I'm trying to understand why I see duplicate IP addresses on my neighbors. Can someone explain what's going on here:



Bill

Duplicate IP addresses show different MAC addresses. My first guess would be that IP setup on those devices is not entirely correct. Perhaps the remote device has bridge joining a few interfaces and IP settings (IP address etc.) are not bound to bridge interface but rather to one member port ... So you should inspect config on those devices to see if there's something out of place.

I've seen this a couple of times (count is easily three-digit) and it is really annoying.
The interface list for discovery should only contain the bridge the lan-facing interface is bound to. No physical interfaces belonging to the same bridge.
In 100% of my cases the issue only appeared on access points.
These APs were under CAPsMAN control. And the physical wlan interfaces were manually added to the bridge.
The proven working solution is to define the correct bridge in /interface wireless cap and remove the manual interface mapping to the local bridge.
Then reboot the APs and the issue should be gone.

Good luck,
-Chris

Thank you both for your help. I'm very much a beginner at Mikrotik.

These are all APs in which I used QuickSet to configure them. The 3011 is my core router with dedicated ports to each of the APs.

I will work on this and report back.

Thanks again.

Bill

I see this behavior too, on a network established for years, one that does not have any of the addressing issues proposed, or use CapsMAN, and NEVER showed this behavior until a recent release, on or around the time of the one that changed the user password encryption method. I am confident that it is a recently introduced bug. I have not reported it since it didn't really affect my work (I could just ignore the duplicates).

For example (see image) GateAP.RH at 192.168.128.199 is an old SXT being used as a bridge (actually a single-device AP). The ether and wireless ports are bridged together and have an admin MAC address. Previously, only the admin MAC address would show in this table (correct operation). Now, /ip neighbors also shows the ether port's MAC address with wonky properties: no IPv6, zero uptime, and a blank board name. You can see it also does exactly the same for AP.RH. This is just wrong. Feel free to report it to support@mikrotik.com .

Here is a /export from one of the APs showing up as duplicate on my core 3011 router. I've XX'ed out the passwords.

Could someone look and give me some pointers?

[admin@Z-Office-AP-5GHz] > /export
# feb/04/2020 08:56:24 by RouterOS 6.45.7
# software id = WW2J-3NMF
#
# model = RouterBOARD 962UiGS-5HacT2HnT
# serial number = 6F1306878527
/interface bridge
add name=bridge1
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
supplicant-identity=MikroTik wpa-pre-shared-key=bXXXXXX \
wpa2-pre-shared-key=bXXXXXX
add authentication-types=wpa-psk,wpa2-psk eap-methods="" management-protection=\
allowed mode=dynamic-keys name=profile1 supplicant-identity="" \
wpa-pre-shared-key=bXXXXXX wpa2-pre-shared-key=bXXXXXX
add authentication-types=wpa-psk,wpa2-psk,wpa-eap,wpa2-eap eap-methods="" \
management-protection=allowed mode=dynamic-keys name=profile-5ghz \
supplicant-identity="" wpa-pre-shared-key=bXXXXXX \
wpa2-pre-shared-key=bXXXXXX
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-g/n disabled=no frequency=2422 mode=\
ap-bridge security-profile=profile1 ssid=Z-XXXXXX
set [ find default-name=wlan2 ] band=5ghz-a/n/ac channel-width=20/40/80mhz-Ceee \
disabled=no frequency=5765 mode=ap-bridge security-profile=profile-5ghz \
ssid=Z-XXXXXX wireless-protocol=802.11
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=sfp1
add bridge=bridge1 interface=wlan2
add bridge=bridge1 interface=wlan1
/interface list member
add interface=ether1 list=WAN
add interface=ether2 list=LAN
add interface=ether3 list=LAN
add interface=ether4 list=LAN
add interface=ether5 list=LAN
add interface=sfp1 list=LAN
add interface=wlan2 list=LAN
add interface=wlan1 list=LAN
/ip address
add address=192.168.1.2/24 interface=ether2 network=192.168.1.0
/ip dns
set servers=192.168.1.1
/ip route
add distance=1 gateway=192.168.1.1
/snmp
set enabled=yes location=Z-Office-AP-5GHz
/system clock
set time-zone-name=America/Los_Angeles
/system identity
set name=Z-Office-AP-5GHz
[admin@Z-Office-AP-5GHz] >

Bill

I don't know if this is related to duplicate IP neighbour, but in exported config we can see classical configuration error: LAN IP address is set to ether2 which is slave interface of bridge1. Correct setup would be LAN IP address set on bridge1 interface. Another error (leftover from default config) is config which sets ether1 as member of WAN interface list. Not that this matters as your config doesn't seem to use interface lists.

Out of curiosity: which interfaces have MACs 6C:3B:6B:73:E6:34 and 6C:3B:6B:73:E6:2D? You can check that running commands /interface bridge print or /interface ethernet print or /interface wireless print ...

This may be an issue in the OP's configuration, but the bug exhibits even on configurations that do not contain such an error. See image. All MAC addresses are correct, all bridging is correct, all addressing is correct, yet neighbors still show up more than once, only one of them with correct properties.

...

Out of curiosity: which interfaces have MACs 6C:3B:6B:73:E6:34 and 6C:3B:6B:73:E6:2D? You can check that running commands /interface bridge print or /interface ethernet print or /interface wireless print ...

[admin@Z-Office-AP-5GHz] > /interface ethernet print
Flags: X - disabled, R - running, S - slave
# NAME MTU MAC-ADDRESS ARP SWITCH
0 RS ether1 1500 6C:3B:6B:73:E6:2D enabled switch1
1 S ether2 1500 6C:3B:6B:73:E6:2E enabled switch1
2 S ether3 1500 6C:3B:6B:73:E6:2F enabled switch1
3 S ether4 1500 6C:3B:6B:73:E6:30 enabled switch1
4 S ether5 1500 6C:3B:6B:73:E6:31 enabled switch1
5 S sfp1 1500 6C:3B:6B:73:E6:32 enabled
[admin@Z-Office-AP-5GHz] > /interface wireless print
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 l2mtu=1600 mac-address=6C:3B:6B:73:E6:34 arp=enabled
interface-type=Atheros AR9300 mode=ap-bridge ssid="Z-Network"
frequency=2422 band=2ghz-g/n channel-width=20mhz secondary-channel=""
scan-list=default wireless-protocol=any vlan-mode=no-tag vlan-id=1
wds-mode=disabled wds-default-bridge=none wds-ignore-ssid=no
bridge-mode=enabled default-authentication=yes default-forwarding=yes
default-ap-tx-limit=0 default-client-tx-limit=0 hide-ssid=no
security-profile=profile1 compression=no

1 R name="wlan2" mtu=1500 l2mtu=1600 mac-address=6C:3B:6B:73:E6:33 arp=enabled
interface-type=Atheros AR9888 m
frequency=5765 band=5ghz-a/n/ac
secondary-channel="" scan-list=
vlan-mode=no-tag vlan-id=1 wds-
wds-ignore-ssid=no bridge-mode=
default-forwarding=yes default-
hide-ssid=no security-profile=p
[admin@Z-Office-AP-5GHz] >

Bill

Come to think of it: on my 6.45.7 I don't see any neighbour duplicates. However, I do see spurious entries such as one with MAC address shown as "00:00:00:00:00:00" or entry which actually belongs to a linux host running winbox (under wine) I'm connecting from. Those spurious entries seem to disappear from the list after a while (100+ seconds).

So I agree with @macsrwe that this phenomenon is not caused by configuration on remote devices, it's a bug in winbox and the bug presents itself differently on different winbox versions.
Winbox 3.20 (both 32 and 64 bit versions) behave as written in previous paragraph. Winbox 3.18 (32 bit) doesn't show the all-zero-MAC entry, but shows the winbox-running linux as well. I have older versions of winbox as well, but those are not compatible with recent ROS.

Seems that it's winbox which triggers these spurious entries. If I connected to RB via CLI and checked neighbour list there (/ip neighbor print detail), I could see all those spurious entries as well. After I closed all winbox clients, those spurious entries slowly vanished, some after 3 minutes or so.