 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

gratuitous arp issue

Thu Sep 02, 2021 2:07 pm

quick note: i am new to MikroTik products but have over 20 years of network troubleshooting experience with other vendors, so not totally green.

Issue: client's phones won't finish 'initializing' upon bootup. while troubleshooting, i discovered that if i isolate the phone switch from the MikroTik router, they finish the initialization process and start up just fine

took a wireshark trace and noticed that when the phones start up they use a self-assigned Auto IPv4 address in the 169.254.0.0 range, to which the router responds. the phone picks another, and so on.

the client gave me access to the router and the only thing i noticed was that the interface is configured for proxy-arp.

before i suggest we put the value back to default, i thought i would ask the group if i'm on the right track...
Regards
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: gratuitous arp issue

Thu Sep 02, 2021 9:59 pm

The address space 169.254.x.y/16, is used when a host can not actually detect a DHCP server, thus it is assigning itself a link local address using a mechanism called APIPA ( Automatic Private IP Addressing )...

So, first it seems that this device can not detect a DHCP Server...

Gratuitous ARP is used for a device to detect if there is a duplicate address in the network in accordance to the IP that it has assigned itself...
Am not sure, but it looks like it finds that there is a duplicate address, and i can only guess that it is not referred to the address 169.254.8.184...

But combining the above, from my point of view, the whole problem is caused because of a duplicate address, and that's why the DHCP won't assign an IP to that host ...
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: gratuitous arp issue

Thu Sep 02, 2021 10:30 pm

Screenshot from wireshark only shows that proxy-arp works ... phone invents an APIPA address, tries to verify it is unique in current LAN using ARP whohas .. and MT screws this royally because it answers the ARP request (as it's supposed to do with proxy arp setting) making phone believe the address under consideration is already occupied (by MT), then it tries another address. If that setting is set back to default, phone should be able to settle for APIPA address.

The real reason why phone doesn't get DHCP lease is not on the screenshot. One should investigate all traffic from and to phone starting from point in time when phone starts to initialize. If phone is set up as DHCP client, then attempt to contact DHCP server should be the first communication.
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: gratuitous arp issue

Thu Sep 02, 2021 10:59 pm

@mkx, how exactly MikroTIK finds that this IP is indeed in use ?

What are the chances that there is another device in the same network with an APIPA address assigned and that being the same as the Phone's ( 169.254.8.184 )?
I mean 169.254.8.184 is indeed duplicate or not ?
From my point of view, yes proxy-arp is enabled, but should only reply if it knew that there is a device in the network, behind the router with the same 169.254.8.184 address assigned...
That is the case or not ?
 
mkx
Forum Guru
Posts: 11433
Joined: Thu Mar 03, 2016 10:23 pm

Re: gratuitous arp issue

Fri Sep 03, 2021 11:50 am

> @mkx, how exactly MikroTIK finds that this IP is indeed in use ?

Not sure how mikrotik determines that IP address is already in use. In theory it should consult its own ARP tables and only answer the query when it finds entry exactly matching the target IP address and device is residing behind interface other than the one which received ARP whohas query. Which likely means that proxy-arp sometimes doesn't answer for mostly-silent destination addresses where ARP entry time-outs.


Address occupancy check procedure:
  1. get IP address (either using APIPA or via DHCP lease)
  2. ask if somebody is already using it by sending broadcast message ARP who has
  3. if somebody answers claiming it's using it, this means address is already in use.
    Repeat from bullet #1
  4. if nobody answers, this means IP address is free.
    Configure IP stack and get done with it.

Details about how to perform bullet #2 are different depending on how IP address was obtained, APIPA procedure is defined in RFC3927.

What are chances for another device on network to have same APIPA address? Not entirely impossible because chosen APIPA address is supposed to be chosen randomly ... if devices use same random generator and end up using same salt, they come up with same address. If APIPA address selection is done properly, then chances of address conflict are slim.

Yes, router should only reply with own MAC address to ARP whohas queries only if it knows that device with target IP address is indeed behind another router's interface. I guess there's room for bugs here :wink: But then, IMHO, IPv4 link-local addresses only have to be unique within same L2 subnet. The fact that proxy-arp is configured indicates that there is more than a single L2 network involved (or that whoever set it didn't exactly know what he was doing).
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: gratuitous arp issue

Fri Sep 03, 2021 4:25 pm

> I guess there's room for bugs here
Yes, maybe ...
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Wed Sep 08, 2021 1:07 am

> The address space 169.254.x.y/16, is used when a host can not actually detect a DHCP server, thus it is assigning itself a link local address using a mechanism called APIPA ( Automatic Private IP Addressing )...
>
> So, first it seems that this device can not detect a DHCP Server...
>
> Gratuitous ARP is used for a device to detect if there is a duplicate address in the network in accordance to the IP that it has assigned itself...
> Am not sure, but it looks like it finds that there is a duplicate address, and i can only guess that it is not referred to the address 169.254.8.184...
>
> But combining the above, from my point of view, the whole problem is caused because of a duplicate address, and that's why the DHCP won't assign an IP to that host ...

the phones are part of an AT&T voip system and, believe it or not, they rely on 169.254.0.0 ip addresses for communication. apparently they use their own discovery protocol to find the gateway to get out, but the MT router kills the grat arp process.
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Wed Sep 08, 2021 1:09 am

> @mkx, how exactly MikroTIK finds that this IP is indeed in use ?
>
> What are the chances that there is another device in the same network with an APIPA address assigned and that being the same as the Phone's ( 169.254.8.184 )?
> I mean 169.254.8.184 is indeed duplicate or not ?
> From my point of view, yes proxy-arp is enabled, but should only reply if it knew that there is a device in the network, behind the router with the same 169.254.8.184 address assigned...
> That is the case or not ?

i wondered the same thing and noticed the phones use different 169.254 addresses and the router gets in the way every time. i agree with your point about proxy arp, but not sure why this is happening. i am going to suggest to the client we set arp back to enable and test again
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Wed Sep 08, 2021 1:10 am

> > @mkx, how exactly MikroTIK finds that this IP is indeed in use ?
>
> Not sure how mikrotik determines that IP address is already in use. In theory it should consult its own ARP tables and only answer the query when it finds entry exactly matching the target IP address and device is residing behind interface other than the one which received ARP whohas query. Which likely means that proxy-arp sometimes doesn't answer for mostly-silent destination addresses where ARP entry time-outs.
>
> Address occupancy check procedure:
>   1. get IP address (either using APIPA or via DHCP lease)
>   2. ask if somebody is already using it by sending broadcast message ARP who has
>   3. if somebody answers claiming it's using it, this means address is already in use.
>     Repeat from bullet #1
>   4. if nobody answers, this means IP address is free.
>     Configure IP stack and get done with it.
>
> Details about how to perform bullet #2 are different depending on how IP address was obtained, APIPA procedure is defined in RFC3927.
>
> What are chances for another device on network to have same APIPA address? Not entirely impossible because chosen APIPA address is supposed to be chosen randomly ... if devices use same random generator and end up using same salt, they come up with same address. If APIPA address selection is done properly, then chances of address conflict are slim.
>
> Yes, router should only reply with own MAC address to ARP whohas queries only if it knows that device with target IP address is indeed behind another router's interface. I guess there's room for bugs here :wink: But then, IMHO, IPv4 link-local addresses only have to be unique within same L2 subnet. The fact that proxy-arp is configured indicates that there is more than a single L2 network involved (or that whoever set it didn't exactly know what he was doing).

i totally agree and want the IT guy to try setting arp back to enable and failing that we set up a new config.
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Mon Oct 04, 2021 6:46 pm

firstly, thanks for all the help.
soooo, i asked the IT guy to ensure all interfaces' ARP setting is set back to 'enable'. He says he made the change and rebooted... same issue
so i went through the router config and the only thing i don't quite understand is that ports eth 5 - 9 are all connected to the same switch/vlan.
I don't have much experience with MikroTik, but never seen this type of configuration. FYI.. everyone is on the Office VLAN/addressing

Any ideas why someone would do this?

attached some screenshots
Last edited by thetechfirm on Mon Oct 04, 2021 8:05 pm, edited 1 time in total.
 
tdw
Forum Guru
Posts: 1843
Joined: Sat May 05, 2018 11:55 am

Re: gratuitous arp issue

Mon Oct 04, 2021 7:26 pm

Screenshots are not very helpful, post the output of /export hide-sensitive after redacting any public IPs, passwords in scripts, etc. (hide-sensitive only removes obviously sensitive data such as passwords and wireless keys).
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: gratuitous arp issue

Mon Oct 04, 2021 7:38 pm

I see your public IP address correctly, also the username, because you were so kind as to censor it within the image, but you forgot to censor the title...

You must use a VPN to access your router instead of leaving it open to the world with the default port...

I guess you weren't so Fortunato (lucky) after all...
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Mon Oct 04, 2021 8:06 pm

totally missed that i didn't redact the public ips. will get the config properly.. thanks again
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Mon Oct 04, 2021 8:34 pm

let's try this again. here's my config
Last edited by thetechfirm on Mon Oct 04, 2021 9:36 pm, edited 1 time in total.
 
rextended
Forum Guru
Posts: 11982
Joined: Tue Feb 25, 2014 12:49 pm
Location: Italy

Re: gratuitous arp issue

Mon Oct 04, 2021 8:59 pm

Remove the config, you left the no-ip script with the password...

The points are 3:
1) it is extremely hard to give help without the config...
2) it is extremely easy to forget to remove something that must not go public in the config...
3) do not use the same password for no-ip and for winbox...
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Mon Oct 04, 2021 9:38 pm

i'm just going to replace the router with a Cisco or Ubiquiti as a test since i am more familiar with those products
 
thetechfirm
just joined
Topic Author
Posts: 9
Joined: Thu Sep 02, 2021 1:58 pm

Re: gratuitous arp issue

Wed Nov 03, 2021 2:16 am

finally got some time to go back and took another wireshark capture and noticed that the Mikrotik mac address was the WAN mac address. never thought to check that port and proxy arp was enabled. put it back to arp and everything worked. woo hoo!!
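
An added example, not part of the original thread: a Python check for the symptom described in mkx's address occupancy procedure and in the final post, where a single MAC answers ARP probes for every link-local address a host tries. The MAC addresses, the sample capture and all addresses other than 169.254.8.184 are constructed, and the function names are hypothetical.

```python
import ipaddress
import struct
from collections import defaultdict

LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
ARP_FMT = "!HHBBH6s4s6s4s"  # 28-byte ARP payload for Ethernet + IPv4

def parse_arp(payload):
    """Return (opcode, sender MAC, sender IP, target IP) of a raw ARP payload."""
    _, _, _, _, op, sha, spa, _, tpa = struct.unpack(ARP_FMT, payload[:28])
    return op, sha.hex(":"), ipaddress.ip_address(spa), ipaddress.ip_address(tpa)

def proxy_arp_suspects(payloads, min_addresses=2):
    """Map each MAC that answered probes for several link-local addresses to them."""
    probed = {}                  # probed address -> MAC of the host probing it
    answered = defaultdict(set)  # replying MAC -> probed addresses it claimed
    for raw in payloads:
        op, mac, spa, tpa = parse_arp(raw)
        if op == 1 and int(spa) == 0 and tpa in LINK_LOCAL:
            probed[tpa] = mac        # ARP probe: request with sender IP 0.0.0.0
        elif op == 2 and spa in probed and mac != probed[spa]:
            answered[mac].add(spa)   # another station claims the probed address
    # One owner answering for one address is a real conflict; one MAC
    # answering for many addresses is what proxy-arp looks like on the wire.
    return {mac: [str(ip) for ip in sorted(ips)]
            for mac, ips in answered.items() if len(ips) >= min_addresses}

def build_arp(op, sender_mac, sender_ip, target_ip):
    """Build a constructed ARP payload (target MAC left as zeros)."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       ipaddress.ip_address(sender_ip).packed, bytes(6),
                       ipaddress.ip_address(target_ip).packed)

# Constructed capture: all MACs and all addresses except 169.254.8.184 are made up.
PHONE, ROUTER, OTHER = "00:11:22:33:44:55", "02:00:00:00:00:01", "02:00:00:00:00:02"
SAMPLE = []
for addr in ("169.254.8.184", "169.254.77.12", "169.254.201.3"):
    SAMPLE.append(build_arp(1, PHONE, "0.0.0.0", addr))   # phone probes
    SAMPLE.append(build_arp(2, ROUTER, addr, "0.0.0.0"))  # router answers each one
SAMPLE.append(build_arp(1, PHONE, "0.0.0.0", "169.254.5.5"))
SAMPLE.append(build_arp(2, OTHER, "169.254.5.5", "0.0.0.0"))  # genuine single owner

if __name__ == "__main__":
    for mac, addrs in proxy_arp_suspects(SAMPLE).items():
        print(f"{mac} answered probes for {len(addrs)} addresses: {addrs}")
```

The flagged MAC can then be matched against the router's interface list to find which port is answering, which in this thread turned out to be the WAN port.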
