Mikrotik ARP Storm

Is there ANY way to limit ARP requests in MT??

Every so often I get slammed with my MT box doing thousands of ARP requests a second on my Public IP subnet.

I’m assuming this is coming from the internet, but I can’t find any way to limit or firewall this behaviour in Mikrotik.

Basically I’m a sitting duck for ARP attacks, right?

In your MT firewall, set the input chain to drop:

/ip firewall filter
add chain=input action=drop

Accept only the MAC addresses of your clients and reject all others.
You can achieve that by going to the interface the clients are connected to and setting ARP to reply-only:
/interface ethernet set local arp=reply-only

In this case none of the clients can communicate with your MT, not even you, so you should add your IP and MAC address to the ARP list as a static entry before doing this.

regards
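The order the reply above insists on (static entries first, then reply-only) written out as a RouterOS console script. This is an added example, not something posted in the thread; the interface name ether2, the 203.0.113.0/24 prefix and the MAC addresses are assumptions chosen for illustration.

```routeros
# Added example, not from the thread. Assumed layout (hypothetical):
#   ether2      = interface the customers hang off ("local" in the post above)
#   203.0.113.1 = the router's own address on that segment
#   203.0.113.10 / 203.0.113.11 = two customer hosts, MACs made up for the example

/ip address
add address=203.0.113.1/24 interface=ether2

# 1. Static ARP entries FIRST. Once the interface is reply-only the router will
#    never add a dynamic entry again, so any host missing here is unreachable,
#    including the admin box you are configuring from.
/ip arp
add address=203.0.113.10 mac-address=00:0C:42:00:00:01 interface=ether2 comment="customer A"
add address=203.0.113.11 mac-address=00:0C:42:00:00:02 interface=ether2 comment="admin workstation"

#    Alternative if the hosts are already talking to the router: freeze what has
#    been learned instead of typing every pair by hand. Review the list before
#    doing this, a spoofed entry would be frozen too.
/ip arp make-static [find dynamic interface=ether2]

# 2. Only now stop learning. reply-only means: answer ARP requests for our own
#    address, but never send requests and never learn from incoming replies.
/interface ethernet set ether2 arp=reply-only

# 3. Verify: every entry for ether2 should now show as static (no "D" flag).
/ip arp print where interface=ether2
```

If the customers get their addresses from the router's own DHCP server, `/ip dhcp-server set [find] add-arp=yes` makes the server install the ARP entry for each lease it hands out, which lets reply-only coexist with customers changing their MAC; that option is a suggestion of this editor, not something the thread discusses, and it only helps for DHCP clients.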

I can’t use static ARP since the customer is allowed to change their MAC.

Any other ideas??

I would like to see some of that, sounds like some bad misconfiguration somewhere. The only way RouterOS would make an ARP request is if it's trying to reach (initiate a connection to) the IPs it's ARPing for. Also, it would only ARP for addresses in the same subnet as its own interfaces. No packet from outside could trigger an ARP request. If RouterOS receives a packet from its own subnet it already knows the MAC and wouldn't make an ARP request, except maybe for spoofed IP addresses, but this you can filter in the firewall (check http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling#Sanity-check). If it comes from outside the WAN subnet, all RouterOS would ever ARP for is the MAC of the default GW.

Please post your config and show us some output from your sniffer.

Regards

Henrik
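The "sanity-check" filtering Henrik points at, as an added example and not part of the thread or of the linked wiki page: packets whose source address cannot legitimately arrive on the interface they came in on are dropped before the router would try to answer them, which is the case in which a spoofed source could make it ARP for an address that does not exist. Interface names and address ranges (ether1/ether2, 198.51.100.0/30, 203.0.113.0/24) are assumptions; adapt them to your layout, and put these rules above any accept rules.

```routeros
# Added example, not from the thread. Assumed layout (hypothetical):
#   ether1 = upstream link, router 198.51.100.2/30, default GW 198.51.100.1
#   ether2 = customer segment, the public subnet 203.0.113.0/24, router 203.0.113.1
# Rule of thumb: a source inside 203.0.113.0/24 may only arrive on ether2, and
# ether2 may only carry sources from 203.0.113.0/24. Everything else is spoofed
# or misrouted, so it is dropped rather than answered.

/ip firewall address-list
add list=our-public address=203.0.113.0/24
add list=bogons address=10.0.0.0/8      comment="RFC1918, never valid from upstream"
add list=bogons address=172.16.0.0/12   comment="RFC1918"
add list=bogons address=192.168.0.0/16  comment="RFC1918"
add list=bogons address=127.0.0.0/8     comment="loopback"
add list=bogons address=169.254.0.0/16  comment="link-local"

/ip firewall filter
# Our own subnet arriving from the upstream side is spoofed by definition.
add chain=input   in-interface=ether1 src-address-list=our-public action=drop \
    comment="sanity: our own subnet cannot come from upstream"
add chain=forward in-interface=ether1 src-address-list=our-public action=drop \
    comment="sanity: same, for transit traffic"
# The customer segment may only source addresses we actually route there.
# This also covers bogons on ether2, since they are not in our-public.
add chain=input   in-interface=ether2 src-address-list=!our-public action=drop \
    comment="sanity: customer segment may only source our subnet"
add chain=forward in-interface=ether2 src-address-list=!our-public action=drop
# Private / link-local sources have no business arriving from the upstream.
add chain=input   in-interface=ether1 src-address-list=bogons action=drop \
    comment="sanity: bogon sources from upstream"
add chain=forward in-interface=ether1 src-address-list=bogons action=drop

# Kernel-level equivalent (RouterOS v6): reverse-path filtering. strict drops
# anything whose source would not be routed back out the ingress interface,
# which breaks asymmetric routing; use loose if you have more than one upstream.
/ip settings set rp-filter=strict

# What to capture while a storm is running, so the thread has something to look at:
# ARP frames only, on the customer segment, plus the current table for that port.
/tool sniffer quick interface=ether2 mac-protocol=arp
/ip arp print where interface=ether2
```

The sniffer output is what tells you which of Henrik's cases applies: requests for addresses inside 203.0.113.0/24 that nobody owns point at spoofed sources or a scan of the subnet that the router is trying to answer, while requests for the upstream gateway alone point at a problem on the ether1 side.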