I have been given one static IP address to use out of a CIDR block /28 from my ISP.
The full address/28 is needed so the gateway can be reached.
What is the easiest way to restrict the router from doing anything with the other addresses?
Unless it’s configured to use them it won’t.
To make sure, you could use the MikroTik firewall. First accept your IP/32, then deny PREFIX/28 going out on your WAN interface.
Personally I wouldn’t worry though.
I’d rather not use/rely on the firewall if there is a simpler way to handle this.
The issue is not layer 3 traffic, but layer 2 traffic (ARP). It is showing up and causing grief with the service provider by performing ARP traffic on the addresses that are not assigned.
The IP is xxx.xxx.xxx.166/28 gateway on .161.
The /ip/arp print shows .161, .163, .164, .165, .167, .168, .171, .172
The service provider is detecting this traffic coming from our port and shutting it down.
Again, if the firewall method is the best practice, so be it, but if there is a different, better way to do it, we’d rather do that.
Thanks!
There will only be ARP traffic to addresses within your subnet when there is actual IP traffic attempted towards those addresses.
Try to find out what it is. Some scanner running?
Make sure that your WAN interface doesn’t have proxy-arp enabled. If you didn’t configure any of the other addresses from your range on the Mikrotik, then that is the only reason I can think of that your router would be responding to ARPs on those IPs.
Besides that - the rest of those IPs are yours to use as well, yes? If not, then it’s a silly ISP to assign a /28 onto an interface and expect the customers’ gear to just play nice.
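As an added example (not part of the thread and not MikroTik's own tooling), this Python sketch takes saved `/ip/arp print` output and lists the WAN-side ARP entries inside the /28 that are neither the router's own address nor the gateway, which are the destinations to investigate when looking for what is generating the traffic. The sample table is constructed, `192.0.2.x` stands in for the redacted prefix, and the interface name `ether1` and the column layout are assumptions.

```python
import ipaddress
import re

# Constructed sample in the style of "/ip/arp print" output (layout assumed).
# 192.0.2.0/24 is the documentation range, used in place of xxx.xxx.xxx.
SAMPLE_ARP = """\
Flags: D - dynamic, C - complete
 #    ADDRESS         MAC-ADDRESS       INTERFACE
 0 DC 192.0.2.161     02:00:00:00:01:61 ether1
 1 D  192.0.2.163                       ether1
 2 DC 192.0.2.165     02:00:00:00:01:65 ether1
 3 DC 192.168.88.10   02:00:00:00:88:10 bridge
"""

# index, optional flag letters, IPv4 address, optional MAC, interface name
ROW = re.compile(
    r"^\s*\d+\s+(?:(?P<flags>[A-Z]+)\s+)?"
    r"(?P<ip>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?:(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})\s+)?"
    r"(?P<iface>\S+)\s*$"
)


def unexpected_wan_neighbors(arp_text, wan_iface, own_cidr, gateway):
    """Return (address, resolved) pairs for on-link WAN ARP entries that
    are neither our own address nor the gateway."""
    own = ipaddress.ip_interface(own_cidr)
    gw = ipaddress.ip_address(gateway)
    hits = []
    for line in arp_text.splitlines():
        m = ROW.match(line)
        if not m or m["iface"] != wan_iface:
            continue  # header line, flags legend, or a LAN-side entry
        ip = ipaddress.ip_address(m["ip"])
        if ip in own.network and ip not in (own.ip, gw):
            # resolved=False means no MAC was learned for this address
            hits.append((str(ip), m["mac"] is not None))
    return hits


if __name__ == "__main__":
    for addr, resolved in unexpected_wan_neighbors(
        SAMPLE_ARP, "ether1", "192.0.2.166/28", "192.0.2.161"
    ):
        state = "resolved" if resolved else "unresolved"
        print(f"{addr}: ARP entry on WAN ({state})")
```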