odge
Member Candidate
Topic Author
Posts: 110
Joined: Mon Nov 29, 2010 2:53 pm

Proxy-Arp, bug or expected behaviour?

Mon Dec 14, 2015 3:37 pm

Hi

When we have a MikroTik with proxy-arp enabled on an interface (that isn't our gateway), it seems randomly the MikroTik is responding to ARP requests to say IPs belong to it, that don't. So you can ping something on the network fine, and then all of a sudden the MikroTik responds and the ARP table on the client thinks that the right MAC to send to for this other device is at the MikroTik MAC, when in actual fact there is already layer2 access to it?

If we make the MikroTik a gateway, the problem doesn't happen (we don't get the poisoned ARP entry), but if it's not the gateway, we do?

What do you guys think, is this a bug, or am I overlooking something?
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Proxy-Arp, bug or expected behaviour?

Mon Dec 14, 2015 6:51 pm

Maybe you don't understand what proxy arp is doing?
That behaviour sounds OK. The router will answer any ARP request for which it knows how to route the destination.

Normally you will never mix that with a default gateway. You maybe need to describe better what you do.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: Proxy-Arp, bug or expected behaviour?

Mon Dec 14, 2015 10:00 pm

It sounds like the proxy-arp router is sometimes thinking that some other Interface is the default route (or a specific route to whatever IP it's arp poisoning).
Basically, proxy-arp means that an interface should respond to ARP requests for any IP address in the routing table of the host, and whose next hop interface is not the proxy-arp interface itself. Suppose the bottom router sends an ARP request for HostX. Normally, the top router should answer proxy-arp requests and the side router will not reply because it will use the top router to reach Host X.

Suppose the primary route fails in the side router (even if the top router is really online and available and able to reach host X), then the side router will have a different path to reach Host X and it will begin answering ARP requests for HostX.

This can get even more strange if the reason the right router's backup route to X is taking over is due to routing loops caused by redistribution of static routes, for instance.

...

I imagine that your scenario is probably something along the lines of a customer device which connects by PPPoE and it has gone to the backup PPPoE server and then back to the primary, but the backup server's MAC address is remaining in the primary router's ARP cache... (this used to happen to me back in the ISDN days - which is what led to me learning dynamic routing as opposed to proxy arp)
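The reply rule described in the post above, as an added example that is not part of the original thread and not RouterOS code. It is a simplified model: the router names, interface names (`lan`, `wan`, `backup`) and addresses are constructed for illustration, and route selection is reduced to longest-prefix match plus distance.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Route:
    prefix: str          # destination network
    out_if: str          # interface the next hop is reached through
    distance: int        # lower wins among equal-length prefixes
    active: bool = True

def best_route(routes, ip):
    """Longest-prefix match over active routes, ties broken by distance."""
    addr = ipaddress.ip_address(ip)
    candidates = [r for r in routes
                  if r.active and addr in ipaddress.ip_network(r.prefix)]
    if not candidates:
        return None
    return min(candidates,
               key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.distance))

def proxy_arp_answers(routes, target_ip, arp_in_if):
    """Answer when the target is routable and its next-hop interface is
    not the proxy-arp interface the ARP request arrived on."""
    route = best_route(routes, target_ip)
    return route is not None and route.out_if != arp_in_if

def claimed_by(routers, target_ip, lan_if="lan"):
    """Routers that would reply to an ARP request for target_ip on the shared LAN."""
    return sorted(name for name, routes in routers.items()
                  if proxy_arp_answers(routes, target_ip, lan_if))

# Constructed topology: HostX sits behind the top router's "wan" side.
HOST_X = "10.9.0.10"
side_primary = Route("10.9.0.0/24", "lan", 1)     # via the top router, over the LAN
side_backup = Route("10.9.0.0/24", "backup", 10)  # alternate path, other interface
ROUTERS = {
    "top": [Route("10.9.0.0/24", "wan", 1)],
    "side": [side_primary, side_backup],
}

def scenario():
    """Who answers for HostX before and after the side router loses its primary route."""
    before = claimed_by(ROUTERS, HOST_X)
    side_primary.active = False     # failure seen by the side router only
    after = claimed_by(ROUTERS, HOST_X)
    side_primary.active = True      # restore the model
    return before, after

if __name__ == "__main__":
    print(scenario())
```

Once two routers claim the same IP, which MAC a client caches depends on reply timing, which matches the intermittent symptom in the first post.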
 
odge
Member Candidate
Topic Author
Posts: 110
Joined: Mon Nov 29, 2010 2:53 pm

Re: Proxy-Arp, bug or expected behaviour?

Mon Dec 14, 2015 10:35 pm

ZeroByte wrote:
> It sounds like the proxy-arp router is sometimes thinking that some other Interface is the default route (or a specific route to whatever IP it's arp poisoning).
> Basically, proxy-arp means that an interface should respond to ARP requests for any IP address in the routing table of the host, and whose next hop interface is not the proxy-arp interface itself. Suppose the bottom router sends an ARP request for HostX. Normally, the top router should answer proxy-arp requests and the side router will not reply because it will use the top router to reach Host X.
>
> Suppose the primary route fails in the side router (even if the top router is really online and available and able to reach host X), then the side router will have a different path to reach Host X and it will begin answering ARP requests for HostX.
>
> This can get even more strange if the reason the right router's backup route to X is taking over is due to routing loops caused by redistribution of static routes, for instance.
>
> ...
>
> I imagine that your scenario is probably something along the lines of a customer device which connects by PPPoE and it has gone to the backup PPPoE server and then back to the primary, but the backup server's MAC address is remaining in the primary router's ARP cache... (this used to happen to me back in the ISDN days - which is what led to me learning dynamic routing as opposed to proxy arp)

OK, reading this makes everything go into instant sense, because we use proxy-arp mostly for VPN tunnel IPs to be presented to the LAN network, but as I read your section about "any IP address in the routing table of the host, and whose next hop interface is not in the proxy-arp interface itself", and boom, you've fixed my understanding of the PPTP use-case, which could incorrectly be said to be "makes the host respond to any IP for which it knows not to be on the proxy-arp interface". Works for the definition of the PPTP tunnel, but doesn't work so when an IP may have had to route through a backup or alternative route as you have pointed out.

Thanks for the help!

pe1chl wrote:
> Maybe you don't understand what proxy arp is doing?
> That behaviour sounds OK. The router will answer any ARP request for which it knows how to route the destination.
>
> Normally you will never mix that with a default gateway. You maybe need to describe better what you do.

I don't think I agree with that, based on this common case: a gateway router that also needs to serve a VPN server to the same network (and that is probably one of the most common use-cases for proxy-arp). It's also straight out of the wiki for PPTP here at http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP
