purba
just joined
Topic Author
Posts: 5
Joined: Fri Oct 16, 2020 3:12 pm

Client isolation and proxy-arp

Fri Oct 16, 2020 4:39 pm

Hello,

I'm trying to implement L2 "client isolation". Clients use the same /24 subnet.
I want to put them into separate VLANs but I don't want to split the /24 into /30s.
In order to do that I'm using static routes and also proxy-arp, as I still want them to be able to communicate through the router's firewall.


I've created 2 vlans

vlan303 with client1 192.168.160.7/24
vlan304 with client2 192.168.160.8/24

and a bridge loopback0 with no interfaces added to it.
I've assigned IP 192.168.160.254 to loopback0.

I've set static routes on router
For 192.168.160.7 gateway=vlan303 and preferred_address=192.168.160.254
For 192.168.160.8 gateway=vlan304 and preferred_address=192.168.160.254


So far so good, testing.
Ping from the router to client1 works.
I've also allowed forwarding ICMP between VLANs, so client2 sends pings to client1 and this also works.

But then after a longer test it appears that pings from the router to client1 and from client2 to client1 both stop randomly.
And that can be as much as 50-60% of pings.

When everything is OK, the ARP table on the router shows the IP and MAC of client1 in DC (dynamic, complete) state.
When ping is not OK, the IP and MAC of client1 have only D in the ARP table, which means some "incomplete" state.

During that period, tcpdumping on client1 shows that ARP requests are sent not from the preferred_address (192.168.160.254), but from the first address listed in IP->Addresses on the router.
And then at some random time the router suddenly sends an ARP request from 192.168.160.254, client1 sends back a reply and everything is back to OK again.


Any idea in which direction to start digging ?
 
tdw
Long time Member
Posts: 511
Joined: Sat May 05, 2018 11:55 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 4:51 pm

Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.

Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.
 
anav
Forum Guru
Posts: 5305
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:09 pm

Why force yourself into an untenable or overly complex scenario? If the clients should not see each other, put them on a different subnet, period.
They can always share devices, or you can set up certain PC to PC connectivity via firewall rules.

What is driving you to this insane design??
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
MTUNA Certified, by the Ascerbic Llama!
 
purba
just joined
Topic Author
Posts: 5
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:27 pm

Using gateway=someinterface is only valid for point-to-point interfaces, and using the same subnet on different interfaces requires special handling.

Port isolation or bridge horizon would be a more usual approach for isolating clients within the same L2 network.

Thank you for reply,

I was looking for an "easier" way than bridging )
As per the manual, proxy-arp should be exactly it in my case.
My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP space is "expensive".
Also, in the setup I described, I only need to set up firewall rules in firewall->filter and they would work both for WAN and "inter-client" communication. In the case with a bridge I'd need to create bridge filtering as well )

But the setup looks a little complicated, I agree with you ))
 
purba
just joined
Topic Author
Posts: 5
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:30 pm

Why force yourself into an untenable or overly complex scenario? If the clients should not see each other, put them on a different subnet, period.
They can always share devices, or you can set up certain PC to PC connectivity via firewall rules.

What is driving you to this insane design??

Thank you for reply,

The main idea is to save real IPv4 space, much better to use 1 IP per client, not 4 in case I split into /30 )
 
tdw
Long time Member
Posts: 511
Joined: Sat May 05, 2018 11:55 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 5:50 pm

I was looking for an "easier" way than bridging )
As per the manual, proxy-arp should be exactly it in my case.
Not really, the examples do not have the same subnet on different interfaces.

My scenario is that I host VMs for clients using both real and private IP space. Making /30 subnets for real IP space is "expensive".
Also, in the setup I described, I only need to set up firewall rules in firewall->filter and they would work both for WAN and "inter-client" communication. In the case with a bridge I'd need to create bridge filtering as well )
You could use /31 subnets for the links, with the usual Mikrotik workaround as it doesn't support them directly, or /32 addresses at each end if the VMs support it so you only use one public IP per client, or route the public IP to the VM (the VMs would have to be configured to use this as the source address for outgoing connections), or use 1:1 NAT.
 
FIPTech
Member
Posts: 489
Joined: Tue Dec 22, 2009 1:53 am

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 7:20 pm

Why not use port isolation in the switch chip settings?

This is hardware filtering, so it does not take CPU time from the router, and it is at L2, so probably more secure than L3 isolation.

Bridge horizon is another solution but is software only, I think.
 
sindy
Forum Guru
Posts: 5918
Joined: Mon Dec 04, 2017 9:19 pm

Re: Client isolation and proxy-arp

Fri Oct 16, 2020 7:25 pm

Why not use Port isolation in the switch chip settings ?
Not every Mikrotik device has a switch chip, and not every switch chip supports rules.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
 
purba
just joined
Topic Author
Posts: 5
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Sun Oct 18, 2020 6:38 pm

Thank you, guys!

Port isolation is not an option, as I don't have physical links but VLANs coming from virtualization hosts.

At the moment, I've tested setting /32 addresses instead of static routes with gateway=someinterface:

/ip address
add address=192.168.160.254 interface=vlan303 network=192.168.160.7
add address=192.168.160.254 interface=vlan304 network=192.168.160.8

with proxy-arp on both vlan303 and vlan304.
So far so good )

VMs still have /24 subnets, I can group multiple client VMs into one vlan for direct communication between them
and I can put them in different groups and use firewall for communication between such groups. )
 
dpsguard
newbie
Posts: 33
Joined: Sun Apr 26, 2020 12:50 am

Re: Client isolation and proxy-arp

Mon Oct 19, 2020 3:40 pm

@purba this is a very interesting solution. Did you mean that the client machines/VMs are in a wider mask, while the VLAN interface IP is /32 and the same for all these VLANs? Plus you set up ARP to be proxy-arp?

In such a case, instead of a single IP per client, if you were to do /29 per client, would you then set network to be something like 192.168.160.0, 192.168.160.8, 192.168.160.16 etc.? And then use these /29-derived IPs, but with a /24 mask on the client machines to allow them to talk to each other, and then to the internet, but no client can talk to another client unless you allowed them through the firewall?

Can you share a bit more of the configuration, if there is anything extra to it? I am trying to achieve something similar for a totally different use case. I need to have Wi-Fi where each apartment unit in a small building can have their own VLAN for isolation, allowing connection among their own devices, but not to any other apartment unit, while everyone shares the same big pool of IP addresses via DHCP.

Thanks
 
purba
just joined
Topic Author
Posts: 5
Joined: Fri Oct 16, 2020 3:12 pm

Re: Client isolation and proxy-arp

Tue Oct 20, 2020 10:44 am

@purba this is a very interesting solution. Did you mean that the client machines/VMs are in a wider mask, while the VLAN interface IP is /32 and the same for all these VLANs? Plus you set up ARP to be proxy-arp?

In such a case, instead of a single IP per client, if you were to do /29 per client, would you then set network to be something like 192.168.160.0, 192.168.160.8, 192.168.160.16 etc.? And then use these /29-derived IPs, but with a /24 mask on the client machines to allow them to talk to each other, and then to the internet, but no client can talk to another client unless you allowed them through the firewall?

Can you share a bit more of the configuration, if there is anything extra to it? I am trying to achieve something similar for a totally different use case. I need to have Wi-Fi where each apartment unit in a small building can have their own VLAN for isolation, allowing connection among their own devices, but not to any other apartment unit, while everyone shares the same big pool of IP addresses via DHCP.

Thanks


Yes, that's it.

In my case I have public /24 subnet. I need to share it between customers VMs with maximum isolation.

On the VM side, IPs are set with /24, like 192.168.160.7/24 in my example.

On the router side I have to set the IP address and network manually for every VLAN.
In case I have multiple client IPs in a VLAN, I do

/ip address add address=192.168.160.254 interface=vlan303 network=192.168.160.7
/ip address add address=192.168.160.254 interface=vlan303 network=192.168.160.16
/ip address add address=192.168.160.254 interface=vlan303 network=192.168.160.116
...
/ip address add address=192.168.160.254 interface=vlan304 network=192.168.160.8

If proxy-arp is off for vlan303 and vlan304,
192.168.160.7, 192.168.160.16 and 192.168.160.116 communicate with each other (they are in one L2 segment, the router is not involved)
but not with 192.168.160.8, which is on another VLAN.

In case I need to allow them communicate, I set proxy-arp=on on both vlans.
Now all communication between hosts on same subnet but different vlans goes through router.
And I control it with firewall.

This is the configuration I'm testing now. It doesn't look to be a "standard" one.
But it works for me and I guess it is going to production soon.

I'm not sure how to solve this with DHCP, as in my case I'm setting every client IP manually with /ip address add address=192.168.160.254 interface=vlan* network=192.168.160.*
The DHCP server has to be set up on some interface; maybe bridging with `Use IP Firewall` is the solution in your case?
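The /32-per-client layout from the two posts above, written out as one complete RouterOS fragment. This is an added example, not purba's export: the trunk port ether2, the VLAN IDs 303/304, the interface list name clients and the firewall rules are assumptions; the addresses are the ones used in the thread. It fills in the two things the posts describe in prose but do not show, the VLAN interfaces with arp=proxy-arp and a forward chain that denies traffic between client VLANs by default, so that inter-client reachability exists only where a rule explicitly allows it.

```routeros
# Added example, not from the original post. Assumed: trunk port ether2,
# VLAN IDs 303/304, interface-list name "clients". Addresses as in the thread.

# Client-facing VLANs. proxy-arp makes the router answer ARP on vlan303 for
# hosts it can reach via another interface (e.g. 192.168.160.8 on vlan304),
# so VMs with a /24 mask see the router's MAC for their neighbours.
/interface vlan
add name=vlan303 interface=ether2 vlan-id=303 arp=proxy-arp comment="client1"
add name=vlan304 interface=ether2 vlan-id=304 arp=proxy-arp comment="client2"

# Group every client-facing VLAN so the firewall can match "client to client"
# without listing each pair of interfaces.
/interface list
add name=clients
/interface list member
add list=clients interface=vlan303
add list=clients interface=vlan304

# Same gateway address on every client VLAN; network= is the single client
# host, so each entry installs a /32 connected route out of that VLAN.
/ip address
add address=192.168.160.254 interface=vlan303 network=192.168.160.7
add address=192.168.160.254 interface=vlan303 network=192.168.160.16
add address=192.168.160.254 interface=vlan304 network=192.168.160.8

# Forward chain: everything between client VLANs is dropped unless a rule
# placed above the final drop allows it. The ICMP allow is an example only.
/ip firewall filter
add chain=forward action=accept connection-state=established,related comment="return traffic of allowed flows"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept protocol=icmp src-address=192.168.160.8 dst-address=192.168.160.7 comment="example: client2 may ping client1"
add chain=forward action=drop in-interface-list=clients out-interface-list=clients comment="default deny between client VLANs"

# Checks after applying:
#   /ip route print where dst-address=192.168.160.7/32
#     expect a connected (DAC) route via vlan303 with pref-src 192.168.160.254
#   /ip arp print where interface=vlan303
#     192.168.160.7 should reach DC (dynamic, complete) and stay there
#   /ip firewall filter print stats
#     the final drop counter grows when one client probes another VLAN
```

The order of the filter rules is the whole point: the drop on clients-to-clients is last, so a forgotten or mistyped allow rule fails closed rather than open. New client VLANs only need adding to the interface list; they inherit the default deny without any per-VLAN rule. Hosts in the same VLAN (192.168.160.7 and 192.168.160.16 above) still talk directly at L2 and never hit this chain.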
 
FIPTech
Member
Posts: 489
Joined: Tue Dec 22, 2009 1:53 am

Re: Client isolation and proxy-arp

Tue Oct 20, 2020 11:54 am

Seems to me that L3 isolation for different clients is not enough. For example there is no MAC isolation, which means that if a MAC address is duplicated there can be problems. ARP attacks could be done too, and there is no possibility to filter L2 broadcast storms.

And this solution needs firewall filtering, which is subject to errors or omissions. If you add IPv6 on top of that, which is becoming mandatory today at least for Internet services, it will be more complicated and subject to even more problems.

For client isolation, staying at level 2, using VLANs, QinQ, VXLANs or EoIP tunnels is mandatory when there are different clients, I think.

Using an L3 solution, a security problem between two clients could become your main problem...
 
dpsguard
newbie
Posts: 33
Joined: Sun Apr 26, 2020 12:50 am

Re: Client isolation and proxy-arp

Tue Oct 20, 2020 6:06 pm

@purba, thanks for explanation of your solution.

As per the wiki link below, the network is normally auto-calculated (basically network is not the subnet I was thinking of, but the network address itself, the starting address of the subnet), but if it is specified, then it is a single address for the other end (to become a point-to-point segment essentially). So you are correct that for each VM / node, you will need to assign a separate far / node end IP.

The link below also states that we can have multiple IP addresses on an interface, but you have the same IP address of 192.168.160.254 on all your VLAN interfaces and that is puzzling. I would have assumed that you are allowed to have multiple secondary addresses on the same VLAN interface or physical interface, but I'm not sure how RouterOS allows the same IP to be used on different VLAN interfaces. Maybe that is the way of isolating the L3 gateway address from the L2 VLAN.

https://wiki.mikrotik.com/wiki/Manual:IP/Address

You may want to do an ARP scan from one VM to see if it sees any IP other than the gateway, to confirm that you will not run into some L2 anomalies. I am hoping you are all good, but just in case.

And yes, my requirements are totally different. I need to have a bridged interface to run a larger DHCP pool shared by all these isolated VLANs, which I am trying to find a solution to.

Thanks and very best
