Mikrotik/Unifi WiFi DHCP Exhaustion?

Got a weird issue on my CCR2004 (v7.15.1). The WiFi I use is UniFi. It seems that when a mobile device (Android or Apple) joins my Guest WiFi, it takes up 5 or 6 DHCP leases with MAC address 00:00:00:00:00:00 and then eventually gets an IP address. I only noticed it today because I was unable to connect to the guest WiFi and noticed I was getting a 169 address. I checked and all 254 addresses were taken up, the majority of which were taken up by 00:00:00:00:00:00. Changed the Guest WiFi PSK just in case I had been compromised, which stopped the ARP conflict errors in my logs and allowed everything to go back to normal, but then once I and a few others rejoined I started seeing loads of ARP conflict errors and 00:00:00:00:00:00 DHCP leases.

Has anyone seen this before? Is there anything I can do to stop the mobile devices exhibiting this behaviour? Annoyingly I’m not sure if the devices are rejecting the leases or something like that.

Edit: The ARP conflict messages seem to show MAC addresses that aren’t present on my network, but they are definitely private MAC addresses that you would normally see on iPhones without fixed MACs.

There have been some cases like that here over the years.

The issues that I remember were caused by:

  • vlan config problems on or between the Mikrotik and Ubiquiti
  • Rogue DHCP servers
  • Incorrect Guest WiFi configs

Probably the best way to get help from the VLAN/wifi experts here is to export your config (minus s/n and other personal stuff) and post it along with a quick diagram of your setup, details on the Unifi WiFi and any errors you are seeing.

On your UniFi controller, check the setting of the WiFi networks, do you have settings such as "Proxy ARP" or "Multicast and Broadcast Control" active? If yes, try to turn them off. If you turn on "Multicast and Broadcast Control", then you'll need to add the MAC addresses of the router to the exception list.


Proxy-ARP appears to have been the culprit, thank you!

Out of interest, why would that have been the case? Just an increased amount of ARP traffic?

Do you have some special settings for your DHCP lease time (like unusually long or short)?

With WiFi, sending broadcast and multicast packets is a very "expensive" operation, because those must be sent at the lowest common data rate (for example 6 Mbps or even only 1 Mbps), which means it takes significantly more airtime (which is shared among all clients) to send fewer packets, compared to normal unicast traffic. So the access point systems will have several tricks and settings to try to minimize broadcast and multicast traffic.

ARP is broadcast: hosts send messages to everyone to discover which MAC address is associated with a particular IP address. On UniFi APs, when you turn on Proxy ARP (which is not the same as the proxy-arp mode on RouterOS!), the AP will read the ARP responses and remember which IP addresses are currently associated with which MAC address. Later, when it sees an ARP query broadcast message, if the address is already in its cached list, it will send the ARP response directly, without having to forward the broadcast packet to all the clients and relaying the response. This reduces broadcast traffic, even more so if there are many clients.

On RouterOS the DHCP server has a conflict-detection setting that is by default yes. When the setting is active, and the DHCP server gets a request from a DHCP client for a lease, after getting an available IP address from the address pool, the DHCP server will send an ARP broadcast asking "who has this IP address". If it gets back a response, and the MAC address in the response doesn't match the MAC address of the DHCP client, then it's considered that the address is currently used by another device, which is a conflict. It probably creates the lease with the 00:00:00:00:00:00 MAC address to remember this (address in use) and asks the pool for a new IP address and retries.

My guess is that the UniFi APs are caching the ARP entries for too long, longer than the configured DHCP lease time on RouterOS, or if not that, caching them long after the devices have disconnected/left the network. So, while on RouterOS an address is already marked as free/available, it's still in the Proxy ARP cache of the UniFi APs. When the DHCP server tries to give that address to the DHCP client, and sends the ARP broadcast, the access point responds with the MAC address of the previous owner, and the RouterOS DHCP server has to mark the address as used and pick a new one.

In my networks with UniFi APs and RouterOS routers I don't have Proxy ARP turned on in UniFi. But on the router, I usually turn on "Add ARP For Leases" on the DHCP server instances, and then set the ARP mode of the bridges and VLAN interfaces to reply-only. With this reply-only setting the router will never send ARP queries on the interfaces and will only trust its own ARP table, which has entries populated by the DHCP server, as well as manually added static ARP entries for every device not using DHCP. This helps reduce ARP traffic, while also adding a bit more security.

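As an added illustration (not code from this thread, nor MikroTik's or Ubiquiti's), here is a small Python model of the mechanism explained above: a DHCP server with conflict detection probing each candidate address, and an AP-side Proxy ARP cache answering for devices that have already left. The pool, the MAC addresses, the cache TTLs and the assumption that a conflict placeholder lease is held for one lease time are all constructed for the model.

```python
# Model of RouterOS DHCP conflict detection colliding with an AP Proxy-ARP cache
# that remembers IP-to-MAC bindings longer than the DHCP lease time.
# All values below are constructed for the simulation.
from dataclasses import dataclass, field

ZERO_MAC = "00:00:00:00:00:00"   # MAC shown on RouterOS conflict-marked leases


@dataclass
class ProxyArpCache:
    """AP-side Proxy ARP: answers ARP queries from a snooped IP->MAC table."""
    ttl: int                                      # 0 = Proxy ARP disabled on the AP
    entries: dict = field(default_factory=dict)   # ip -> (mac, expires_at)

    def learn(self, ip, mac, now):
        if self.ttl > 0:
            self.entries[ip] = (mac, now + self.ttl)

    def answer(self, ip, now):
        mac, expires = self.entries.get(ip, (None, 0))
        return mac if expires > now else None


@dataclass
class DhcpServer:
    """RouterOS-style DHCP server with conflict-detection=yes."""
    pool: list
    lease_time: int
    leases: dict = field(default_factory=dict)    # ip -> (mac, expires_at)
    conflicts: int = 0                            # placeholder leases created

    def expire(self, now):
        self.leases = {ip: v for ip, v in self.leases.items() if v[1] > now}

    def offer(self, client_mac, now, arp_probe):
        """Walk the pool; probe each free address; hold conflicting ones and move on."""
        for ip in self.pool:
            if ip in self.leases:
                continue
            owner = arp_probe(ip)                 # "who has <ip>?" broadcast
            if owner is not None and owner != client_mac:
                # Assumption: the 00:00:00:00:00:00 placeholder lives one lease time.
                self.leases[ip] = (ZERO_MAC, now + self.lease_time)
                self.conflicts += 1
                continue
            self.leases[ip] = (client_mac, now + self.lease_time)
            return ip
        return None                               # pool exhausted


def simulate(proxy_ttl, steps=24, pool_size=12, lease_time=10, stay=3):
    """One new guest device joins per step and stays `stay` steps. Returns counters."""
    pool = [f"10.21.1.{50 + i}" for i in range(pool_size)]   # constructed pool
    cache = ProxyArpCache(ttl=proxy_ttl)
    server = DhcpServer(pool, lease_time)
    online = {}                                    # ip -> (mac, leaves_at)
    served = failed = 0
    for now in range(steps):
        online = {ip: v for ip, v in online.items() if v[1] > now}
        server.expire(now)
        mac = f"02:00:00:00:00:{now:02x}"          # constructed private-style MAC

        def probe(ip):
            # A device still online answers for itself; otherwise the AP's
            # Proxy ARP cache may answer on behalf of a device that already left.
            return online[ip][0] if ip in online else cache.answer(ip, now)

        ip = server.offer(mac, now, probe)
        if ip is None:
            failed += 1                            # client falls back to 169.254.x.x
            continue
        online[ip] = (mac, now + stay)
        cache.learn(ip, mac, now)                  # AP snoops the client's ARP reply
        served += 1
    return {"served": served, "failed": failed, "conflicts": server.conflicts,
            "zero_mac_leases": sum(1 for m, _ in server.leases.values() if m == ZERO_MAC)}


if __name__ == "__main__":
    for ttl in (0, 5, 30):   # Proxy ARP off, cache shorter than lease, cache longer than lease
        print(f"proxy-arp ttl={ttl:2d}:", simulate(ttl))
```

With the cache TTL longer than the lease time (ttl=30) the 12-address pool ends up holding nothing but 00:00:00:00:00:00 placeholders and half the joins fail; with Proxy ARP off or a cache TTL shorter than the lease time, every join succeeds and no placeholder is ever created.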

Thanks a lot! Really helpful and detailed response.

Interesting stuff here. It really does seem that Ubiquiti proxy-arp is the root cause here, but I wonder about the mechanism.

Looking around one of my access points, I can't find any setting for the ARP cache timeouts in the GUI, and if you go to the CLI all the ARP settings are in line with Linux defaults (~30 seconds for gc_stale_time, base_reachable_time and gc_interval). ARP entries should time out within a minute or two. I wonder how it gets entries for all of the available DHCP addresses? Perhaps a bug, or maybe some feedback loop with the dhcp-server?

Guess the moral of the story is turn off proxy-arp unless you really really need it.

Greetings. Same issue here. L009 with a Cisco 150ax AP for wifi. DHCP leases are not being recycled. Seems they are held until the device returns to give it the same IP. In the Cisco WAP, there isn’t a proxy-arp setting to check.

In the router, I tried to set the bridge to “reply-only” for ARP, but it killed the entire network: everything became unreachable and stopped transmitting. Setting this back to “enabled” brought everything back online.

Not sure why the router is holding the DHCP IPs. Out of a pool of 204 available IPs, it’s down to about 60 available. Anyone new that connects, well, just depletes the pool. The customers do not return on a daily basis. But when they do, they seem to get the same IP as the initial IP obtained a week or two ago. A reboot did nothing for this. Same result.

RouterOS 7.19.6
DHCP Lease time: 10min

Before switching the ARP mode on the bridge or VLAN interfaces to reply-only you have to make sure that the DHCP servers all have Add ARP For Leases turned on, so that they can populate the RouterOS ARP table with the content from the leases. For all devices that don't use DHCP but have manual address assignment, you'll also need to go to IP -> ARP and manually add corresponding static entries. Only then can you change the mode to reply-only. I did mention this in the previous post, but was not clear enough.

Without the necessary entries in the ARP table (either through Add ARP For Leases or manually added) the router doesn't know which MAC address to use when having to talk to IP addresses, because it doesn't send ARP broadcast anymore. That's what you could observe with:

Thank you for the reply. You were clear in your post, I wasn’t clear in my post. Apologies for that.

I assign static addresses via the DHCP server. There are about 13 devices statically assigned via DHCP, the rest of the /24 block are acquired dynamically. Add arp for leases has been turned on since inception, a while now. There are no VLANs in this setup yet.

Below is the dhcp server configured:
/ip dhcp-server add add-arp=yes address-pool=LAN interface="Lan Bridge" lease-time=10m name=dhcp1 use-reconfigure=yes

Not sure why these aren’t displayed in the export above, but also enabled are the below:
Use framed as classless
Conflict detection

MikroTik normally exports only settings that differ from the default; try with the verbose parameter.

Greetings. Thank you. I have exported the config with verbose. Should I start a new thread since it’s a different WAP? Cisco vs Unifi. Or just post it here?

I don't see any reason to not continue here, the issue is the same, even if on a different device.

Thank you! Unfortunately, I can’t paste the config. The error I get is (used </> for code):

An error occurred: Body is limited to 32000 characters; you entered 66835.


No way I could add the config here. I ended up just attaching the file. There’s a bunch of garb in there, things that haven’t been touched. Assuming it’s due to the verbose trigger.

Yep, export verbose is verbose.

Greetings. Any assistance that can be provided? Out of DHCP addresses 50-254, there is one available IP left. It’s not returning the IPs back to the pool. Next step is to create a next pool just in case. If anyone can provide assistance as to why the IPs aren’t being returned, it would be greatly appreciated.

# 2025-10-14 20:24:32 by RouterOS 7.19.6
# software id = STAL-2C8C
#
# model = L009UiGS
# serial number = ""
/interface bridge add name="Lan Bridge"
/interface ethernet set [ find default-name=ether1 ] comment=ISP1
/interface ethernet set [ find default-name=ether2 ] disabled=yes
/interface ethernet set [ find default-name=ether3 ] disabled=yes
/interface ethernet set [ find default-name=ether4 ] disabled=yes
/interface ethernet set [ find default-name=ether5 ] disabled=yes
/interface ethernet set [ find default-name=ether6 ] comment="Cisco Meraki_Toast_DMARC"
/interface ethernet set [ find default-name=ether7 ] comment="Netgear Nighthawk_Office"
/interface ethernet set [ find default-name=ether8 ] comment=SimpliNet_Cisco_WAP_Bar poe-out=off
/interface ethernet set [ find default-name=sfp1 ] comment=2.5G_SFP disabled=yes
/interface wireguard add comment=Client_WG_Private listen-port=23234 mtu=1420 name=Client_WG_Private
/interface wireguard add comment=SimpliNet_Network listen-port=23233 mtu=1420 name=SimpliNet_Network
/interface list add comment=defconf name=WAN
/interface list add comment=defconf name=LAN
/ip pool add comment="Lan Bridge" name=LAN ranges=10.21.1.50-10.21.1.254
/ip pool add name=LAN_2 ranges=10.21.2.2-10.21.2.254
/ip dhcp-server add add-arp=yes address-pool=LAN interface="Lan Bridge" lease-time=10m name=dhcp1 use-reconfigure=yes
/port set 0 name=serial0
/queue simple add limit-at=1M/30M max-limit=30M/500M name=Roku_Bar_Right target=10.21.1.45/32
/queue simple add limit-at=1M/30M max-limit=30M/500M name=Roku_ATM target=10.21.1.46/32
/queue simple add limit-at=1M/30M max-limit=30M/500M name="Roku_Back Wall" target=10.21.1.47/32
/queue simple add limit-at=1M/30M max-limit=30M/500M name=Roku_Bar_Left target=10.21.1.48/32
/queue simple add limit-at=1M/30M max-limit=30M/500M name=Roku_Bar_Center target=10.21.1.49/32
/queue simple add limit-at=1M/10M max-limit=30M/500M name="Cisco_Meraki_Toast POS" target=10.21.1.13/32
/queue simple add limit-at=10M/10M max-limit=30M/500M name=Security_NVR target=10.21.1.44/32
/interface bridge port add bridge="Lan Bridge" interface=ether2
/interface bridge port add bridge="Lan Bridge" interface=ether3
/interface bridge port add bridge="Lan Bridge" interface=ether4
/interface bridge port add bridge="Lan Bridge" interface=ether5
/interface bridge port add bridge="Lan Bridge" interface=ether6
/interface bridge port add bridge="Lan Bridge" interface=ether7
/interface bridge port add bridge="Lan Bridge" interface=ether8
/ip firewall connection tracking set tcp-established-timeout=30m
/ip neighbor discovery-settings set discover-interface-list=LAN
/ip settings set max-neighbor-entries=4096
/ipv6 settings set disable-ipv6=yes
/interface list member add interface=ether1 list=WAN
/interface list member add interface="Lan Bridge" list=LAN
/interface list member add interface=Client_WG_Private list=LAN
/interface wireguard peers add allowed-address=10.10.0.0/24,10.15.0.0/24,10.21.0.0/16,192.168.201.0/24 comment=SimpliNet_Network endpoint-address="removed" endpoint-port=23233 interface=SimpliNet_Network name=SimpliNet_Network persistent-keepalive=25s public-key="removed"
/ip address add address=10.21.1.1/24 interface="Lan Bridge" network=10.21.1.0
/ip address add address=10.15.0.10/24 interface=SimpliNet_Network network=10.15.0.0
/ip address add address=10.21.0.1/24 interface=Client_WG_Private network=10.21.0.0
/ip cloud set update-time=no
/ip dhcp-client add comment=WAN1 interface=ether1 script=":local gw \$\"gateway-address\"\
    \n:local int \"\$interface\"\
    \n:local intComm [/ip dhcp-client get [find interface=\$int] comment]\
    \n:local name [/system identity get name]\
    \n:local currIP [/ip firewall address-list get [find list=\"Client_WAN1\"] address]\
    \n:local nRule [/ip firewall nat get [find comment=\"SRCNAT_WAN1\"] to-addresses]\
    \n\
    \n## Update the items when the lease is obtained\
    \n:if (\$bound=1) do={\
    \n  :if ((\$currIP != \$\"lease-address\") or (\$nRule !=  \$\"lease-address\")) do={\
    \n    :log warning \"DHCP Client lease address changed. Updating NAT rule & address-list\"\
    \n    /ip firewall nat set [find comment=\"SRCNAT_WAN1\"] to-addresses=\$\"lease-address\"\
    \n    /ip firewall address-list set [find list=\"Client_WAN1\"] address=\$\"lease-address\"} else={\
    \n      :log warning \"NAT rule & address-list match DHCP Client lease address. No updates are needed\"}}\
    \n\
    \n## Email upon completion.\
    \n:delay 5s\
    \n:log warning \"Sending email to admin\"\
    \n/tool e-mail send to=router@simplinetsolutions.com subject=\"\$[/system identity get name] \$int DHCP-Client\" body=\"Date: \$[/system clock get date] \\r Time: \$[/system clock get time] \\r Device: \$name \\r IP address: \$\"lease-address\" \\r\\r DHCP-Client script is complete for \$int \$intComm\"\
    \n" use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease add address=10.21.1.10 client-id=1:14:84:73:65:a5:18 comment=SimpliNet_Cisco_WAP_Bar mac-address=14:84:73:65:A5:18 server=dhcp1
/ip dhcp-server lease add address=10.21.1.11 client-id=1:0:0:5e:0:1:1 mac-address=00:00:5E:00:01:01 server=dhcp1
/ip dhcp-server lease add address=10.21.1.20 client-id=1:76:82:1b:c9:2c:8d comment=SimpliNet_Admin mac-address=76:82:1B:C9:2C:8D server=dhcp1
/ip dhcp-server lease add address=10.21.1.13 client-id=1:c:8d:db:96:cf:e5 comment=Cisco_Meraki_Toast_POS mac-address=0C:8D:DB:96:CF:E5 server=dhcp1
/ip dhcp-server lease add address=10.21.1.46 mac-address=BC:D7:D4:58:4B:0B server=dhcp1
/ip dhcp-server lease add address=10.21.1.47 mac-address=BC:D7:D4:6A:C3:58 server=dhcp1
/ip dhcp-server lease add address=10.21.1.49 mac-address=38:64:07:98:CC:8F server=dhcp1
/ip dhcp-server lease add address=10.21.1.42 client-id=1:1c:ee:c9:d:b9:83 comment=Elo_Touchscreen_DoorDash mac-address=1C:EE:C9:0D:B9:83 server=dhcp1
/ip dhcp-server lease add address=10.21.1.12 client-id=1:10:da:43:a9:23:78 comment=Netgear_Nighthawk_Office mac-address=10:DA:43:A9:23:78 server=dhcp1
/ip dhcp-server lease add address=10.21.1.44 client-id=1:8:ed:ed:44:b7:d7 comment=Security_NVR mac-address=08:ED:ED:44:B7:D7 server=dhcp1
/ip dhcp-server lease add address=10.21.1.45 comment=Roku_Streamers_45-49 mac-address=38:64:07:98:CC:AB server=dhcp1
/ip dhcp-server lease add address=10.21.1.48 mac-address=50:06:F5:3B:99:28 server=dhcp1
/ip dhcp-server network add address=10.21.1.0/24 dns-server=10.21.1.1 gateway=10.21.1.1 ntp-server=10.21.1.1
/ip dns set allow-remote-requests=yes cache-max-ttl=3d doh-max-concurrent-queries=400 doh-max-server-connections=500 doh-timeout=8s max-concurrent-queries=400 max-concurrent-tcp-sessions=500 mdns-repeat-ifaces="Lan Bridge" servers=1.1.1.2,1.0.0.2,208.67.222.222 use-doh-server=https://security.cloudflare-dns.com/dns-query verify-doh-cert=yes
/ip dns static add address=1.1.1.2 name=security.cloudflare-dns.com/dns-query type=A
/ip dns static add address=1.0.0.2 name=security.cloudflare-dns.com/dns-query type=A
/ip firewall address-list add address="removed" comment=SimpliNet_WAN list=Authorized
/ip firewall address-list add address=192.168.201.20-192.168.201.29 comment=SimpliNet_Admin list=Authorized
/ip firewall address-list add address=10.10.0.0/24 comment=SimpliNet_Admin list=Authorized
/ip firewall address-list add address=1.1.1.2 list=allowed_DNS
/ip firewall address-list add address=1.0.0.2 comment=Allowed_DNS list=allowed_DNS
/ip firewall address-list add address=17.253.26.251 list=allowed_NTP
/ip firewall address-list add address=162.159.200.123 list=allowed_NTP
/ip firewall address-list add address=162.159.200.1 list=allowed_NTP
/ip firewall address-list add address=216.239.35.12 list=allowed_NTP
/ip firewall address-list add address=17.253.26.123 comment=Allowed_NTP list=allowed_NTP
/ip firewall address-list add address=10.10.0.0/24 comment=SimpliNet_Admin list=SimpliNet_Network
/ip firewall address-list add address=192.168.201.20-192.168.201.29 comment=SimpliNet_Admin list=SimpliNet_Network
/ip firewall address-list add address=192.168.201.15 comment=SimpliNet_Drive list=SimpliNet_Network
/ip firewall address-list add address=10.21.1.20-10.21.1.25 comment=SimpliNet_Admin_Local list=Authorized
/ip firewall address-list add address=8.8.8.8 disabled=yes list=allowed_DNS
/ip firewall address-list add address=10.15.0.1 list=SimpliNet_Network
/ip firewall address-list add address=10.21.0.0/24 comment=Client_WG_Private list=Client_WG_Private
/ip firewall address-list add address=10.21.1.50-10.21.1.254 comment=Client_DHCP_Pool list=Client_DHCP_Pool
/ip firewall address-list add address="removed" comment=Client_WAN list=Client_WAN1
/ip firewall address-list add address=10.21.1.1-10.21.1.49 list=SimpliNet_Client
/ip firewall address-list add address=10.15.0.10 comment=SimpliNet_Client list=SimpliNet_Client
/ip firewall address-list add address=208.67.222.222 list=allowed_DNS
/ip firewall address-list add address=10.21.1.0/24 disabled=yes list=SimpliNet_Client
/ip firewall address-list add address=10.21.1.40-10.21.1.49 comment=Queued_Devices list=Queued_Devices
/ip firewall address-list add address=10.21.1.13 comment=Cisco_Meraki_Toast_POS list=Queued_Devices
/ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=input comment="defconf: accept to local loopback" dst-address=127.0.0.1
/ip firewall filter add action=accept chain=input comment="defconf: accept ICMP after RAW" protocol=icmp
/ip firewall filter add action=accept chain=input comment="accept wireguard handshake_SimpliNet" dst-port=23233 log-prefix=WG_handshake protocol=udp
/ip firewall filter add action=accept chain=input comment="accept wireguard handshake_Client" disabled=yes dst-port=23234 log=yes log-prefix=WG_handshake protocol=udp
/ip firewall filter add action=accept chain=input comment="accept Client_WG services" disabled=yes dst-port=53,123 log-prefix=Customer_WG_DNS protocol=udp src-address-list=Client_WG_Private
/ip firewall filter add action=accept chain=input comment="accept admin access" log-prefix=ADMIN src-address-list=Authorized
/ip firewall filter add action=drop chain=input comment="drop management port from DHCP pool" dst-port=7280,8291 in-interface-list=LAN log=yes log-prefix=DROP_Manage protocol=tcp src-address-list=Client_DHCP_Pool
/ip firewall filter add action=drop chain=input comment="defconf: drop all else not from LAN" in-interface-list=!LAN log-prefix=DROP_else
/ip firewall filter add action=accept chain=forward comment="accept SimpliNet Network" dst-address-list=SimpliNet_Client in-interface=SimpliNet_Network log-prefix=SimpliNet_in src-address-list=SimpliNet_Network
/ip firewall filter add action=accept chain=forward dst-address-list=SimpliNet_Network log-prefix=SimpliNet_out out-interface=SimpliNet_Network src-address-list=SimpliNet_Client
/ip firewall filter add action=drop chain=forward comment="drop all else SimpliNet traffic" in-interface=SimpliNet_Network log-prefix=drop-else_WG
/ip firewall filter add action=drop chain=forward log-prefix=drop-else_WG out-interface=SimpliNet_Network
/ip firewall filter add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-mark=no-mark connection-state=established,related hw-offload=yes
/ip firewall filter add action=accept chain=forward comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
/ip firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid
/ip firewall filter add action=accept chain=forward comment="internet access" in-interface-list=LAN out-interface-list=WAN
/ip firewall filter add action=accept chain=forward comment="accept Client Wireguard traffic" disabled=yes in-interface=Client_WG_Private log-prefix=Client_WG_in src-address-list=Client_WG_Private
/ip firewall filter add action=accept chain=forward disabled=yes dst-address-list=Client_WG_Private log-prefix=Client_WG_out out-interface=Client_WG_Private
/ip firewall filter add action=accept chain=forward comment="port forwarding" connection-nat-state=dstnat
/ip firewall filter add action=drop chain=forward comment="defconf: drop all else" log-prefix=DROP_else_FWD
/ip firewall mangle add action=mark-connection chain=prerouting comment="mark connection for Queued Devices" connection-mark=no-mark in-interface-list=LAN log-prefix=Queued_LAN new-connection-mark=Queued src-address-list=Queued_Devices
/ip firewall mangle add action=mark-connection chain=forward connection-mark=no-mark dst-address-list=Queued_Devices in-interface-list=WAN log-prefix=Queued_WAN new-connection-mark=Queued
/ip firewall mangle add action=mark-connection chain=prerouting connection-mark=no-mark in-interface-list=LAN log=yes log-prefix=AGGREGATED_block new-connection-mark=x_AGGREGATED_block src-mac-address=C2:BF:AE:C8:36:D2
/ip firewall nat add action=src-nat chain=srcnat comment=SRCNAT_WAN1 out-interface-list=WAN to-addresses="removed"
/ip firewall nat add action=redirect chain=dstnat comment="Redirect DNS traffic" dst-address=!10.21.1.1 dst-port=53 in-interface-list=LAN log-prefix=TCP_DNS protocol=tcp src-address=!10.21.1.1
/ip firewall nat add action=redirect chain=dstnat dst-address=!10.21.1.1 dst-port=53 in-interface-list=LAN protocol=udp src-address=!10.21.1.1
/ip firewall nat add action=masquerade chain=srcnat comment="Netgear_Nighthawk_remote access" dst-address=10.21.1.12 in-interface=SimpliNet_Network src-address-list=Authorized to-addresses=10.21.1.12
/ip firewall raw add action=accept chain=prerouting comment="accept Authorized from WAN" src-address-list=Authorized
/ip firewall raw add action=drop chain=prerouting comment="drop non-legit traffic from WAN" dst-port=53 in-interface-list=WAN log-prefix=RAW-DROP_DNS-tcp protocol=tcp src-address-list=!allowed_DNS
/ip firewall raw add action=drop chain=prerouting dst-port=53 in-interface-list=WAN protocol=udp src-address-list=!allowed_DNS
/ip firewall raw add action=drop chain=prerouting dst-port=123 in-interface-list=WAN log-prefix=RAW-DROP_DNS-tcp protocol=tcp src-address-list=!allowed_NTP
/ip firewall raw add action=drop chain=prerouting dst-port=123 in-interface-list=WAN protocol=udp src-address-list=!allowed_NTP
/ip firewall raw add action=drop chain=prerouting comment="drop malicious addresses" in-interface-list=WAN log-prefix=DROP_AGGREGATED src-address-list=y-blocklist_AGGREGATED
/ip firewall raw add action=drop chain=prerouting in-interface-list=WAN log-prefix=DROP_AGGREGATED src-address-list=z-blocklist_1
/ip firewall raw add action=drop chain=prerouting in-interface-list=WAN log-prefix=DROP_AGGREGATED src-address-list=z-blocklist_4
/ip firewall raw add action=drop chain=prerouting in-interface-list=WAN log-prefix=DROP_AGGREGATED src-address-list=z-blocklist_5
/ip firewall raw add action=add-src-to-address-list address-list=x-AGGREGATED_blocked address-list-timeout=1w chain=prerouting dst-address-list=y-blocklist_AGGREGATED
/ip firewall raw add action=drop chain=prerouting dst-address-list=y-blocklist_AGGREGATED log-prefix=DROP_AGGREGATED
/ip firewall raw add action=drop chain=prerouting dst-address-list=z-blocklist_1 log-prefix=DROP_AGGREGATED
/ip firewall raw add action=drop chain=prerouting dst-address-list=z-blocklist_4 log-prefix=DROP_AGGREGATED
/ip firewall raw add action=drop chain=prerouting dst-address-list=z-blocklist_5 log-prefix=DROP_AGGREGATED
/ip route add disabled=no distance=1 dst-address=10.10.0.0/24 gateway=SimpliNet_Network routing-table=main scope=30 suppress-hw-offload=no target-scope=10
/ip route add disabled=no distance=1 dst-address=192.168.201.0/24 gateway=SimpliNet_Network routing-table=main scope=10 suppress-hw-offload=no target-scope=5
/ip service set ftp disabled=yes
/ip service set ssh disabled=yes
/ip service set telnet disabled=yes
/ip service set www disabled=yes
/ip service set winbox address=10.10.0.0/24,"removed",192.168.201.0/24,10.21.0.0/16,10.21.1.20/32,10.15.0.0/24 port=7280
/ip service set api disabled=yes
/ip service set api-ssl disabled=yes
/ipv6 firewall filter add action=drop chain=input
/ipv6 firewall filter add action=drop chain=forward
/ipv6 firewall raw add action=drop chain=prerouting
/system clock set time-zone-autodetect=no time-zone-name=America/New_York
/system identity set name=LAZ-4265
/system logging add disabled=yes topics=dns
/system ntp client set enabled=yes
/system ntp server set broadcast=yes broadcast-addresses=10.21.1.255 enabled=yes multicast=yes
/system ntp client servers add address=162.159.200.123
/system ntp client servers add address=216.239.35.12
/system ntp client servers add address=17.253.26.123
/system ntp client servers add address=17.253.26.251
/system ntp client servers add address=162.159.200.1
/system routerboard settings set auto-upgrade=yes enter-setup-on=delete-key
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

Is your Arp table "stale"?
Maybe you can try running a script to clean it, see (it seems to me a similar case to yours):


Greetings. Thank you for the response & link. I did have some stale, about 10, but most were labeled failed after clearing the arp table & running an IP-Scan. I did end up adding “/ip arp remove [ find where !complete ]” to the scheduler to clear it out daily at 7am. This command did clear the failed entries, resulting in a clean arp table.

I know nothing about max-neighbor-entries, so I’ll leave that alone. But that is set to 4096 on a recommendation from anav years ago on other setups. Kinda just kept that across all the routers. Running this script via scheduler every morning will do, I have no issue with that at all.

Thanks again for pointing me to that thread. Appreciate the assistance here!

Yep, good that it helps, but someone must come out with a good idea on how these entries "multiply" themselves. Maybe we cannot do anything about it, but until we find out the base reason why this happens, the periodically running clearing script is only a temporary and partial patch.

I wonder if running it once a day is enough to keep these arp entries tamed, I don't think that running it more often (let's say every three or four hours) would have any impact on connectivity, but still, even if it works, it is an ugly way to deal with the issue.