More subnets on the same switch

I have a strange behaviour, perhaps correct; please explain it to me…

My eth1 is 192.168.1.1/24

eth2 to eth5 have eth1 as master port

My windows machine 192.168.1.100 is connected to eth2 (192.168.1.1 default gateway)

If I connect a 10.0.0.5/24 machine on eth3 and add a 10.0.0.100 secondary address to my Windows machine (this is done for testing out-of-factory 10.0.0.x devices), the devices don't talk to each other, and on the Windows machine I get an IP conflict alert (although it isn't true).

I have to set a 10.0.0.x secondary address on eth1 to make the devices in this subnet visible to each other.

Obviously this has been done hundreds of times on common switches without any apparent problem.

Despite the fact that this may not be the correct way to do it, why does this happen, and what can one configure to make the best use of this practice on RouterOS machine switches without using VLANs?

Thank you

P.S. proxy-arp is enabled on eth1

That's why it's failing. The MikroTik knows how to reach 10.x.x.x - the default GW matches it, and furthermore the destination is not on the same interface (LAN), so the MikroTik will answer ARP requests for 10.x.x.x (in fact, it will answer ANY ARP request that's not in the 192.168.1.x range).

Probably you should just disable proxy ARP - but if you do need it for something else you're doing, then you don't have to add the IP to the MikroTik; just create a static route with eth1 as the gateway (use the interface name, not an IP address). This way, the MikroTik will not answer ARP requests for 10.x.x.x addresses because it knows this IP range is on the same interface. (Proxy ARP won't reply for addresses that live on the same interface where it hears an ARP request.)

Very satisfactory answer!

proxy-arp was for old PPTP sessions, no longer needed, removed.

All ok now

Thank you

I need to start an L2TP server.
The L2TP pool is on the LAN subnet.
Now, how can an L2TP client reach all machines on the LAN without using proxy-arp (because of the issue above)?

If the L2TP pool is a different IP range than the LAN, then you don't need proxy ARP - you need the clients to route the LAN IP range via their L2TP connection (if you don't use split tunnelling, this is easy, because the L2TP connection becomes the default GW for the client). The LAN will already be able to reach the L2TP addresses because the LAN machines use the router as their default GW anyway, and the router knows how to reach each client via its routing table, so proxy ARP is not needed. It's the routing on the client side that must be correct.

If you want the L2TP clients to be part of your LAN, then you should assign IPs to the clients from the LAN IP range - don't use a different IP range - and then enabling proxy ARP won't be an issue; in fact it would be pretty much required.
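The rule both answers rely on (proxy ARP replies when the router has a route to the target and that route's egress interface differs from the interface the ARP request arrived on) can be checked with a small routing-table model. The following is an added example written for this page, not code from the thread or from MikroTik: it replays the 10.0.0.x failure, the static-route fix from the first answer, and the L2TP-pool-inside-the-LAN case from the second answer. Interface names eth1 and the addresses come from the thread; the WAN interface name "wan", the L2TP interface name "l2tp-client1" and the client address 192.168.1.200 are assumptions made up for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed routing tables modelled on the thread. Each entry is
# (destination prefix, egress interface). "wan" is an assumed name for
# the interface holding the default route.
ROUTES_BEFORE = [
    ("0.0.0.0/0", "wan"),          # default route
    ("192.168.1.0/24", "eth1"),    # connected LAN, eth1 is the bridge/master port
]

# The first answer's fix, equivalent to adding a static route whose
# gateway is the interface name eth1 (not an IP address):
ROUTES_AFTER = ROUTES_BEFORE + [("10.0.0.0/24", "eth1")]

# Second answer: an L2TP client given an address from the LAN pool.
# The /32 via the tunnel interface models the per-client route the
# server holds while the tunnel is up; the interface name is assumed.
ROUTES_L2TP = ROUTES_BEFORE + [("192.168.1.200/32", "l2tp-client1")]

ROUTER_IPS = {"192.168.1.1"}       # addresses the router answers ARP for itself


def lookup(routes, dst):
    """Longest-prefix match: egress interface for dst, or None if no route."""
    addr = ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in routes:
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def proxy_arp_replies(routes, ingress_iface, target_ip, proxy_arp_ifaces, own_ips=ROUTER_IPS):
    """Model of the proxy-ARP decision described in the thread.

    Returns True if the router answers an ARP request for target_ip heard
    on ingress_iface. A request for one of the router's own addresses is
    ordinary ARP and is always answered; everything else is proxy ARP and
    is answered only when proxy ARP is enabled on the ingress interface
    and the best route to the target leaves through a *different*
    interface.
    """
    if target_ip in own_ips:
        return True
    if ingress_iface not in proxy_arp_ifaces:
        return False
    egress = lookup(routes, target_ip)
    if egress is None:
        return False
    return egress != ingress_iface


def replay_thread():
    """Replay the scenarios from the thread; returns a dict of outcomes."""
    proxy_on = {"eth1"}
    return {
        # Windows probes its own new secondary address 10.0.0.100 before
        # using it. The router replies (route via wan != eth1), so Windows
        # reports an IP conflict that no real host caused.
        "dad_probe_answered_before_fix":
            proxy_arp_replies(ROUTES_BEFORE, "eth1", "10.0.0.100", proxy_on),
        # Windows resolving 10.0.0.5: the router also answers, competing
        # with the real host on eth3, so the two devices do not talk.
        "peer_lookup_answered_before_fix":
            proxy_arp_replies(ROUTES_BEFORE, "eth1", "10.0.0.5", proxy_on),
        # With 10.0.0.0/24 routed out of eth1 itself, the router stays quiet.
        "dad_probe_answered_after_fix":
            proxy_arp_replies(ROUTES_AFTER, "eth1", "10.0.0.100", proxy_on),
        "peer_lookup_answered_after_fix":
            proxy_arp_replies(ROUTES_AFTER, "eth1", "10.0.0.5", proxy_on),
        # Simply turning proxy ARP off also stops the bogus replies.
        "dad_probe_answered_proxy_off":
            proxy_arp_replies(ROUTES_BEFORE, "eth1", "10.0.0.100", set()),
        # L2TP client 192.168.1.200 drawn from the LAN range: a LAN host
        # ARPs for it on eth1, the route leaves via the tunnel, so proxy
        # ARP is exactly what makes the client reachable.
        "lan_reaches_l2tp_client_with_proxy":
            proxy_arp_replies(ROUTES_L2TP, "eth1", "192.168.1.200", proxy_on),
        "lan_reaches_l2tp_client_without_proxy":
            proxy_arp_replies(ROUTES_L2TP, "eth1", "192.168.1.200", set()),
    }


if __name__ == "__main__":
    for name, answered in replay_thread().items():
        print(f"{name:45s} router replies: {answered}")
```

The model deliberately ignores the MAC addresses in the replies: the harm in the first scenario comes purely from the router answering at all, because a reply to a duplicate-address probe is enough to trigger the Windows conflict alert. The static-route fix works because the interface-as-gateway route makes the egress interface equal to the ingress interface, which is the one condition under which proxy ARP stays silent.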