cutedrummerboy
Member Candidate
Topic Author
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

High ARP Incoming

Thu Apr 07, 2016 6:51 pm

Can anyone tell me why this is happening? I am facing this in the incoming direction.
arp_flood.png
Device: RB2011UIAS-RM, RB750GL, CISCO SG300-28, UNIFI UAP-LR
 
pe1chl
Forum Guru
Posts: 6678
Joined: Mon Jun 08, 2015 12:09 pm

Re: High ARP Incoming

Thu Apr 07, 2016 8:10 pm

What is connected there?
 
sash7
Frequent Visitor
Posts: 69
Joined: Sun Mar 20, 2016 10:39 pm

Thu Apr 07, 2016 8:29 pm

It's normal, you probably have Windows machines on this interface trying to "took" each other)

Sent from my LG-H502 using Tapatalk
 
cutedrummerboy
Member Candidate
Topic Author
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: High ARP Incoming

Thu Apr 07, 2016 9:16 pm

That interface is connected to a city-wide LAN of my ISP and has a /24.
 
pe1chl
Forum Guru
Posts: 6678
Joined: Mon Jun 08, 2015 12:09 pm

Re: High ARP Incoming

Thu Apr 07, 2016 10:23 pm

Then what can you do? When an ISP deploys that kind of thing you will have to live with the effects.
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: High ARP Incoming

Thu Apr 07, 2016 10:50 pm

Are you using proxy-arp?
Simplicity is the Ultimate Sophistication - Da Vinci
Getting the most out of this forum
 
chechito
Forum Guru
Posts: 1772
Joined: Sun Aug 24, 2014 3:14 am
Location: Bogota Colombia

Re: High ARP Incoming

Fri Apr 08, 2016 4:37 am

> That interface is connected to a city-wide LAN of my ISP and has a /24.

I have seen /22 subnets without this behavior; something has to be wrong.
 
pukkita
Trainer
Posts: 3037
Joined: Wed Dec 04, 2013 11:09 am
Location: Spain

Re: High ARP Incoming

Fri Apr 08, 2016 11:22 am

chechito, you'll be surprised to see more than one (and two) ISP setups; obviously they're not L2-isolating customers' downlinks.

Cutedrummerboy: I'd try speaking directly to the ISP. If they're limiting you at the router you're losing bandwidth.

Can you describe in detail your setup? (equipment, wiring)
 
pe1chl
Forum Guru
Posts: 6678
Joined: Mon Jun 08, 2015 12:09 pm

Re: High ARP Incoming

Fri Apr 08, 2016 11:35 am

> I have seen /22 subnets without this behavior; something has to be wrong.

The problem could be that the provider offers proxy-arp on their router, and the customers do not bother to set
the default gateway in their router but rely on that proxy-arp. In that case, they will probably run into performance
or memory problems, but maybe they do not notice. You are the victim because you see all that ARP traffic too.

However, even without proxy arp this is not a good setup. When some other user is not online and gets a
serious amount of incoming traffic, there will be constant arping for his address (especially with a bad router
that does not have some form of arp rate limiting).
It may be that someone is a victim of a DDOS attack and has decided to shut down his router to sit it out,
and then you are confronted with the arp traffic that results from it.

Again, when an ISP makes deployments like this there is little you can do.
(other than pointing them to the weaknesses of their "simple and elegant" solution to metro networking)

The first thing to do is make a trace using the packet sniffer and find the details of the ARP traffic. Who is
(claiming to be) sending it, what address are they arping for? Is that inside or outside the subnet?
This info will bring you towards the cause of the problem and maybe a solution.
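
The analysis described in the post above (who is sending the ARP requests, which address they ask for, and whether it lies inside the subnet), as an added example that is not part of the original thread. It assumes the sniffer trace was saved as a classic pcap file; the function names, the 192.0.2.0/24 subnet and the sample frames are constructed for illustration.

```python
import struct
from collections import Counter
from ipaddress import ip_address, ip_network

def arp_requests(pcap: bytes):
    """Yield (sender_mac, sender_ip, target_ip) for every ARP request in a classic pcap."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("need a classic pcap file with Ethernet link type")
    pos = 24                                    # first record follows the 24-byte file header
    while pos + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[pos + 8:pos + 12])[0]
        frame = pcap[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        off = 12                                # EtherType sits after dst and src MAC
        if frame[off:off + 2] == b"\x81\x00":   # skip a single 802.1Q VLAN tag
            off += 4
        if frame[off:off + 2] != b"\x08\x06" or len(frame) < off + 30:
            continue                            # not ARP, or truncated
        arp = frame[off + 2:off + 30]
        if struct.unpack("!HHBBH", arp[:8]) != (1, 0x0800, 6, 4, 1):
            continue                            # keep only Ethernet/IPv4 requests (oper 1)
        yield arp[8:14].hex(":"), str(ip_address(arp[14:18])), str(ip_address(arp[24:28]))

def summarize(pcap: bytes, subnet: str):
    """Count requests per sender and per target; list targets outside the subnet."""
    net = ip_network(subnet)
    senders, targets, outside = Counter(), Counter(), Counter()
    for mac, spa, tpa in arp_requests(pcap):
        senders[(mac, spa)] += 1
        targets[tpa] += 1
        if ip_address(tpa) not in net:
            outside[tpa] += 1
    return senders, targets, outside

def sample_pcap() -> bytes:
    """Constructed capture: a gateway arping twice for one host, one host arping off-subnet."""
    def rec(mac, spa, tpa):
        arp = (struct.pack("!HHBBH", 1, 0x0800, 6, 4, 1) + mac + ip_address(spa).packed
               + b"\x00" * 6 + ip_address(tpa).packed)
        frame = b"\xff" * 6 + mac + b"\x08\x06" + arp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    gw, host = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    return hdr + rec(gw, "192.0.2.1", "192.0.2.77") * 2 + rec(host, "192.0.2.50", "198.51.100.9")

if __name__ == "__main__":
    senders, targets, outside = summarize(sample_pcap(), "192.0.2.0/24")
    print(senders.most_common(5), targets.most_common(5), dict(outside))
```

A sender that dominates the count while asking for many different in-subnet targets matches the gateway-arping case from the post; targets outside the subnet match the case of hosts relying on proxy-arp instead of a default route.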
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: High ARP Incoming

Fri Apr 08, 2016 3:35 pm

So ether2 is your inbound traffic from your ISP to your router? But why not use your ether1 interface?
I'm curious too what packet that is. Based on my experience, it's very difficult to trace who is sending it and what address they are arping for.
 
pe1chl
Forum Guru
Posts: 6678
Joined: Mon Jun 08, 2015 12:09 pm

Re: High ARP Incoming

Fri Apr 08, 2016 4:26 pm

> So ether2 is your inbound traffic from your ISP to your router? But why not use your ether1 interface?
> I'm curious too what packet that is. Based on my experience, it's very difficult to trace who is sending it and what address they are arping for.

No, that is not difficult at all! Just trace to a file and examine it in Wireshark.
The problem is when it is from outside (i.e. triggered by outside traffic coming in through the router).
 
cutedrummerboy
Member Candidate
Topic Author
Posts: 137
Joined: Thu Nov 14, 2013 6:32 pm

Re: High ARP Incoming

Fri Apr 08, 2016 5:55 pm

Well, my ISP uses a router called flash router made by http://ipacct.com/en/home/. They give me one IP address and I configured NAT on ether2,
and they run PAT on their router. Before that flood my ARP configuration was just enabled; after that I made the gateway static in ip/arp and set the interface arp to reply-only.
 
pe1chl
Forum Guru
Posts: 6678
Joined: Mon Jun 08, 2015 12:09 pm

Re: High ARP Incoming

Fri Apr 08, 2016 6:22 pm

> Well, my ISP uses a router called flash router made by http://ipacct.com/en/home/. They give me one IP address and I configured NAT on ether2,
> and they run PAT on their router. Before that flood my ARP configuration was just enabled; after that I made the gateway static in ip/arp and set the interface arp to reply-only.

I hope you have a default route configured to point to their gateway and others do that as well.
When people configure their_ip/0 on the interface and no route, and they answer proxy-arp, then things
will work but there will be extreme ARP traffic and their router's ARP table will be large.

To find out what is exactly happening you need to trace (packet sniffer) and analyze the situation.
