phroekazoid
just joined
Topic Author
Posts: 1
Joined: Thu May 14, 2020 2:34 pm

LAN arp broadcasts leaked outside bridge ports

Thu May 14, 2020 2:58 pm

Hello,

Lost a few good hours investigating an annoying but interesting issue.
Topology: 2 x 941-2nD routers with 6.45.9 firmware and OS (tried upgrading to 6.46.6 with the same results)
R1 - configured as border with 2 uplinks (eth1 and eth4). wlan, lan2 and lan3 in bridge.
R2 - configured as a simple bridge with all ports in bridge (eth and wlan), connected to lan2 of R1.
When a client connects to wlan on R2, with the packet sniffer I see its MAC address on the WAN ports.
Verified with one of the ISPs, and they showed me a screenshot of their device learning my device's MAC (the one that had just connected). Consequently, the ISP border router learns the wrong MAC address instead of the one from the uplink port and forwards packets there. This leads to packets from the ISP being dropped; consequently the entire LAN, including R1, cannot ping the ISP gateway IP. As soon as I clear the ARP entry for the border router MAC, it is re-learned within milliseconds and the connection remains stable until another client connects to wlan on either R1 or R2.

The fun started when I noticed that if I disable wlan on R1 (my edge router), the MAC address is no longer visible on the WAN ports.
After a few good hours of troubleshooting possible causes (bridge settings, clearing the firewall, removing NAT, etc.), I figured out that disabling Broadcast flood on wlan on R1 fixed the issue.

Conclusion: the Broadcast flood option on the wlan interface causes broadcasts to leak onto ports which are outside the bridge to which wlan belongs.
Can the MikroTik team look into the issue? Seems like a bug.
CONFIG:
R1 - https://pastebin.com/Q0MmqTSj,
R2, as mentioned above, is a plain bridge without NAT or firewall. I replaced this one with another D-Link in bridge mode and got the same results.
Screenshot from Packet Sniffer, with my local MAC address leaked on eth4: https://imgur.com/a/wPWWEt1
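A way to confirm the leak from a capture rather than by eye, added here as an example that is not code from the post or from MikroTik: it decodes raw Ethernet/ARP frames tagged with the interface they were sniffed on and flags any ARP whose sender MAC is a known bridge host but which was seen on an uplink port. The port names, MACs and addresses are constructed, modelled on the R1 topology above.

```python
from __future__ import annotations
import struct
from dataclasses import dataclass

# Constructed topology modelled on R1 in the post: two uplinks plus a bridge over
# wlan and the LAN ports. All MAC and IP values below are made up.
UPLINK_PORTS = {"ether1", "ether4"}
LAN_HOSTS = {"aa:bb:cc:00:00:10", "aa:bb:cc:00:00:11"}  # hosts learned behind the bridge

@dataclass
class ArpFrame:
    iface: str       # interface the frame was captured on
    opcode: int      # 1 = request, 2 = reply
    sender_mac: str
    sender_ip: str

def build_arp(sender_mac: str, sender_ip: str, target_ip: str, op: int = 1) -> bytes:
    """Build a broadcast Ethernet II + ARP frame (only used to construct samples)."""
    smac = bytes.fromhex(sender_mac.replace(":", ""))
    spa = bytes(int(o) for o in sender_ip.split("."))
    tpa = bytes(int(o) for o in target_ip.split("."))
    eth = b"\xff" * 6 + smac + struct.pack("!H", 0x0806)
    return eth + struct.pack("!HHBBH", 1, 0x0800, 6, 4, op) + smac + spa + b"\x00" * 6 + tpa

def parse_arp(iface: str, frame: bytes) -> ArpFrame | None:
    """Decode an untagged frame; return None unless it is an Ethernet/IPv4 ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != 0x0806:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return ArpFrame(iface, op, frame[22:28].hex(":"), ".".join(map(str, frame[28:32])))

def leaked_arp(captures: list[tuple[str, bytes]]) -> list[ArpFrame]:
    """ARP frames captured on an uplink whose sender MAC belongs to a LAN host,
    i.e. the frames that make the ISP's router learn the wrong MAC."""
    return [a for iface, raw in captures
            if (a := parse_arp(iface, raw)) and a.iface in UPLINK_PORTS
            and a.sender_mac in LAN_HOSTS]

# Constructed capture: a LAN client's ARP request seen on wlan1 (expected) and
# the same broadcast flooded out of ether4 (the leak the post describes).
SAMPLE_CAPTURE = [
    ("wlan1", build_arp("aa:bb:cc:00:00:10", "192.168.88.50", "192.168.88.1")),
    ("ether4", build_arp("aa:bb:cc:00:00:10", "192.168.88.50", "192.168.88.1")),
    ("ether4", build_arp("02:00:00:00:00:01", "203.0.113.1", "203.0.113.2")),  # ISP gateway: fine
]

if __name__ == "__main__":
    for leak in leaked_arp(SAMPLE_CAPTURE):
        print(f"LEAK: {leak.sender_mac} ({leak.sender_ip}) seen on uplink {leak.iface}")
```

On a real router the capture tuples would come from a sniffer export with the interface column kept; only the frame on ether4 with the LAN sender is reported, the same MAC on wlan1 and the gateway's own ARP on ether4 are not.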
 
cstik
just joined
Posts: 2
Joined: Wed Jun 09, 2021 5:45 pm

Re: LAN arp broadcasts leaked outside bridge ports

Wed Jun 09, 2021 5:56 pm

Hello,

Similar issue. It is an RB2011UiAS v6.47.10 with only wired ports.
ether1 is the router port, uplink to the ISP.
ether2-ether10 and sfp1 are the LAN bridge.
A client MAC from ether2 went out on the ether1 router port and caused a security violation on the ISP side.
Magical ether2? :)
Up to now it has happened one time in 4 days of installation.
Pretty annoying; the ISP blocked the uplink port.

No solution at the moment.
 
raytaylor
just joined
Posts: 21
Joined: Wed Dec 28, 2011 12:19 pm
Location: Melbourne

Re: LAN arp broadcasts leaked outside bridge ports

Sat Dec 17, 2022 10:32 pm

I am having the same problem on 6.49.7 with an RB2011 customer router.
ether1 (LAN) goes to local lan switch
ether2 (WAN) goes to isp uplink

Our router on the ISP end can see neighbor devices plugged into the (LAN) port of the customer router.
In the customer router there is no bridging, so we shouldn't be able to see the LAN hosts from our router.

I have tried factory resetting with no default configuration and just set up two separate subnets on the two interfaces of the customer RB2011. I still get leaked ARP between the two interface ports (ether1 and ether2).
