Problem with ARP

Yesterday I had a sudden, unexpected outage on a small MikroTik router I’m using temporarily for internet.

At the time I had little firewall protection, as it was a quick experiment that lasted a bit longer than expected; I have now taken care of it.

The setup is:

  • I’m running RouterOS 6.43.8 with a quite plain configuration, very close to default except that IPv6 is enabled, and at the time I had little to no IPv6 firewall
  • WAN is ether1, straight Ethernet DHCP with CGNAT on the provider side, and SLAAC that gives me native IPv6
  • a bridge with the rest of the interfaces; only Wi-Fi is being used

What I observed after my internet stopped working was: nothing was accessible outside my LAN, over either IPv4 or IPv6. I had a strange IPv6 default route, with two next hops leading to different link-local addresses. I checked and both were pingable. One was, of course, the router. The other?

I found the MAC address, but could not make sense of it. So I logged into the router, and found that it was there, in the ARP table.

/ip arp print
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS            MAC-ADDRESS       INTERFACE
 0 DC MMM.MMM.MMM.MMM    XX:XX:XX:XX:XX:XX ether1    <- my upstream router
 1 DC 192.168.NN.NNN     YY:YY:YY:YY:YY:YY bridge    <- my laptop
 2 DC MMM.MMM.MMM.MMM    XX:XX:XX:XX:XX:XX bridge    <- my upstream router (AGAIN!)

So, my upstream router appeared both on my bridge and on ether1. I cross-checked, and could not understand it, so I decided to reboot to see if it was a fluke or memory corruption, in spite of the router having been working all right for more than one day.

After the reboot the situation was the same. No outside access, this error in the ARP table, my default IPv6 route with two next hops…

I kept looking and found something strange, which was the cause of my firewall going crazy: there was an error under internet-detect, which was active, and bridge appeared both as LAN and WAN.

I deactivated internet-detect, created the right interface lists:

/interface list member print
Flags: X - disabled, D - dynamic
 #   LIST   INTERFACE
 0   LAN    bridge
 1   WAN    ether1

And I had to reboot, as the internet-detected ones were refusing to disappear. After the reboot everything went OK.

I checked that everything was working and added a much better IPv6 firewall (before, I had only two rules rejecting invalid packets).

My question is: how could my bridge see an ether1 neighbour when ether1 is not there? Is there a known bug or race condition that leads to interfaces being bridged unwillingly? I’m more concerned with the possibility of an ARP poisoning or similar attack than with a bug that is not easy to trigger (some sort of race condition, etc.). At the moment the problem happened, traffic was quite low and not many things were happening.

Any clues?
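
The two symptoms described in the post above (one MAC address appearing in the ARP table on more than one interface, and one interface being a member of both the LAN and WAN lists) can be checked mechanically on saved RouterOS output. This is an added example, not part of the original post and not MikroTik code; the function names, the sample addresses and the dynamic WAN row for bridge are constructed assumptions.

```python
import re
from collections import defaultdict

# Rows of "/ip arp print": index, optional flags, address, MAC, interface.
ARP_ROW = re.compile(
    r"^\s*\d+\s+(?:([XIHDPC]+)\s+)?(\S+)\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+(\S+)")
# Rows of "/interface list member print": index, optional flags, list, interface.
LIST_ROW = re.compile(r"^\s*\d+\s+(?:([XD]+)\s+)?(\S+)\s+(\S+)")

def macs_on_multiple_interfaces(arp_text):
    """Map each MAC seen on more than one interface to those interfaces."""
    seen = defaultdict(set)
    for line in arp_text.splitlines():
        m = ARP_ROW.match(line)
        if not m:
            continue  # header, flag legend, blank line
        flags, _addr, mac, iface = m.groups()
        if set(flags or "") & {"X", "I"}:
            continue  # skip disabled and invalid entries
        seen[mac.upper()].add(iface)
    return {mac: sorted(i) for mac, i in seen.items() if len(i) > 1}

def interfaces_in_both_lists(list_text, first="LAN", second="WAN"):
    """Return interfaces that are enabled members of both lists."""
    members = defaultdict(set)
    for line in list_text.splitlines():
        m = LIST_ROW.match(line)
        if m and "X" not in (m.group(1) or ""):
            members[m.group(2)].add(m.group(3))
    return sorted(members[first] & members[second])

# Constructed sample output (documentation addresses, made-up MACs).
SAMPLE_ARP = """\
Flags: X - disabled, I - invalid, H - DHCP, D - dynamic, P - published, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 203.0.113.1     02:00:00:00:00:01 ether1
 1 DC 192.168.88.10   02:00:00:00:00:02 bridge
 2 DC 203.0.113.1     02:00:00:00:00:01 bridge
"""
# Constructed: assumes the detected membership showed up as a dynamic (D) row.
SAMPLE_LISTS = """\
Flags: X - disabled, D - dynamic
 #   LIST   INTERFACE
 0   LAN    bridge
 1   WAN    ether1
 2 D WAN    bridge
"""

if __name__ == "__main__":
    print(macs_on_multiple_interfaces(SAMPLE_ARP))
    print(interfaces_in_both_lists(SAMPLE_LISTS))
```

A hit from either function only says that the tables are inconsistent; it does not by itself distinguish a misclassified interface from spoofed ARP replies.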