alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

invalid arp 00-00-00-00-00-00

Sat Feb 20, 2021 9:57 pm

I don't know where to put this question because I am using all kinds of MikroTik devices that might be involved.

I noticed in Dude that my devices (which report through SNMP) had invalid ARPs for different IPs and MAC XEROXCORP:00:00:00. The longer a device had stayed on, the more invalid ARPs.
Xerox is irrelevant because it's just how 00:00:00:00:00:00 is recognized. I checked on the computers themselves and the invalid records are indeed there.

Computers are all Windows 10, connected to three CSS326 and then a RB750Gr3. I also have two cAP ac managed by CAPsMAN on the 750. Dude is on a second RB750Gr3.
They are connected like this SW2, SW3 --> SW1, SW1 --> Router. cAP1, cAP2 --> SW1. Dude --> SW1.

I have Port Isolation configured on the three CSS326, so these computers shouldn't even talk to each other. Each computer is meant to communicate with the router, dude, and one or two other computers.

My questions are: 1. Where do these 00:00:00:00:00:00 come from, and 2. Why do I see records for IPs that shouldn't be talking to each other?

Maybe someone has encountered this before.
  192.168.1.100        00-00-00-00-00-00     invalid
  192.168.1.120        00-00-00-00-00-00     invalid
  192.168.1.121        00-00-00-00-00-00     invalid
  192.168.1.122        00-00-00-00-00-00     invalid
  192.168.1.123        00-00-00-00-00-00     invalid
  192.168.1.126        00-00-00-00-00-00     invalid
  192.168.1.127        00-00-00-00-00-00     invalid
  192.168.1.130        00-00-00-00-00-00     invalid
  192.168.1.132        00-00-00-00-00-00     invalid
  192.168.1.135        00-00-00-00-00-00     invalid
  192.168.1.144        00-00-00-00-00-00     invalid
  192.168.1.145        00-00-00-00-00-00     invalid
  192.168.1.146        00-00-00-00-00-00     invalid
  192.168.1.180        00-00-00-00-00-00     invalid
  192.168.1.181        00-00-00-00-00-00     invalid
  192.168.1.183        00-00-00-00-00-00     invalid
  192.168.1.184        00-00-00-00-00-00     invalid
 
alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

Re: invalid arp 00-00-00-00-00-00

Sat Feb 20, 2021 10:40 pm

This is the configuration on the router:
# feb/20/2021 21:04:59 by RouterOS 6.47.9
# software id = XXXX-XXXX
#
# model = RB750Gr3
# serial number = ########
/interface bridge
add name=gst-brg
add arp=proxy-arp igmp-snooping=yes name=lim-brg
add arp=proxy-arp igmp-snooping=yes name=loc-brg priority=0x1000
add name=pub-brg
add name=wif-brg
/interface ethernet
set [ find default-name=ether3 ] loop-protect=on rx-flow-control=on \
    tx-flow-control=on
/caps-man configuration
add datapath.bridge=gst-brg mode=ap name=guest security.authentication-types=\
    wpa-psk,wpa2-psk ssid=Guests
add datapath.bridge=wif-brg mode=ap name=wifi \
    security.authentication-types=wpa-psk,wpa2-psk ssid=WiFi
/interface list
add name=WAN
add name=LAN
add name=LIM
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=guest-pool ranges=10.10.10.2-10.10.10.254
add name=main-pool ranges=192.168.1.190-192.168.1.240
add name=l2tp-pool ranges=192.168.1.25-192.168.1.45
add name=wifi-pool ranges=11.11.11.2-11.11.11.254
/ip dhcp-server
add address-pool=main-pool disabled=no interface=loc-brg lease-time=3h name=\
    main-dhcp
add address-pool=guest-pool disabled=no interface=gst-brg lease-time=1h name=\
    guest-dhcp
add address-pool=wifi-pool disabled=no interface=wif-brg lease-time=3h name=\
    wifi-dhcp
/ppp profile
add bridge=loc-brg dns-server=8.8.8.8 interface-list=LAN local-address=\
    192.168.1.1 name=l2tp-local remote-address=l2tp-pool use-encryption=\
    yes
add bridge=lim-brg dns-server=8.8.8.8 interface-list=LIM local-address=\
    192.168.1.1 name=l2tp-lim remote-address=l2tp-pool use-encryption=yes
/queue simple
add max-limit=4M/4M name="WiFi Guest" target=gst-brg
add burst-limit=15M/30M burst-threshold=10M/20M burst-time=10s/10s dst=\
    pub-brg max-limit=10M/20M name="WiFi - main" target=wif-brg
add burst-limit=20M/50M burst-threshold=15M/40M burst-time=10s/10s dst=\
    pub-brg max-limit=15M/40M name="LAN - main" target=loc-brg time=\
    8h30m-16h30m,mon,tue,wed,thu,fri,sat
/snmp community
set [ find default=yes ] disabled=yes
add addresses=192.168.1.2/32 authentication-protocol=SHA1 \
    encryption-protocol=AES name=onesnmp security=private
/system logging action
add disk-file-count=1 disk-file-name=disk1/log/vpn name=vpn target=disk
add disk-file-count=1 disk-file-name=disk1/log/login name=login target=disk
add disk-file-count=1 disk-file-name=disk1/log/caps name=caps target=disk
add disk-file-count=1 disk-file-name=disk1/log/error disk-lines-per-file=2000 \
    name=error target=disk
/user group
set read policy="local,telnet,ssh,reboot,read,test,winbox,password,sniff,sensi\
    tive,api,romon,dude,tikapp,!ftp,!write,!policy,!web"
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
add name=user policy="telnet,reboot,read,test,winbox,!local,!ssh,!ftp,!write,!\
    policy,!password,!web,!sniff,!sensitive,!api,!romon,!dude,!tikapp"
add name=dude policy="read,winbox,dude,!local,!telnet,!ssh,!ftp,!reboot,!write\
    ,!policy,!test,!password,!web,!sniff,!sensitive,!api,!romon,!tikapp"
/caps-man manager
set enabled=yes upgrade-policy=suggest-same-version
/caps-man manager interface
set [ find default=yes ] forbid=yes
add disabled=no interface=loc-brg
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=wifi \
    slave-configurations=guest
/interface bridge port
add bridge=loc-brg interface=ether3
add bridge=loc-brg interface=ether4
add bridge=loc-brg interface=ether5
add bridge=pub-brg interface=ether2
add bridge=pub-brg interface=ether1
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface l2tp-server server
set allow-fast-path=yes authentication=mschap2 default-profile=l2tp-local \
    enabled=yes use-ipsec=required
/interface list member
add interface=loc-brg list=LAN
add interface=pub-brg list=WAN
add interface=lim-brg list=LIM
/ip address
add address=192.168.1.1/24 interface=loc-brg network=192.168.1.0
add address=10.10.10.1/24 interface=gst-brg network=10.10.10.0
add address=xx.xx.xx.94/30 interface=pub-brg network=xx.xx.xx.92
add address=xx.xx.xx.88/27 interface=pub-brg network=xx.xx.xx.64
add address=11.11.11.1/24 interface=wif-brg network=11.11.11.0
/ip dhcp-server config
set store-leases-disk=immediately
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=8.8.8.8 gateway=10.10.10.1
add address=11.11.11.0/24 dns-server=8.8.8.8 gateway=11.11.11.1
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1
/ip dns
set servers=8.8.8.8
/ip dns static
add address=192.168.1.1 name=router.lan
/ip firewall address-list
add address=192.168.1.121-192.168.1.122 list=app
add address=192.168.1.241-192.168.1.243 list=shared
add address=216.218.206.0/25 list=novpn
add address=200.109.64.0/25 list=novpn
add address=45.79.176.0/24 list=novpn
add address=46.166.176.0/24 list=novpn
add address=146.88.240.0/24 list=novpn
add address=81.26.200.0/24 list=novpn
add address=170.130.187.0/24 list=novpn
add address=122.228.19.0/24 list=novpn
add address=45.56.109.0/24 list=novpn
/ip firewall filter
add action=accept chain=input connection-state=established,related,untracked
add action=drop chain=input connection-state=invalid
add action=accept chain=input disabled=yes protocol=icmp
add action=accept chain=input dst-port=500,1701,4500 in-interface-list=WAN \
    log=yes log-prefix=vpn protocol=udp src-address-list=!novpn
add action=drop chain=input in-interface-list=!LAN
add action=fasttrack-connection chain=forward connection-state=\
    established,related src-address-list=app
add action=accept chain=forward connection-state=\
    established,related,untracked
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward connection-nat-state=!dstnat connection-state=\
    new in-interface-list=WAN
add action=drop chain=forward dst-address=!192.168.1.2 dst-address-list=\
    !shared in-interface=wif-brg out-interface=loc-brg
add action=drop chain=forward dst-address=!192.168.1.2 dst-address-list=\
    !shared in-interface-list=LIM out-interface-list=LAN
add action=drop chain=forward dst-address=!192.168.1.241 in-interface=\
    gst-brg out-interface=loc-brg
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
add check-gateway=ping distance=1 gateway=xx.xx.xx.65
add distance=2 gateway=xx.xx.xx.93
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/24 port=2200
set api disabled=yes
set winbox address=192.168.1.0/24
set api-ssl disabled=yes
/ip ssh
set strong-crypto=yes
/ppp secret
add name=User profile=l2tp-local service=l2tp
add name=Limited profile=l2tp-lim service=l2tp
/snmp
set enabled=yes trap-community=onesnmp trap-interfaces=ether3 trap-target=\
    192.168.1.2 trap-version=3
/system clock
set time-zone-autodetect=no time-zone-name=Europe/Brussels
/system identity
set name=hEX
/system logging
set 0 topics=info,!caps
set 1 action=error
add action=vpn topics=l2tp,!debug
add action=caps topics=caps
add action=login topics=account
add topics=error
/system ntp client
set enabled=yes primary-ntp=81.94.123.16 secondary-ntp=87.195.109.207
/system package update
set channel=long-term
/system routerboard settings
set auto-upgrade=yes
/system watchdog
set watchdog-timer=no
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=none
/tool mac-server ping
set enabled=no
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: invalid arp 00-00-00-00-00-00

Sat Feb 20, 2021 10:45 pm

My questions are:
1. Where do these 00:00:00:00:00:00 come from, and
2. Why do I see records for IPs that shouldn't be talking to each other?
As for 2., the ARP table is used by RouterOS itself to translate IP addresses of the devices to their MAC addresses when it needs to deliver packets to them, so it is normal that it can see devices that cannot see each other thanks to bridge port isolation.

As for 1., a single device that went mad may respond to ARP queries with a response indicating MAC address 0:0:0:0:0:0. As ARP requests are broadcast, the mad device may respond to all requests no matter what IP address they queried about.

The source MAC address of the Ethernet frame carrying the ARP response may differ from the MAC address in the body of the response.

So I'd configure the sniffer on the RB750 to record ARP traffic into a file, let it run for a couple of hours, and then open the file using Wireshark and use a display filter to show only ARP responses (including gratuitous ARPs) whose body indicates sender MAC address 0:0:0:0:0:0; if you are lucky, the source MAC address of the frame will be the mad device's actual one and it will identify the device. If the source MAC is all 0's as well, you'll have to set up switch rules matching on src-mac-address=0:0:0:0:0:0 on the 326s to see through which port these frames come in, or at least to drop such frames if they don't have counters associated to them (I don't have any CRS3xx to check).
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
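The capture-side check described above, as an added example that is not code from this thread: a pure-Python reader for the file /tool sniffer writes, which flags ARP replies (gratuitous ones included) whose ARP sender MAC is all zeroes and reports the Ethernet source MAC of the frame that carried each one, since that may still be the misbehaving device's real address. The pcap, MAC addresses and IPs below are constructed for the example; ARP replies received through a CSS326 port keep the original source MAC, so this also works on a capture taken on the router.

```python
import struct

ETHERTYPE_ARP = 0x0806
ARP_REPLY = 2
ZERO_MAC = b"\x00" * 6


def parse_pcap(data):
    """Yield raw link-layer frames from a classic (non-pcapng) pcap byte string."""
    endian = "<" if struct.unpack("<I", data[:4])[0] == 0xA1B2C3D4 else ">"
    off = 24  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def suspicious_arp_replies(frames):
    """Return (frame_src_mac, sender_ip, target_ip) for every ARP reply,
    gratuitous ones included, whose ARP sender MAC is 00:00:00:00:00:00.
    The frame source MAC may still be the sending device's real address."""
    hits = []
    for f in frames:
        if len(f) < 42 or struct.unpack("!H", f[12:14])[0] != ETHERTYPE_ARP:
            continue
        hlen, plen, op = struct.unpack("!BBH", f[18:22])
        if (hlen, plen, op) != (6, 4, ARP_REPLY):
            continue  # not an Ethernet/IPv4 ARP reply
        if f[22:28] == ZERO_MAC:  # ARP sender hardware address field
            hits.append((f[6:12].hex(":"), ".".join(map(str, f[28:32])),
                         ".".join(map(str, f[38:42]))))
    return hits


def arp_frame(eth_src, op, sha, spa, tha, tpa):
    """Build a broadcast Ethernet+ARP frame (constructed test input only)."""
    eth = b"\xff" * 6 + eth_src + struct.pack("!H", ETHERTYPE_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + sha + bytes(spa) + tha + bytes(tpa)
    return eth + arp


def make_pcap(frames):
    """Wrap frames in a little-endian pcap container (constructed test input only)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return hdr + b"".join(struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in frames)


PC_MAC = bytes.fromhex("b869f4aabbcc")     # constructed: a normal PC
ROGUE_MAC = bytes.fromhex("001122334455")  # constructed: the misbehaving device
SAMPLE_PCAP = make_pcap([
    arp_frame(PC_MAC, 1, PC_MAC, (192, 168, 1, 120), ZERO_MAC, (192, 168, 1, 1)),    # normal request
    arp_frame(PC_MAC, 2, PC_MAC, (192, 168, 1, 120), PC_MAC, (192, 168, 1, 1)),      # normal reply
    arp_frame(ROGUE_MAC, 2, ZERO_MAC, (192, 168, 1, 121), PC_MAC, (192, 168, 1, 1)),  # bogus reply
])
HITS = suspicious_arp_replies(parse_pcap(SAMPLE_PCAP))  # -> [('00:11:22:33:44:55', '192.168.1.121', '192.168.1.1')]
```

The same selection in Wireshark is the display filter `arp.opcode == 2 && arp.src.hw_mac == 00:00:00:00:00:00`, with the carrying frame's source shown in `eth.src`.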
 
alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

Re: invalid arp 00-00-00-00-00-00

Sat Feb 20, 2021 10:52 pm

Just a remark while I try to digest the new information you gave me: it's CSS, not CRS, so they have SwOS only.

So besides the mad device, are you saying that it's the router that is telling the computers about 00:00:00:00:00:00, i.e. they aren't receiving it directly from the mad device?
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: invalid arp 00-00-00-00-00-00

Sat Feb 20, 2021 11:22 pm

Are you saying that it's the router that is telling the computers about 00:00:00:00:00:00, i.e. they aren't receiving it directly from the mad device?
Maybe I've misunderstood where you can see those weird ARP records - are they on the router or on the PCs? If on the PCs, the responses must be coming from the 750 or the wireless devices connected to the cAPs (or maybe the cAPs themselves) - in short, from anything that is not port-isolated from the PC receiving that response. ARP responses do not bypass port isolation. But is there port isolation between the RB750's ports to which the individual CSS326 are connected? I.e. cannot a frame from a PC connected to one CSS326 make it to a PC connected to another CSS326?

Plus you have the bridges configured on your /ppp profile rows, which suggests you extend them to remote routers connected via L2TP, so there are plenty of paths through which the ARP responses may come...
 
alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

Re: invalid arp 00-00-00-00-00-00

Sun Feb 21, 2021 12:05 am

The invalid entries appear on the PCs. Now that I checked, the ARP lists on both the router (RB750) and Dude (the other RB750) are fine. The cAPs don't have any ARP entry because their traffic is managed by the router. I also have firewall rules to drop traffic coming from the WiFi except a few IPs (like 192.168.1.2, which is the Dude server).
There isn't port isolation between the CSS326s. The first one is connected to the router, and the other two to it. But port isolation on all three makes it so that PCs can reach the router, but not the rest of each other (with few exceptions), notably not the IPs I see in the invalid entries.
I use VPN to connect from my computer at home, but the local bridge does indeed have proxy-arp. Knowing me, it's probably something I have done and not a mad device.
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: invalid arp 00-00-00-00-00-00

Sun Feb 21, 2021 12:23 am

I'm not suggesting the cAP itself sends the nonsense, I suggest it is some wireless device connected to the bridge on the 750 via the cAP.

And unless you'd configure the 0:0:0:0:0:0 as the admin-mac of the bridge (which you haven't according to the config export), I cannot see how you could make the 750 respond with that MAC. I've noticed the proxy-arp, but it is not sufficient alone - the own MAC of the bridge would have to be that all zeroes one, and all the IP addresses from those ARP records would have to be assigned to ppp (l2tp, pptp, ...) clients.
 
alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

Re: invalid arp 00-00-00-00-00-00

Sun Feb 21, 2021 3:03 pm

Sleeping on this, I think the invalid entries come from IPs the computer knows about but can't reach to find the MAC. So the question is what is telling the PC about the others and why it is trying to connect to them. Maybe SNMP trap, or Dude server. Each computer is only connected (because of port isolation) to Router, Dude, Printer, and one PC with a shared folder:


Last edited by alfred998 on Sun Feb 21, 2021 3:54 pm, edited 1 time in total.
 
sindy
Forum Guru
Posts: 6875
Joined: Mon Dec 04, 2017 9:19 pm

Re: invalid arp 00-00-00-00-00-00

Sun Feb 21, 2021 3:51 pm

So you think it is actually a presentation error (the ARP record with no MAC address learned is shown as 0:0:0:0:0:0)?
Could be, you can easily check by pinging a non-existent address within the subnet range from one of the PCs. If it appears on that suspicious list, your assumption is confirmed.
 
alfred998
Frequent Visitor
Topic Author
Posts: 59
Joined: Fri Apr 27, 2018 4:58 pm

Re: invalid arp 00-00-00-00-00-00

Sun Feb 21, 2021 4:00 pm

I noticed yesterday that after an IP scan the table got filled with invalid entries for the whole range. It still doesn't explain why a computer would try to reach others, notably the ones that actually exist.
