.8.8.8,8.8.4.4

/ip ipsec policy
set 0 disabled=yes
/ip proxy
set anonymous=yes
/ip proxy access
add src-address=0.0.0.0
/ip route
add check-gateway=ping distance=10 gateway=192.168.1.254
add distance=1 dst-address=10.0.0.0/8 type=blackhole
add distance=1 dst-address=100.64.0.0/16 gateway=172.30.2.200
add distance=1 dst-address=172.16.0.0/12 type=blackhole
add distance=1 dst-address=172.31.0.0/16 gateway=172.30.2.200
add distance=1 dst-address=192.168.0.0/16 type=blackhole
/ip socks
set connection-idle-timeout=1h30m enabled=yes
/ip socks access
add dst-port=80 src-address=172.30.2.0/24
add dst-port=443 src-address=172.30.2.0/24
/ipv6 address
add address=REDACTED advertise=no interface=6rd
add address=REDACTED interface=bridge
add address=REDACTED advertise=no comment=Mio disabled=yes interface=bridge

/ipv6 nd
set [ find default=yes ] advertise-dns=no disabled=yes ra-interval=1m-2m ra-lifetime=3m
add advertise-dns=no interface=bridge ra-interval=20s-1m ra-lifetime=2m
add disabled=yes managed-address-configuration=yes other-configuration=yes ra-interval=20s-1m ra-lifetime=2m
/ipv6 nd prefix
add autonomous=no preferred-lifetime=5m valid-lifetime=10m
/ipv6 nd prefix default
set preferred-lifetime=5m valid-lifetime=10m
/ipv6 route
add distance=1 dst-address=2000::/3 gateway=6rd
/system clock
set time-zone-name=Europe/Rome
/system identity
set name=GW-250
/system ntp client
set enabled=yes primary-ntp=193.204.114.232 secondary-ntp=193.204.114.233
/system package update
set channel=long-term
/tool graphing interface
add interface=ether1
add interface=6rd
/tool graphing resource
add
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool sniffer
set filter-operator-between-entries=and filter-stream=yes streaming-enabled=yes streaming-server=172.30.2.200

I’ve redacted SSIDs and passwords. I’ve also altered the MAC addresses for wifi interfaces, changing only the first 12 bytes and leaving the remaining 4 intact. The bridge MAC address was set to static just to help in the troubleshooting. Previously it was automatically assigned and the issue was present. I’ve now set it to a legit, unique, static and easy to remember address (02:00:00:00:01:01).

I’ve also cut out both IPv4 and IPv6 firewall and address lists: since the issue is on ARP I think those aren’t relevant.

Please let me understand this issue: I really have no idea. Any help appreciated. Also, if needed, I can perform some tests.

Thanks,
Radel

Is there really no one willing to help me with the troubleshooting?

I really have no idea: since I suspect the issue is in the bridge I’m tempted to disable the wlan and remove the bridge, but that would really be a pity…

Please!

Thanks,
Radel

Try to set proxy ARP on bridge. See https://wiki.mikrotik.com/wiki/Manual:IP/ARP#Proxy_ARP

Hello!

First of all thanks for your help!

I’ve tried proxy-arp, but the issue is still there. I tried on the bridge first, then on the member interface just to be sure, because I don’t know how MT behaves with these settings on the parent and/or child devices.

I’ve used proxy-arp before (on linux, not on MT), but for other reasons (a firewall in a DMZ filtering between different hosts in the same L2 and L3 networks). If only I had a MT router back then…

In this setup I expect the router to naturally reply on an ARP request for one of its IPs: I’ve seen the arp request in a trace, so I’m sure the request arrives, but I cannot see the reply going out.

For the record: I’ve already tried to enable the “ARP for leases” setting in DHCP, but it didn’t help. That was a desperate move, since MT’s ARP table is populated: the issue is in the client’s table.

In case anyone wonders… I revert any attempt if it fails: I don’t want a malfunctioning router full of weird configs which interact in unexpected ways between each other and with my network.

Any other ideas?

Thanks,
Radel

I recommend you use netinstall to install the current version of RouterOS (6.49.10 if you want to remain on v6, otherwise 7.11.2) and then reconfigure your router by pasting the export into a command prompt section by section.
Or even better by manually configuring again what you really need to have. NOT by loading a backup.

Everything should work fine but apparently something internally went wrong.

This is a bit late. I had a similar issue, so I’ll put my fix here for posterity.

Clearing the arp cache on my Windows machine caused the gateway to become unreachable. I could see the ARPs leaving the machine in wireshark, but no response was returned. I enabled “broadcast flood” on my bridged interfaces, and I was immediately able to receive ARP responses.

Mikrotik documentation on broadcast-flood states:

“When enabled, bridge floods broadcast traffic to all bridge egress ports. When disabled, drops broadcast traffic on egress ports. Can be used to filter all broadcast traffic on an egress port. Broadcast traffic is considered as traffic that uses FF:FF:FF:FF:FF:FF as destination MAC address, such traffic is crucial for many protocols such as DHCP, ARP, NDP, BOOTP (Netinstall), and others.”

ARP uses that broadcast MAC address so the ARP requests were being filtered before reaching the gateway.
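To make the two observations above concrete (the original poster sees ARP requests arrive at the router but never sees replies leave; the later poster finds that broadcast-flood on the bridge ports decides whether requests get through at all), here is an added example that is not part of the thread and not MikroTik code. It builds the ARP request/reply pair a client and the gateway would exchange, parses both frames, and runs them through a small model of the documented broadcast-flood rule (broadcast destination FF:FF:FF:FF:FF:FF is dropped on an egress port when the flag is off). The client MAC and IP are constructed; the gateway values are taken from the export in the first post. The model is a simplification and makes no claim about RouterOS internals beyond the quoted documentation.

```python
"""Added example: ARP request/reply through a bridge port with and without
broadcast-flood. Constructed for illustration; not code from the thread."""
import struct

BROADCAST = bytes.fromhex("ffffffffffff")
ETHERTYPE_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2

# Gateway values are from the posted export; the client values are constructed.
GATEWAY_MAC = bytes.fromhex("020000000101")   # bridge admin-mac in the export
GATEWAY_IP = "172.30.2.250"
CLIENT_MAC = bytes.fromhex("0200000000aa")    # constructed
CLIENT_IP = "172.30.2.150"                    # constructed, inside std-pool


def ip_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def build_arp(opcode: int, sha: bytes, spa: str, tha: bytes, tpa: str, dst_mac: bytes) -> bytes:
    """Ethernet II frame carrying an RFC 826 ARP packet for Ethernet/IPv4."""
    eth_header = dst_mac + sha + struct.pack("!H", ETHERTYPE_ARP)
    arp_header = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    return eth_header + arp_header + sha + ip_bytes(spa) + tha + ip_bytes(tpa)


def parse_arp(frame: bytes) -> dict:
    """Decode the Ethernet and ARP headers; raise on anything that is not plain ARP."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_ARP:
        raise ValueError("not an ARP frame")
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol types")
    body = frame[22:42]
    return {
        "dst_mac": dst_mac, "src_mac": src_mac, "opcode": opcode,
        "sha": body[:6], "spa": ".".join(map(str, body[6:10])),
        "tha": body[10:16], "tpa": ".".join(map(str, body[16:20])),
    }


def egress_allows(frame: bytes, broadcast_flood: bool) -> bool:
    """Model of the documented rule: with broadcast-flood off, frames whose
    destination is FF:FF:FF:FF:FF:FF are dropped on the egress port."""
    if frame[:6] == BROADCAST:
        return broadcast_flood
    return True


def arp_exchange(broadcast_flood: bool) -> dict:
    """Simulate one client lookup of the gateway across a bridge port."""
    request = build_arp(ARP_REQUEST, CLIENT_MAC, CLIENT_IP, bytes(6), GATEWAY_IP, BROADCAST)
    if not egress_allows(request, broadcast_flood):
        # Request never reaches the gateway side, so there is nothing to answer.
        return {"request_delivered": False, "reply_seen": False, "reply_unicast": None}
    req = parse_arp(request)
    # The router answers only when the target protocol address is its own
    # (proxy-ARP, which the thread also tried, widens this condition).
    if req["opcode"] != ARP_REQUEST or req["tpa"] != GATEWAY_IP:
        return {"request_delivered": True, "reply_seen": False, "reply_unicast": None}
    reply = build_arp(ARP_REPLY, GATEWAY_MAC, GATEWAY_IP, req["sha"], req["spa"], req["sha"])
    return {
        "request_delivered": True,
        # The reply is unicast to the requester's MAC, so it is unaffected by broadcast-flood.
        "reply_seen": egress_allows(reply, broadcast_flood),
        "reply_unicast": parse_arp(reply)["dst_mac"] == CLIENT_MAC,
    }


if __name__ == "__main__":
    for flag in (True, False):
        print(f"broadcast-flood={'yes' if flag else 'no'}: {arp_exchange(flag)}")
```

Running the block shows the asymmetry the thread is about: the request is a broadcast frame and is the only part of the exchange the flag can suppress, while the reply is unicast and passes either way. A capture that shows requests but no replies is therefore consistent with the request being dropped at a port before the router gets to answer, which is why checking the per-port bridge settings is a cheaper first step than reinstalling.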

I have the same problem but my router already has Broadcast Flood enabled.
Model RB951G-2HnD
I exported the configuration and checked every line, nothing strange found. I have over 60 Mikrotik routers and about 9 years experience with them but it is the first time I have seen such a problem.
I cannot reinstall RouterOS anytime soon because I won’t have physical access to it for another 4 months.