pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

RouterOS "ARP syndrome" or "ARP leak"

Wed Jan 03, 2007 9:01 pm

Hello.

It is long, but necessary.

Test settings:
--------------

RouterBoard 153 version 2.9.34

ARP: ENABLED - on all interfaces
NOTE: ARP_PROXY IS NOT ACTIVATED ON ANY INTERFACE

ether1 00-0c-42-0d-1d-6a
ether2 00-0c-42-0d-1d-6b
ether3 00-0c-42-0d-1d-6c
ether4 00-0c-42-0d-1d-6d
ether5 00-0c-42-0d-1d-6e

ether1 192.168.101.12/24
ether2 192.168.102.12/24
ether3 192.168.103.12/24
ether4 192.168.104.12/24
ether5 192.168.105.12/24

Windows adapter list:
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-00-00-B0-0D-EE
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.105.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.104.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.103.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.102.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0


Test results:
-------------
The ARP table is always discarded before each test (arp -d).

Connected to physical ether1
Arp list after
ping 192.168.102.12 ping 192.168.103.12 ping 192.168.104.12 ping 192.168.105.12

Internet Address Physical Address Type
192.168.102.12 00-0c-42-0d-1d-6a dynamic - bad record
192.168.103.12 00-0c-42-0d-1d-6a dynamic - bad record
192.168.104.12 00-0c-42-0d-1d-6a dynamic - bad record
192.168.105.12 00-0c-42-0d-1d-6a dynamic - bad record

NO RECORD SHOULD BE HERE

Connected to physical ether2
Arp list after
ping 192.168.102.12 ping 192.168.103.12 ping 192.168.104.12 ping 192.168.105.12

Internet Address Physical Address Type
192.168.102.12 00-0c-42-0d-1d-6b dynamic - only correct record
192.168.103.12 00-0c-42-0d-1d-6b dynamic - bad record
192.168.104.12 00-0c-42-0d-1d-6b dynamic - bad record
192.168.105.12 00-0c-42-0d-1d-6b dynamic - bad record

Connected to physical ether3
Arp list after
ping 192.168.102.12 ping 192.168.103.12 ping 192.168.104.12 ping 192.168.105.12

Internet Address Physical Address Type
192.168.102.12 00-0c-42-0d-1d-6c dynamic - bad record
192.168.103.12 00-0c-42-0d-1d-6c dynamic - only correct record
192.168.104.12 00-0c-42-0d-1d-6c dynamic - bad record
192.168.105.12 00-0c-42-0d-1d-6c dynamic - bad record

Connected to physical ether4
Arp list after
ping 192.168.102.12 ping 192.168.103.12 ping 192.168.104.12 ping 192.168.105.12

Internet Address Physical Address Type
192.168.102.12 00-0c-42-0d-1d-6d dynamic - bad record
192.168.103.12 00-0c-42-0d-1d-6d dynamic - bad record
192.168.104.12 00-0c-42-0d-1d-6d dynamic - only correct record
192.168.105.12 00-0c-42-0d-1d-6d dynamic - bad record

Connected to physical ether5
Arp list after
ping 192.168.102.12 ping 192.168.103.12 ping 192.168.104.12 ping 192.168.105.12

Internet Address Physical Address Type
192.168.102.12 00-0c-42-0d-1d-6e dynamic - bad record
192.168.103.12 00-0c-42-0d-1d-6e dynamic - bad record
192.168.104.12 00-0c-42-0d-1d-6e dynamic - bad record
192.168.105.12 00-0c-42-0d-1d-6e dynamic - only correct record


Test conclusion:
----------------
MikroTik's ARP is not working properly.
Only the IP assigned to the ether interface should answer.
I tried other RouterBoards and all have a broken ARP subsystem.
RouterOS PC version 2.9.38 does not work correctly either.


I understand it is Linux, but there are some problems:
1) I am a Windows programmer and not much into Linux.
2) I do not see any interesting configuration files in the terminal or via FTP.
3) I did not even find out what Linux version it is.


Questions:
----------
1) Does anybody know how to repair MikroTik with configuration or any other way?

2) Does anybody know if it is a global Linux problem or MikroTik's fault?

3) If it is a Linux problem, can MikroTik be patched in some way?

4) Maybe it is a well known problem, but then why does nobody know about it?


Thank You.
 
changeip
Forum Guru
Posts: 3804
Joined: Fri May 28, 2004 5:22 pm

Wed Jan 03, 2007 10:16 pm

The MAC shown in the arp -a table is the MAC that answered for that IP, not necessarily the MAC/IP pair further down. If you are using any NAT or anything else that would reply, it will show those alternate subnets with the main physical MAC. Is something not working because of this, or are you just noticing this and it's not a problem?

I believe Windows would do the same thing if you had a Windows server on 5 subnets but only using a single interface and had routing enabled.

Sam
 
pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

Thu Jan 04, 2007 11:06 am

changeip:
Thank you for the reply, but you do not understand the problem.

I know how "arp -a" works.
It is not about 5 subnets on my Windows computer with 1 interface.
It is about 5 interfaces on the RouterBoard 153.

If I am connected to one interface, only this interface should answer ARP requests, and only with the IP (one or many) defined on this interface.
In my test there is only one IP on each of the 5 MikroTik interfaces.

I do not use NAT or anything else now.
This MikroTik was given to me for testing due to bad ARP behaviour.
I just found out it really is not working right.

Pavel
 
normis
MikroTik Support
Posts: 24417
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Thu Jan 04, 2007 12:07 pm

In Linux and RouterOS the address belongs to the router, not to the interface. The router will answer regarding all its addresses. The interface entity is only used to create the default route, and that is its only use.
 
bjohns
Member Candidate
Posts: 272
Joined: Sat May 29, 2004 4:11 am
Location: Sippy Downs, Australia
Contact:

Thu Jan 04, 2007 1:06 pm

> In Linux and RouterOS the address belongs to the router, not to the interface. The router will answer regarding all its addresses. The interface entity is only used to create the default route, and that is its only use.
I believe this to be the case with most, if not all real routers.
 
grzesjan
Member Candidate
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Thu Jan 04, 2007 3:38 pm

> In Linux and RouterOS the address belongs to the router, not to the interface. The router will answer regarding all its addresses. The interface entity is only used to create the default route, and that is its only use.
In Linux it is configurable under /proc/sys/net.

Gregor
 
pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

Thu Jan 04, 2007 3:54 pm

> In Linux and RouterOS the address belongs to the router, not to the interface. The router will answer regarding all its addresses. The interface entity is only used to create the default route, and that is its only use.
> In Linux it is configurable under /proc/sys/net.
>
> Gregor
Good news, but do you know if it is possible to edit it in RouterOS?

I found something here: http://linux-ip.net/html/ether-arp.html
ARP flux describes another problem, where another interface replies instead.
There is something like arp_filter, but I have no idea how to set it in RouterOS or whether it is possible in its Linux kernel.

Pavel
 
grzesjan
Member Candidate
Posts: 144
Joined: Fri Feb 24, 2006 7:43 pm
Location: Poland

Thu Jan 04, 2007 5:57 pm

> In Linux it is configurable under /proc/sys/net.
> Good news, but do you know if it is possible to edit it in RouterOS?
It is not possible. I have answered Normis.

Gregor
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Re: RouterOS "ARP syndrome" or "ARP leak"

Thu Jan 04, 2007 7:07 pm

pavlik386,

your test setup itself is based on an invalid network configuration.

With these parameters
ether1 192.168.101.12/24
ether2 192.168.102.12/24
ether3 192.168.103.12/24
ether4 192.168.104.12/24
ether5 192.168.105.12/24

Windows adapter list:
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-00-00-B0-0D-EE
Dhcp Enabled. . . . . . . . . . . : No
IP Address. . . . . . . . . . . . : 192.168.105.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.104.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.103.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
IP Address. . . . . . . . . . . . : 192.168.102.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
and then connecting the Windows machine to one of the ports ether1..ether5, you are creating a network setup that can never work correctly. The problem is that you are aliasing multiple IP addresses on the Windows machine's network adapter and that these IP addresses belong to various different hardware interfaces (ether1..ether5) on the router. Let's assume you connected the Windows machine to ether2 on the router.
Now there also are addresses 192.168.103.12, 192.168.104.12 and 192.168.105.12 connected to ether2, but the router cannot handle this correctly because it expects these addresses to be directly connected to other interfaces (ether3..ether5). Clients that are physically connected to ether2 cannot have an address that falls into a network that is associated with an interface other than ether2 on the router (unless that other interface is bridged to ether2, and even then the router's IP address would be installed on the bridge interface instead).

All of this is not MikroTik specific but just the rules of correct IP networking.

--Tom
 
pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

Re: RouterOS "ARP syndrome" or "ARP leak"

Thu Jan 04, 2007 9:47 pm

I have to clarify something.
> pavlik386,
> your test setup itself is based on an invalid network configuration.
I know it is invalid; it is for test purposes.
> and then connecting the Windows machine to one of the ports ether1..ether5, you are creating a network setup that can never work correctly.
Yes, I know!
I am solving ARP replies messing up MAC tables.
> Let's assume you connected the Windows machine to ether2 on the router.
> Now there also are addresses 192.168.103.12, 192.168.104.12 and 192.168.105.12 connected to ether2, but the router cannot handle this correctly because it expects these addresses to be directly connected to other interfaces (ether3..ether5).
You are right.
.. and it should not send a single packet with these IP addresses on ether2 (ARP too).
> Clients that are physically connected to ether2 cannot have an address that falls into a network that is associated with an interface other than ether2 on the router (unless that other interface is bridged to ether2, and even then the router's IP address would be installed on the bridge interface instead).
In my case these are not clients but aliens, and I do not want to send any packet (ARP too) to them on ether2.
> All of this is not MikroTik specific but just the rules of correct IP networking.
Yes, but we are not living in a perfect world and not the whole network is in our hands.

And the problem still remains.
I asked many people and everyone said it should not happen from MikroTik.

grzesjan wrote that it is possible to solve it on Linux.
So it must be possible on RouterOS too.

Funny thing:
When you set ARP on ether2 to "reply-only", it works correctly.
In this case ARP for the IP on ether2 works and ARPs for other IPs are ignored.
That is how it should work.

The problem is I have to make a complete static ARP table for ether2, and it is not a very good solution.
 
tneumann
Member
Posts: 394
Joined: Sat Apr 16, 2005 6:38 pm
Location: Germany

Thu Jan 04, 2007 10:16 pm

What IP address did you set as default gateway on the Windows PC when you did your ping tests?

--Tom
 
pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

Fri Jan 05, 2007 10:48 am

> What IP address did you set as default gateway on the Windows PC when you did your ping tests?
No default gateway set.
The gateway is not the problem.

If it is defined it is not used anyway, because all needed subnets are defined on the Windows interface.
In this case there is no need to use a gateway.
The ARP request is sent for the IP in the ping, not the gateway IP.

Pavel
 
pavlik386
just joined
Topic Author
Posts: 6
Joined: Wed Jan 03, 2007 8:50 pm
Location: Czech Republic

Sun Jan 07, 2007 1:38 pm

I'd like to end this.

In Linux it is about these:
arp_filter
arp_ignore
arp_announce

Now, RouterOS authors should implement control over these variables.
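As an added illustration (not code from the thread, from Linux or from RouterOS), the following Python replays the poster's RouterBoard 153 test against a simplified model of the Linux ARP reply decision, covering arp_ignore values 0, 1 and 2 and arp_filter; arp_announce, proxy ARP and the remaining arp_ignore values are not modelled. The interface addresses are the thread's; the routing is assumed to be a plain connected-subnet lookup with no default route, and the Windows PC is assumed to source each ARP request from its own alias in the target's subnet.

```python
import ipaddress

# Constructed replica of the thread's RouterBoard 153 setup: one /24 per port, no default route.
ROUTER_IFACES = {
    "ether1": ipaddress.ip_interface("192.168.101.12/24"),
    "ether2": ipaddress.ip_interface("192.168.102.12/24"),
    "ether3": ipaddress.ip_interface("192.168.103.12/24"),
    "ether4": ipaddress.ip_interface("192.168.104.12/24"),
    "ether5": ipaddress.ip_interface("192.168.105.12/24"),
}

def route_lookup(ifaces, ip):
    """Interface whose connected subnet contains ip, or None (no default route configured)."""
    addr = ipaddress.ip_address(ip)
    for name, iface in ifaces.items():
        if addr in iface.network:
            return name
    return None

def replies(ifaces, ingress, sender_ip, target_ip, arp_ignore=0, arp_filter=0):
    """Simplified model of the Linux decision to answer an ARP request seen on `ingress`.

    arp_ignore 0: answer for any address owned by the host (the default, and what the
                  thread observed: every port answers for every router address);
    arp_ignore 1: answer only if target_ip is configured on the ingress interface;
    arp_ignore 2: as 1, and sender_ip must also lie in that interface's subnet;
    arp_filter 1: answer only if a route lookup for sender_ip leaves via ingress.
    """
    owner = {str(i.ip): name for name, i in ifaces.items()}
    if target_ip not in owner:
        return False  # not a local address: nothing to say
    if arp_ignore >= 1 and owner[target_ip] != ingress:
        return False
    if arp_ignore >= 2 and ipaddress.ip_address(sender_ip) not in ifaces[ingress].network:
        return False
    if arp_filter and route_lookup(ifaces, sender_ip) != ingress:
        return False
    return True

def windows_arp_table(ifaces, ingress, **knobs):
    """Replay the poster's test: the PC on `ingress` pings the .12 of nets 102..105, and
    Windows sources each ARP request from its own alias (.10) in that subnet.
    Returns {target_ip: interface whose MAC ends up in the PC's arp -a output}."""
    table = {}
    for net in (102, 103, 104, 105):
        target, sender = f"192.168.{net}.12", f"192.168.{net}.10"
        if replies(ifaces, ingress, sender, target, **knobs):
            table[target] = ingress  # the reply carries the answering port's MAC
    return table
```

With the defaults the model reproduces the four "bad record" entries per port from the test tables; with arp_ignore=1 (or arp_filter=1) only the address of the port the PC is plugged into is answered, which is the behaviour the poster was asking for.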
