Proxy-arp issue

We have a fairly complicated setup with multiple broadband connections / routers and several subnets on the local side.

On the LAN side we have three 24 port switches with a single connection between switches. 1 → 2 → 3. No loops after double checking the inter switch connections.

Each router also has a single connection to one of the three switches depending on location.

We are using an RB750GR3 acting as a VPN endpoint on one external IP and pointing to addresses in the 192.168.10.0/24 range.

I have enabled proxy-arp on the LAN interface of the RB750 to allow access to the internal 192.168.10.0/24 range from the other side of the VPN.

The only IPs on the RB750 are the external & internal 192.168.10.xx addresses.

My issue is that for some reason the RB750 is acting as if in local-proxy-arp mode for addresses in the 192.168.1.0/24 range.

When I do an IP scan in the 192.168.1.0/24 range I get an ARP return of the router's MAC. I also get long lists of established connections in the firewall.

Most importantly though I get intermittent connectivity between hosts in the 192.168.1.0/24 range.

This does not affect any of the other class C ranges we operate on the LAN.

Any suggestions?

Proxy-ARP will return the MAC of the router for any IP the router has a route for on the segment Proxy-ARP is enabled on.

You could make the VPN its own IP range and disable Proxy-ARP.

That is my issue. This router has no route, IP addresses or anything else for the 192.168.1.0/24 range. It is set up to exclusively deal with the 192.168.10.0/24 range.

Unless I am misunderstanding you, this is already the case.

We run a DHCP pool to assign an IP in the 192.168.10.0/24 range. All systems that we want to access over the L2TP/IPSec VPN externally are also in this range. Without the proxy-arp on the LAN interface we are unable to access systems on the LAN externally.

Does the router have any routes? I imagine a default gateway? If so that would match 192.168.1.0/24 and therefore replies to ARP requests.

From what you are describing, are the 3 switches each connected to one another without VLANs?

Maybe draw us a topology. Something simple will do like Paint if you don’t have Visio.

The last item about the VPN. I separate the VPN pool from the LAN pool. Either something wholly different like 10.168.10/24 for the VPN of 192.168.10.0/24 LAN. The router will route traffic between the LAN and VPN naturally without Proxy-ARP. I only use overlapping subnets if I absolutely have to.
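The route-matching rule the reply above describes (the router answers ARP for any target it has a route to, so a default route makes it answer for 192.168.1.0/24 as well) can be checked with a small model. The following is an added example written for this thread, not configuration or code from the original poster or from MikroTik: the routing table, interface names (`ether1-wan`, `ether2-lan`) and the 203.0.113.0/30 WAN subnet are constructed stand-ins, and the `proxy-arp` vs `local-proxy-arp` distinction (reply only when the route leaves via a different interface, vs reply for any route) is modelled on the usual proxy-ARP behaviour rather than taken from RouterOS source.

```python
import ipaddress

# Constructed routing table standing in for the RB750 in the thread: a default
# route out the WAN port plus the connected WAN and LAN subnets. Interface
# names and the WAN /30 are assumptions, not the poster's actual config.
ROUTES_WITH_DEFAULT = [
    ("0.0.0.0/0", "ether1-wan"),       # default gateway
    ("203.0.113.0/30", "ether1-wan"),  # connected WAN subnet (constructed)
    ("192.168.10.0/24", "ether2-lan"), # connected LAN subnet from the thread
]

# Same table with the default route removed, to see what changes.
ROUTES_NO_DEFAULT = [r for r in ROUTES_WITH_DEFAULT if r[0] != "0.0.0.0/0"]


def lookup_route(routes, dst):
    """Longest-prefix match. Returns (network, out_iface) or None if no route."""
    ip = ipaddress.ip_address(dst)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def answers_arp(routes, in_iface, target, mode="proxy-arp"):
    """Would the router reply to an ARP request for `target` heard on `in_iface`?

    proxy-arp:       reply if a route exists AND it exits a different interface.
    local-proxy-arp: reply if any route exists, even back out the same interface.
    This is the assumed model described in the lead-in, not RouterOS source.
    """
    route = lookup_route(routes, target)
    if route is None:
        return False
    if mode == "local-proxy-arp":
        return True
    return route[1] != in_iface


def explain(routes, in_iface, target, mode="proxy-arp"):
    """Human-readable line showing which route drove the decision."""
    route = lookup_route(routes, target)
    via = f"via {route[0]} -> {route[1]}" if route else "no route"
    verdict = "REPLIES" if answers_arp(routes, in_iface, target, mode) else "silent"
    return f"{mode:16} ARP for {target:14} on {in_iface}: {verdict:8} ({via})"


if __name__ == "__main__":
    # 192.168.1.50 is a constructed host address in the range the poster scanned.
    for label, table in (("with default route", ROUTES_WITH_DEFAULT),
                         ("without default route", ROUTES_NO_DEFAULT)):
        print(f"--- {label} ---")
        print(explain(table, "ether2-lan", "192.168.1.50"))
        print(explain(table, "ether2-lan", "192.168.10.20"))
        print(explain(table, "ether2-lan", "192.168.10.20", "local-proxy-arp"))
```

Running it shows that with the default route present, an ARP request on the LAN for 192.168.1.50 matches 0.0.0.0/0 via the WAN interface and the router replies with its own MAC, which is exactly the symptom in the first post; drop the default route and the same request gets no reply. It also shows why it looks like local-proxy-arp only for the foreign range: for 192.168.10.x the route points back out the LAN interface, so plain proxy-arp stays silent there.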