Unexpected IP precedence shift on interface with Proxy-ARP

Hi everyone,
I've been using Mikrotik for several years now, and while I wouldn't call myself an expert, I've never had too many problems. Sometimes things are a bit tricky to get going, but then you get the hang of it, and wow!
For a few months now, I've been using proxy-arp mode on an interface, and I have to say it's very interesting, and I've gotten exactly the behavior I wanted. However, every now and then—once a month?—I connect and see the internet sign missing... apparently, what's happening is as if the three addresses I have on the interface are rotating, and the output address isn't the original one.

Let me try to explain better by describing the environment:

I have two networks:

Technicolor AGHP 19.4 --> 192.168.1.0/24

  • 192.168.1.110 ether1 Mikrotik hAP ac^2 6.43.10 --> 192.168.88.0/24

On the ether1 interface in proxy-arp mode, there are two other IP addresses: 192.168.1.180 and 192.168.1.181. These allow me to reach the respective IP addresses of the 192.168.88.0/24 subnet, 192.168.88.180 and 192.168.88.178, from 192.168.1.0/24.

[bonea@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; defconf: masquerade
     chain=srcnat action=masquerade out-interface-list=WAN log=no log-prefix="" ipsec-policy=out,none

 1   chain=dstnat action=dst-nat to-addresses=192.168.88.180 dst-address=192.168.1.180 log=no log-prefix=""

 2   chain=dstnat action=dst-nat to-addresses=192.168.88.178 dst-address=192.168.1.181 log=no log-prefix=""

[bonea@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2
 1   192.168.1.180/24   192.168.1.0     ether1
 2   192.168.1.181/24   192.168.1.0     ether1
 3   192.168.1.110/24   192.168.1.0     ether1

This is the IP address order I see when it works. When it doesn't, the order looks like this:

[bonea@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; defconf
     192.168.88.1/24    192.168.88.0    ether2
 1   192.168.1.110/24   192.168.1.0     ether1
 2   192.168.1.180/24   192.168.1.0     ether1
 3   192.168.1.181/24   192.168.1.0     ether1

I'm asking for help from the forum because, as a computer scientist, I'd like to understand:

  • why this is happening
  • where I can see what happened in the logs
  • and, of course, how to prevent it from happening again.

Thank you very much, and I apologize for the automatic translation.

PS

Looking around, I found this: "The problem is probably related to the fact that the default masquerade takes the first available IP on the interface. If the order changes, the outgoing IP changes. You could solve this by using action=src-nat instead of masquerade, specifying the IP 192.168.1.110 in the to-addresses field." What do you think? If this is the right tip, why do the addresses change? I'm a bit interested in the ramifications of this seemingly unpredictable behavior.

AFAIK, the order of addresses shown should reflect the order in which those addresses were defined on a particular interface. I don't know how the configuration is applied from the saved one at boot time; I would expect to see the same order, but it might be that the order gets changed if things don't go as expected while booting. E.g. I would expect address assignment to fail if the interface is not yet initialized when the boot process tries to assign the address. Assignment might be re-tried a few moments later so that it ultimately succeeds. But if there are multiple addresses to be assigned, assignment of the first address might fail while the rest succeed, and after the first assignment is re-tried (and succeeds), the order of addresses might be different.

So yes, in case there are multiple addresses assigned to one interface, it's better to use a "normal" SRC-NAT configuration instead of masquerade ... especially so if the WAN IP address (192.168.1.110 in your case) is actually static (you manually set it up). There are two benefits of using masquerade instead of src-nat rules:

  1. setup might be slightly easier, as one has to specify only one specific property (interface or interface-list); the rest is taken automatically
  2. if the interface IP address is dynamic, then when using masquerade and the interface IP address changes, masquerade automatically drops all existing connections and starts using the new interface IP address. With src-nat rules, one has to do that manually.

It seems to me that in your particular case neither of the two benefits applies (bullet #2 doesn't, as you have static interface addresses, and bullet #1 doesn't really apply because your setup is not as trivial as masquerade expects).

BTW, I fail to see how proxy-ARP applies in the described behaviour; using multiple IP addresses on an interface with the goal of being able to use the surplus addresses for DST-NAT doesn't involve proxy-ARP at all.

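The change recommended above, written out as RouterOS CLI so the weak rule and its replacement sit side by side. This is an added example, not configuration posted in the thread; it assumes the default WAN interface list contains ether1 and that the LAN clients sit in 192.168.88.0/24, both as the original post's output suggests.

```routeros
# Before: the default rule. Masquerade picks the first address bound to the
# outgoing interface, so when the order of the three ether1 addresses changes
# after a reboot, outbound traffic may leave as .180 or .181 instead of .110
# and upstream rules that expect .110 stop matching.
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN \
    comment="defconf: masquerade"

# After: drop the masquerade rule and pin the source address explicitly.
# src-nat with to-addresses does not depend on the address order. Because
# 192.168.1.110 is statically configured, the one drawback of src-nat noted
# above (no automatic reset when the interface address changes) does not apply.
/ip firewall nat
remove [find comment="defconf: masquerade"]
add chain=srcnat action=src-nat src-address=192.168.88.0/24 \
    out-interface-list=WAN to-addresses=192.168.1.110 \
    comment="LAN egress pinned to 192.168.1.110"

# The two existing dst-nat rules for .180 and .181 stay as they are; reply
# traffic for those connections is rewritten by connection tracking and never
# passes through the srcnat chain.

# Verify after a reboot: the srcnat rule must show to-addresses=192.168.1.110,
# and new outbound connections should list reply-dst-address=192.168.1.110
# regardless of how /ip address print orders the ether1 addresses.
/ip address print
/ip firewall nat print where chain=srcnat
/ip firewall connection print detail
```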

You didn’t really state clearly your intent for the multiple subnets and specific IPs, but I think I agree with @mkx. It seems like you just need regular routing and dst-nat/src-nat maybe. I think proxy-arp might be something you thought you needed but is really a red herring.

Maybe it would be beneficial for you to try and explain as simply as possible, without regard to the mikrotik router or config, what you are trying to do with your network devices/servers. That would probably make it much easier to understand what special features, if any, of the router you actually need.