purba
just joined
Topic Author
Posts: 4
Joined: Fri Oct 16, 2020 3:12 pm

Client isolation and proxy-arp

Fri Oct 16, 2020 4:39 pm

Hello,

I'm trying to implement L2 "client isolation". Clients use the same /24 subnet.
I want to put them into separate vlans but I don't want to split the /24 into /30s.
In order to do that I'm using static routes and also proxy-arp, as I still want them to be able to communicate through the router's firewall.


I've created 2 vlans

vlan303 with client1 192.168.160.7/24
vlan304 with client2 192.168.160.8/24

and a bridge loopback0 with no interfaces added to it.
I've assigned IP 192.168.160.254 to loopback0.

I've set static routes on router
For 192.168.160.7 gateway=vlan303 and preferred_address=192.168.160.254
For 192.168.160.8 gateway=vlan304 and preferred_address=192.168.160.254


So far so good, testing.
Ping from router to client1 goes ok.
I've also allowed forwarding icmp between vlans, so client2 sends pings to client1 and this also works ok.

But then after a longer test it appears that pings from router to client1 and from client2->client1 both stop randomly.
And that can even be 50-60% of pings.

When everything is ok, the ARP table on the router shows the IP and MAC of client1 with DC (dynamic, complete) state.
When ping is not ok, the IP and MAC of client1 have only D in the ARP table, which means some "incomplete" state.

During that period, tcpdumping on client1 shows that ARP requests are sent not from the preferred_address (192.168.160.254), but from the first address listed in IP->Addresses on the router.
And then at some random time the router suddenly sends an ARP request from 192.168.160.254, client1 sends back a reply and everything is back to OK again.


Any idea in which direction to start digging?
 
tdw
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 4:51 pm

Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.

Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.
 
anav
Forum Guru
Posts: 5299
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada
Contact:

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:09 pm

Why force yourself into an untenable or overly complex scenario. If the clients should not see each other put them on a different subnet period.
They can always share devices or you can set up certain pC to pC connectivity via firewall rules.

What is driving you to this insane design??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
purba
just joined
Topic Author
Posts: 4
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:27 pm

Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.

Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.

Thank you for reply,

I was looking for an "easier" way than bridging )
As from the manual, proxy-arp should be exactly it in my case.
My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP space is "expensive".
Also, in the setup I described, I only need to set up firewall rules in firewall->filter and they would work for both wan and "inter-client" communication. In the case with a bridge I'd need to create bridge filtering as well )

But the setup looks little complicated, I agree with you ))
 
purba
just joined
Topic Author
Posts: 4
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:30 pm

Why force yourself into an untenable or overly complex scenario. If the clients should not see each other put them on a different subnet period.
They can always share devices or you can set up certain pC to pC connectivity via firewall rules.

What is driving you to this insane design??

Thank you for reply,

The main idea is to save real IPv4 space, much better to use 1 IP per client, not 4 in case I split into /30 )
 
tdw
Long time Member
Long time Member
Posts: 510
Joined: Sat May 05, 2018 11:55 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:50 pm

I was looking for an "easier" way than bridging )
As from the manual, proxy-arp should be exactly it in my case.
Not really, the examples do not have the same subnet on different interfaces.

My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP space is "expensive".
Also, in the setup I described, I only need to set up firewall rules in firewall->filter and they would work for both wan and "inter-client" communication. In the case with a bridge I'd need to create bridge filtering as well )
You could use /31 subnets for the links, with the usual Mikrotik workaround as it doesn't support them directly, or /32 addresses at each end if the VMs support it so you only use one public IP per client, or route the public IP to the VM (the VMs would have to be configured to use this as the source address for outgoing connections), or use 1:1 NAT
 
FIPTech
Member
Posts: 487
Joined: Tue Dec 22, 2009 1:53 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 7:20 pm

Why not use Port isolation in the switch chip settings ?

This is hardware filtering, so it does not take CPU time from the router, and is at L2 so probably more secure than L3 isolation.

Bridge horizon is another solution but is software only, I think.
 
sindy
Forum Guru
Posts: 5905
Joined: Mon Dec 04, 2017 9:19 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 7:25 pm

Why not use Port isolation in the switch chip settings ?
Not every Mikrotik device has a switch chip, and not every switch chip supports rules.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
purba
just joined
Topic Author
Posts: 4
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Sun Oct 18, 2020 6:38 pm

Thank you, guys!

Port isolation is not an option, as I don't have physical links but vlans coming from virtualization hosts.

At the moment, I've tested setting /32 instead of static routes with gateway=someinterface

/ip address
add address=192.168.160.254 interface=vlan303 network=192.168.160.7
add address=192.168.160.254 interface=vlan304 network=192.168.160.8

with proxy-arp on both vlan303 and vlan304.
so far so good )

VMs still have /24 subnets, I can group multiple client VMs into one vlan for direct communication between them
and I can put them in different groups and use firewall for communication between such groups. )
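The /32-per-VLAN approach from the post above, written out as a fuller RouterOS configuration. This is an added example, not purba's export: the interface names, the /24 and the two client IPs are taken from the thread, while the parent interface `ether2`, the VLAN IDs, the interface list name and the ICMP exception rules are assumptions.

```routeros
# Added example (not from the thread). Assumed: VLANs ride on ether2 and the
# VLAN IDs match the interface names.
/interface vlan
add name=vlan303 vlan-id=303 interface=ether2 arp=proxy-arp
add name=vlan304 vlan-id=304 interface=ether2 arp=proxy-arp

# Same router address on every client VLAN. With no prefix the address is a
# /32, and network= is the client's own IP, so RouterOS installs a connected
# route 192.168.160.7/32 via vlan303 (and .8/32 via vlan304) only. Because the
# address now sits on the interface, ARP requests on that VLAN are sourced
# from 192.168.160.254 rather than from an unrelated router address.
/ip address
add address=192.168.160.254 interface=vlan303 network=192.168.160.7
add address=192.168.160.254 interface=vlan304 network=192.168.160.8

# The VM keeps 192.168.160.7/24 with gateway 192.168.160.254. proxy-arp makes
# the router answer the VM's ARP requests for every other /24 host, so all
# client-to-client traffic is forced through the forward chain below.

# Assumed interface list used to express "any client VLAN" in the filter.
/interface list
add name=clients
/interface list member
add list=clients interface=vlan303
add list=clients interface=vlan304

/ip firewall filter
add chain=forward connection-state=established,related action=accept
# Explicit inter-client exceptions go first (the ICMP case from the thread).
add chain=forward in-interface=vlan303 out-interface=vlan304 protocol=icmp action=accept comment="client1 <-> client2 icmp"
add chain=forward in-interface=vlan304 out-interface=vlan303 protocol=icmp action=accept comment="client2 <-> client1 icmp"
# Default: no client VLAN may reach another client VLAN; clients -> WAN is
# left to the rest of the ruleset.
add chain=forward in-interface-list=clients out-interface-list=clients action=drop comment="client isolation"
```

Grouping several VMs into one VLAN, as the post describes, needs one address line per VM IP on that VLAN (same address=, different network=) and no filter change, since hosts inside a VLAN still reach each other directly at L2.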
 
dpsguard
newbie
Posts: 32
Joined: Sun Apr 26, 2020 12:50 am

Re: Client isolation and proxy-arp

Mon Oct 19, 2020 3:40 pm

@purba this is a very interesting solution. Did you mean that the client machines/VMs are in a wider mask, while the VLAN interface IP is /32 and the same for all these vlans? Plus you set up ARP to be proxy-arp?

In such a case, instead of a single IP per client, if you were to do a /29 per client, would you then set network to be something like 192.168.160.0, 192.168.160.8, 192.168.160.16 etc.? And then use IPs from these /29 subnets, but with a /24 mask on the client machines to allow them to talk to each other, and then to the internet, but no client can talk to another client unless you allowed them through the firewall?

Can you share a bit more of the configuration, if there is anything extra to it? I am trying to achieve something similar for a totally different use case. I need to have Wi-Fi where each apartment unit in a small building can have its own vlan for isolation, allowing connection among its own devices but not to any other apartment unit, while everyone shares the same big pool of IP addresses via dhcp.

Thanks
