Prevent IP Stealing / ARP / No DHCP

Hello,

I am using a CRS226-24G-2S+ switch and I would like to block IP stealing.
I have some users with Linux boxes that are able to add / change IP’s from my /24 subnet.

My network is something like this:

So…I would like to setup the CRS to deny traffic forward for IPs that are not owned by the users. Also, I do not wish to use DHCP server on router or switch.

Just a simple IP / MAC / Interface binding.

For example:
Server 1 has IP 89.33.200.10, MAC 00:26:55:2f:e4:76 and is connected to port 5 in switch.
In IP - Arp List I added a static setup: IP= 89.33.200.10, MAC= 00:26:55:2f:e4:77, PORT=4

[admin@MikroTik] > ip arp add address=89.33.200.10 interface=ether4 mac-address=00:26:55:2f:e4:77

But I can still ping the IP from outside the network. Any advice?

Thank you

By adding static ARP entries on the (gateway) router, you can make sure any connection from there goes to the right machine. Especially if you set the arp-mode on that interface to “reply-only”.

To block ARP among hosts on the same broadcast domain, you’ll have to get fancy with bridge filtering rules (allowing only ARP replies for the IPs you want to allow, per port).

Can you give an example how to get fancy :)

Let's say that on port 5 we only allow 192.168.10.100 with MAC address 00:14:11:D2:C5:30.

Thank you
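As an added example (editorial, not posted by anyone in the thread), this is how the two measures from the reply above can be expressed in RouterOS configuration, using the port, IP and MAC from the follow-up post. Assumptions: the switch ports are members of a bridge named `bridge1`, the router's own ARP table lives on that bridge interface, and RouterOS v6 `/interface bridge filter` syntax applies; the bridge name and the comment strings are illustrative.

```routeros
# Added example, not from the thread. Assumed bridge name: bridge1.
# Host to pin: 192.168.10.100 / 00:14:11:D2:C5:30 on ether5 (values from the follow-up post).

# 1) Router side: static ARP entry plus reply-only mode, so the gateway never
#    learns a spoofed IP->MAC mapping from the wire and only answers for known hosts.
/ip arp add address=192.168.10.100 mac-address=00:14:11:D2:C5:30 interface=bridge1 \
    comment="pinned: ether5 host"
/interface bridge set bridge1 arp=reply-only

# 2) Bridge filter, per port: accept ARP only when the sender IP and sender MAC
#    both match the binding, drop every other ARP frame arriving on that port.
#    Rules are evaluated top to bottom, so the accept must precede the drop.
/interface bridge filter
add chain=forward in-interface=ether5 mac-protocol=arp \
    arp-src-address=192.168.10.100/32 arp-src-mac-address=00:14:11:D2:C5:30 \
    action=accept comment="ether5: ARP from the bound IP/MAC only"
add chain=forward in-interface=ether5 mac-protocol=arp action=drop \
    comment="ether5: drop ARP with any other sender IP or MAC"

# Same check for ARP aimed at the router itself (chain=input), otherwise a
# spoofed gratuitous ARP could still reach the bridge interface.
add chain=input in-interface=ether5 mac-protocol=arp \
    arp-src-address=192.168.10.100/32 arp-src-mac-address=00:14:11:D2:C5:30 \
    action=accept comment="ether5: ARP to router from bound host only"
add chain=input in-interface=ether5 mac-protocol=arp action=drop

# 3) ARP filtering alone does not stop a host that simply configures the stolen
#    address and sends IP packets; pin the IP payload to the MAC as well.
add chain=forward in-interface=ether5 mac-protocol=ip \
    src-address=192.168.10.100/32 src-mac-address=00:14:11:D2:C5:30 \
    action=accept comment="ether5: IP traffic from bound host"
add chain=forward in-interface=ether5 mac-protocol=ip action=drop \
    comment="ether5: drop IP traffic from any other source"
```

Repeat the four-rule pattern (ARP accept/drop, IP accept/drop) for each user port with that port's own binding. Two caveats worth checking before relying on this: bridge filter rules are processed by the CPU, so on a CRS where inter-port traffic is switched in hardware, frames that never reach the CPU are not inspected, and you need to confirm on your unit that the user ports' traffic actually traverses the bridge filter (or use switch-chip ACL rules instead, at the cost of CPU-side throughput); and the static ARP entry from the first post (a different MAC and port than the host really has) will not block anything by itself, since the router keeps learning dynamically until `arp=reply-only` is set on the interface.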