lapsio (Long time Member, Topic Author)
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

RouterOS pings devices - why?

Sun Dec 09, 2018 4:45 am

I just noticed in the firewall logs that the mikrotik tries to ping random devices on the public wifi network. I can't say what exactly the correlation is between the public wifi network and the other networks. The only thing I can think of is that it's the only network that has an actively used DHCP server (on that mikrotik), while all other networks use static IP addresses (or have a DHCP server but devices mostly use static IPs anyway).

It makes me a bit concerned whether it's been compromised... is it normal for ROS to sometimes just ping devices for no particular reason? I don't have any scripts that could cause such behavior. http and ssh are only open to the management network (on the firewall level). Winbox is disabled. Source addresses are checked against interfaces on the firewall (so it really is only open to the management network, there's no way to spoof the IP). It's a CCR1009 on ROS 6.43.2 (current branch).
 
sebastia (Forum Guru)
Posts: 1782
Joined: Tue Oct 12, 2010 3:23 am
Location: Antwerp, BE

Re: RouterOS pings devices - why?

Sun Dec 09, 2018 1:28 pm

Maybe it's part of route verification (check gateway)?
Are you sure it's ping? Some interfaces may have xSTP enabled, which will send packets at an interval.
 
lapsio (Long time Member, Topic Author)
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: RouterOS pings devices - why?

Sun Dec 09, 2018 2:01 pm

sebastia wrote:
    Maybe it's part of route verification (check gateway)?
    Are you sure it's ping? Some interfaces may have xSTP enabled, which will send packets at an interval.

It's ICMP 8:0, according to the firewall on the mikrotik AP. I think it's maybe verification of whether an IP is free before assigning it via DHCP. I heard some DHCP servers do that to avoid colliding with hosts using static IPs inside the DHCP range. Though I'm not sure if Mtk does that...

I don't use any bridge STP protocols (explicitly disabled) and the AP is directly connected to the CCR (no switches in between).
 
vecernik87 (Forum Veteran)
Posts: 882
Joined: Fri Nov 10, 2017 8:19 am

Re: RouterOS pings devices - why?  [SOLVED]

Mon Dec 10, 2018 12:38 am

Quoting https://tools.ietf.org/html/rfc2131 (DHCP specs):

RFC 2131, section 2.2
    As a consistency check, the allocating server SHOULD probe the reused address before allocating the address, e.g., with an ICMP echo request, and the client SHOULD probe the newly received address, e.g., with ARP.

RFC 2131, section 3.1.2
    When allocating a new address, servers SHOULD check that the offered network address is not already in use; e.g., the server may probe the offered address with an ICMP Echo Request. Servers SHOULD be implemented so that network administrators MAY choose to disable probes of newly allocated addresses.

This does NOT prove that your observation is caused by DHCP; however, it is very likely to be the case. Those pings should not be completely random - based on the DHCP logs, you should be able to see a pattern. If the pings don't correspond with (re)assigning IP addresses at all, it might suggest that there is another culprit.
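The pattern check suggested above can be scripted: pull the RouterOS log, pair each logged ICMP echo request with a DHCP lease assignment of the same address a few seconds later, and list the probes that have no such partner. The example below is added here and is not code from the thread or from MikroTik; the log lines are constructed to loosely resemble RouterOS "firewall" and "dhcp" topic output, with an assumed firewall rule prefix "log-probe" and an assumed DHCP server name "public-dhcp".

```python
import re
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on RouterOS "firewall" and "dhcp"
# topic lines; these are not lines from the original thread. The firewall
# log prefix "log-probe" and the server name "public-dhcp" are assumptions.
SAMPLE_LOG = """\
dec/10 06:01:01 firewall,info log-probe forward: in:ether1 out:wlan1, proto ICMP (type 8, code 0), 10.20.0.1->10.20.0.57, len 84
dec/10 06:01:02 dhcp,info public-dhcp assigned 10.20.0.57 to 0A:1B:2C:3D:4E:5F
dec/10 06:14:30 firewall,info log-probe forward: in:ether1 out:wlan1, proto ICMP (type 8, code 0), 10.20.0.1->10.20.0.91, len 84
dec/10 06:14:31 dhcp,info public-dhcp assigned 10.20.0.91 to 6A:7B:8C:9D:AE:BF
dec/10 07:02:10 firewall,info log-probe forward: in:ether1 out:wlan1, proto ICMP (type 8, code 0), 10.20.0.1->10.20.0.200, len 84
"""

# "dec/10 06:01:01 firewall,info <message>"
TS_RE = re.compile(r"^(?P<ts>\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (?P<topics>[\w,]+) (?P<msg>.*)$")
# ICMP type 8 code 0 is echo request; capture source and destination
ECHO_RE = re.compile(r"proto ICMP \(type 8, code 0\), (?P<src>[\d.]+)->(?P<dst>[\d.]+)")
# DHCP server lease assignment line
LEASE_RE = re.compile(r"assigned (?P<addr>[\d.]+) to (?P<mac>[0-9A-Fa-f:]+)")


def parse_ts(text):
    # The log carries no year; any fixed year works for same-day deltas.
    return datetime.strptime(text, "%b/%d %H:%M:%S")


def parse_log(log_text):
    """Split the log into echo-request probes and DHCP lease assignments."""
    probes, leases = [], []
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue
        ts = parse_ts(m.group("ts"))
        topics = m.group("topics").split(",")
        if "firewall" in topics and (e := ECHO_RE.search(m.group("msg"))):
            probes.append((ts, e.group("src"), e.group("dst")))
        elif "dhcp" in topics and (l := LEASE_RE.search(m.group("msg"))):
            leases.append((ts, l.group("addr"), l.group("mac")))
    return probes, leases


def correlate(log_text, window_seconds=10):
    """For each probe, look for a lease of the same address within the window.

    Returns (destination, explained_by_lease) tuples in log order.
    """
    probes, leases = parse_log(log_text)
    window = timedelta(seconds=window_seconds)
    result = []
    for ts, _src, dst in probes:
        explained = any(addr == dst and abs(lease_ts - ts) <= window
                        for lease_ts, addr, _mac in leases)
        result.append((dst, explained))
    return result


def unexplained_probes(log_text, window_seconds=10):
    """Addresses that were probed but never handed out: worth a closer look."""
    return [dst for dst, ok in correlate(log_text, window_seconds) if not ok]


if __name__ == "__main__":
    for dst, ok in correlate(SAMPLE_LOG):
        print(f"{dst:<12} {'DHCP probe' if ok else 'no matching lease - investigate'}")
```

On the sample, the first two probes are immediately followed by a lease for the same address and are consistent with the RFC 2131 probe; the third has no lease partner and is the kind of entry that would point at another source of traffic.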
 
M3Tech (just joined)
Posts: 15
Joined: Sat Oct 24, 2015 2:00 am

Re: RouterOS pings devices - why?

Mon Dec 10, 2018 6:01 am

Also - check if Dude is enabled on the offending device, or even whether a discreet Dude server is configured to send probes from this device. Ping is a common probe.
 
lapsio (Long time Member, Topic Author)
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: RouterOS pings devices - why?

Mon Dec 10, 2018 6:22 am

M3Tech wrote:
    Also - check if Dude is enabled on the offending device, or even whether a discreet Dude server is configured to send probes from this device. Ping is a common probe.

Nope, DUDE is not enabled. And no such thing occurs on any of the other networks, including ones that have DHCP enabled but unused. I think it's just probing for reused addresses.
 
lapsio (Long time Member, Topic Author)
Posts: 514
Joined: Wed Feb 24, 2016 5:19 pm

Re: RouterOS pings devices - why?

Mon Dec 10, 2018 6:26 am

vecernik87 wrote:
    Quoting https://tools.ietf.org/html/rfc2131 (DHCP specs):

    RFC 2131, section 2.2
        As a consistency check, the allocating server SHOULD probe the reused address before allocating the address, e.g., with an ICMP echo request, and the client SHOULD probe the newly received address, e.g., with ARP.

    RFC 2131, section 3.1.2
        When allocating a new address, servers SHOULD check that the offered network address is not already in use; e.g., the server may probe the offered address with an ICMP Echo Request. Servers SHOULD be implemented so that network administrators MAY choose to disable probes of newly allocated addresses.

    This does NOT prove that your observation is caused by DHCP; however, it is very likely to be the case. Those pings should not be completely random - based on the DHCP logs, you should be able to see a pattern. If the pings don't correspond with (re)assigning IP addresses at all, it might suggest that there is another culprit.

Now it makes me wonder a bit... Because I've been blocking those pings for like a few months now, so... What were the implications of such behavior xD. I mean nobody really said that there's something wrong, but on the other hand people rarely complain about public wifi...
 
mkx (Forum Guru)
Posts: 11593
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS pings devices - why?

Mon Dec 10, 2018 8:17 pm

lapsio wrote:
    Now it makes me wonder a bit... Because I've been blocking those pings for like a few months now, so... What were the implications of such behavior xD. I mean nobody really said that there's something wrong, but on the other hand people rarely complain about public wifi...

If nobody used your WiFi network with statically configured IP addresses, then the chances of an IP address collision were slim at any rate. Luckily lusers don't tend to do that on wifi (even on ethernet people have mostly ceased doing it).

Blocking ICMP echo requests caused any IP address to seem unoccupied to the DHCP server, as it never got any reply to its queries.
In theory this pitfall could be closed by the clients (verification on their side), but this depends on the configuration of the APs: do they allow client-to-client communication?
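The two safeguards from RFC 2131 that this reply discusses, the server's ICMP echo probe (section 3.1.2) and the client's ARP probe (section 2.2), and the two ways they can be silently defeated (a firewall dropping the echo requests; an AP with client isolation swallowing the ARP) can be shown in a small model. The simulation below is an added example written for this thread, not RouterOS code or MikroTik's DHCP implementation; the pool, the static host and the MAC address are constructed, and the allocator is a deliberately minimal stand-in that only keeps the probe-before-offer behaviour the RFC describes.

```python
from dataclasses import dataclass, field


@dataclass
class Network:
    """Hosts and policy on the wifi segment (all values constructed for the example)."""
    static_hosts: set                    # hand-configured addresses the DHCP server knows nothing about
    icmp_probes_blocked: bool = False    # a firewall rule drops the server's ICMP echo requests
    client_isolation: bool = False       # the AP forbids client-to-client traffic

    def icmp_echo_answered(self, addr):
        """Server-side probe (RFC 2131 3.1.2): does anyone answer an echo request to addr?"""
        if self.icmp_probes_blocked:
            return False                 # no reply ever comes back, whatever the truth is
        return addr in self.static_hosts

    def arp_probe_answered(self, addr):
        """Client-side probe (RFC 2131 2.2): does anyone answer ARP for addr?"""
        if self.client_isolation:
            return False                 # the AP never forwards the ARP to the other client
        return addr in self.static_hosts


@dataclass
class DhcpServer:
    """Minimal allocator: first free pool address, optionally probed before the offer."""
    pool: list
    probe_before_offer: bool = True
    leases: dict = field(default_factory=dict)   # mac -> address

    def offer(self, net, mac):
        for addr in self.pool:
            if addr in self.leases.values():
                continue                         # already leased by this server
            if self.probe_before_offer and net.icmp_echo_answered(addr):
                continue                         # someone answered: treat as in use
            self.leases[mac] = addr
            return addr
        return None                              # pool exhausted


def simulate(icmp_probes_blocked, client_isolation):
    """One allocation against a pool whose first address is silently taken by a static host."""
    net = Network(static_hosts={"10.20.0.5"},
                  icmp_probes_blocked=icmp_probes_blocked,
                  client_isolation=client_isolation)
    server = DhcpServer(pool=["10.20.0.5", "10.20.0.6"])
    offered = server.offer(net, "0A:1B:2C:3D:4E:5F")   # constructed client MAC
    # The client checks its new address with ARP; a reply means it should DHCPDECLINE.
    declined = net.arp_probe_answered(offered)
    collision = offered in net.static_hosts and not declined
    return {"offered": offered, "declined": declined, "collision": collision}


if __name__ == "__main__":
    for blocked, isolated in [(False, False), (True, False), (True, True)]:
        print(f"echo blocked={blocked!s:<5} client isolation={isolated!s:<5} -> "
              f"{simulate(blocked, isolated)}")
```

With probes allowed the server hears the static host and skips to the next address. With the echo requests blocked it offers the occupied address; the client's own ARP check still catches that on an AP that forwards client-to-client traffic, but with client isolation enabled neither side sees the other and the collision goes through.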
