Community discussions

MikroTik App
 
ikiji
just joined
Topic Author
Posts: 19
Joined: Tue Aug 13, 2019 9:59 pm

Multiple ARP entries for the same MAC

Sat Dec 03, 2022 11:54 pm

Hi,

Apologies if this is a dumb question but hoping someone can point me in the right direction.

I've had an LG (WebOS) TV for years and over the past couple of months (trying to pinpoint if it was linked to an Mtk upgrade or not) I've had very intermittent issues where the TV's various built in streaming apps, or anything that is requiring an Internet connection has been failing.

Upon jumping onto the Mtk, I noticed something which struck me as weird and that was I've seen up to 10 entries at one point in the ARP table where the TV's MAC address has shown different IPs.

Right now for example, it is showing 2 entries (.25 and .27) where the Bridge port is correct (ether 5) but the 3rd entry (.28) which is the one that actually matches the IP the TV currently has assigned has no MAC, bridge port or host data shown yet when you look at the DHCP leases that is the IP it's been given.

Screenshots probably explain this better.
2022-12-03_21-40-31.png
The TV is the only device I've seen this behaviour with - has something gone awry with the TV?
Could it be something I've misconfigured somewhere
Or could it be a bug in certain versions of RoS (running 7.6 on an RB951G-2HnD [mipsbe])?

TIA
Neil
You do not have the required permissions to view the files attached to this post.
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Multiple ARP entries for the same MAC

Sun Dec 04, 2022 9:37 am

Seems odd, but it doesn't appear to be arp-poisoning being done by the TV.

It looks like stale arp entries.

Have you tried logging DHCP requests? DHCP Service - Logs and Debug
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Multiple ARP entries for the same MAC

Sun Dec 04, 2022 12:53 pm

A device can have multiple IP addresses on the same interface. So an ARP table with multiple IP addresses for one MAC is probably correct.
(e.g. just add a few static IP addresses to your MT bridge or interfaces. And this also happens if DHCP client is used when the device has a (different) static IP address already.)

DHCP will want it one IP for a device MAC. But even here with only DHCP you can get multiple entries in ARP, if you are behind a L2.5 bridge, which inserts its own MAC address in the packet header.
Devices behind a "station pseudo-bridge" repeater will al have the same MAC address in the ARP table, that MAC of the pseudo-bridge, but different (their own CHADDR) MAC addresses in the DHCP lease table.
The DHCP server may get confused in sending the lease offer to the wrong MAC address, what makes DHCP fail in that case.
 
ikiji
just joined
Topic Author
Posts: 19
Joined: Tue Aug 13, 2019 9:59 pm

Re: Multiple ARP entries for the same MAC

Sun Dec 04, 2022 1:55 pm

Seems odd, but it doesn't appear to be arp-poisoning being done by the TV.

It looks like stale arp entries.

Have you tried logging DHCP requests? DHCP Service - Logs and Debug
Hi Buckeye,

I have not tried logging DHCP but certainly will later when home - thank you.
 
ikiji
just joined
Topic Author
Posts: 19
Joined: Tue Aug 13, 2019 9:59 pm

Re: Multiple ARP entries for the same MAC

Sun Dec 04, 2022 1:59 pm

A device can have multiple IP addresses on the same interface. So an ARP table with multiple IP addresses for one MAC is probably correct.
(e.g. just add a few static IP addresses to your MT bridge or interfaces. And this also happens if DHCP client is used when the device has a (different) static IP address already.)

DHCP will want it one IP for a device MAC. But even here with only DHCP you can get multiple entries in ARP, if you are behind a L2.5 bridge, which inserts its own MAC address in the packet header.
Devices behind a "station pseudo-bridge" repeater will al have the same MAC address in the ARP table, that MAC of the pseudo-bridge, but different (their own CHADDR) MAC addresses in the DHCP lease table.
The DHCP server may get confused in sending the lease offer to the wrong MAC address, what makes DHCP fail in that case.
Hi @bpwl
I have the following hardware:

2 x Unifi APs which connect into an Aruba switch
1 x HPE Aruba 24 port managed switch (handling VLANs - historical but should probably move the VLAN management to the Mtk) - One uplink from switch to ether 5 on the Mtk
1 x Mtk RB951G-2HnD

The TV is using it's Wifi NIC -> Ubnt AP > Aruba > Mtk

Does that answer the question you were asking or have I misunderstood?

Many thanks
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Multiple ARP entries for the same MAC

Sun Dec 04, 2022 3:21 pm

I have no idea how "LG Web OS TV" operates and what it can do. From my short Google session, it seems an elaborated OS, that certainly can have multiple IP addresses for one interface (MAC).
It will get one via DHCP (192.168.100.28) but may have received .25 and .27 shortly before. If these are still in the ARP cache depends on the ARP's timeout timer.
.25 and .27 may also be static addresses of the TV. There are many APPS possible in LGwebOS to be installed or activated. Those APPS may work on different IP addresses to have access to all TCP and UDP ports each.

There is nothing wrong with a device having multiple IP addresses for one MAC address.

If the DHCP address jumps around, it might be the DHCP client that proposes a different address, or the DHCP server does this, or the usage check in de DHCP DORA (discover, offer, request, ack) sequence makes the DHCP server think the previous offered address is not used.

PS: Make sure you have no competing DHCP servers in your LAN.
 
ikiji
just joined
Topic Author
Posts: 19
Joined: Tue Aug 13, 2019 9:59 pm

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 12:24 am

AFAIK, the TV should only have a single IP, despite the built-in apps.
The only caveat to that may be if you have both the ethernet NIC and the wireless NIC connected simultaneously.

Otherwise, the TV only shows a single IP from the settings menu.

Taking Buckeye's suggestion, was just looking at the Logs just now and can see:
2022-12-04_22-20-09.png
What I don't understand is why the TV has clearly had the .28 address, relinquished it at 17:58:50 but then 4s later, there is a complaint of a conflict on that IP, so the DHCP server hands out another one, in this case .29.

This is obviously why I'm seeing so many IPs allocated over time to the TV as it keeps thinking there is a conflict and issuing another IP.

It is only the TV that I am seeing this behaviour and wonder if there is something weird going on with it's wireless NIC.

I'll try hardwire the TV for a test to see if it behaves any differently.

Any other suggestions welcomed.

Thanks
You do not have the required permissions to view the files attached to this post.
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 6:18 am

Why isn't the TV renewing its lease? What is expected is that when the lease is half up, the lease will be renewed. But you may have an extremely short lease time.

What the normal sequence is DORA (discover, offer, request, acknowledge) followed by RA RA RA as the client requests a renewal every (lease period)/2 for the same ip address it currently has.

Next step: use sniffer to capture icmp or UDP port 67 or UDP port 68 on bridge (or possibly on ether5)

MikroTik packet sniffer basics MikroTip video

Here's another video with troubleshooting tools Getting Started: MikroTik Troubleshooting (Basics to Advanced) with this offset where he starts to talk about MikroTik Packet Sniffing
Last edited by Buckeye on Mon Dec 05, 2022 12:10 pm, edited 1 time in total.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 11:32 am

Why isn't the TV renewing its lease? What is expected is that when the lease is half up, the lease will be renewed. But you may have an extremely short lease time.

What the normal sequence is DORA (discover, offer, request, acknowledge) followed by RA RA RA as the client requests a renewal every (lease period)/2 for the same ip address it currently has.

Next step: use sniffer to capture UDP port 67 or UDP port 68 on bridge (or possibly on ether5)

MikroTik packet sniffer basics MikroTip video

Here's another video with troubleshooting tools Getting Started: MikroTik Troubleshooting (Basics to Advanced) with this offset where he starts to talk about MikroTik Packet Sniffing
I see a rather normal DORA sequence , where the check fails. Question is why does the (ICMP) check fail?
If both wired and wireless are in use, I expect a different MAC address for the interfaces.
ICMP fail ? Somebody copied the TV MAC address ???
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 11:39 am

Moderator. If you can only delete posts from bottom up, can you delete in reverse until you get to the spam post? or just edit the spam post with a "spam post removed".

@bpwl edit you post, make a copy to a text file, in case your post gets deleted to delete the spam post.

I am going to copy my posts so they don't get nuked.
Last edited by Buckeye on Mon Dec 05, 2022 12:11 pm, edited 1 time in total.
 
User avatar
Buckeye
Forum Veteran
Forum Veteran
Posts: 883
Joined: Tue Sep 11, 2018 2:03 am
Location: Ohio, USA

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 11:54 am

I see a rather normal DORA sequence , where the check fails. Question is why does the (ICMP) check fail?
If both wired and wireless are in use, I expect a different MAC address for the interfaces.
ICMP fail ? Somebody copied the TV MAC address ???
I am not nearly as familiar with ROS as I am with EdgeOS, so I don't now exactly how things are "supposed to look" on ROS.

Here's how they look in the /var/log/dnsmasq.log on an EdgeRouter
JonEdge@HomeERX:~$ tail /var/log/dnsmasq.log
Dec  5 08:59:12 dnsmasq-dhcp[3636]: DHCPDISCOVER(switch0.101) e4:f0:42:de:ad:6c
Dec  5 08:59:12 dnsmasq-dhcp[3636]: DHCPOFFER(switch0.101) 192.168.101.55 e4:f0:42:de:ad:6c
Dec  5 08:59:12 dnsmasq-dhcp[3636]: DHCPREQUEST(switch0.101) 192.168.101.55 e4:f0:42:de:ad:6c
Dec  5 08:59:12 dnsmasq-dhcp[3636]: DHCPACK(switch0.101) 192.168.101.55 e4:f0:42:de:ad:6c Google-Home-Mini
Dec  5 09:15:07 dnsmasq-dhcp[3636]: DHCPREQUEST(switch0.101) 192.168.101.42 5c:41:be:ef:f9:3d
Dec  5 09:15:07 dnsmasq-dhcp[3636]: DHCPACK(switch0.101) 192.168.101.42 5c:41:be:ef:f9:3d
Dec  5 09:19:31 dnsmasq-dhcp[3636]: DHCPREQUEST(switch0.101) 192.168.101.87 dc:2c:6e:ca:fe:f1
Dec  5 09:19:31 dnsmasq-dhcp[3636]: DHCPACK(switch0.101) 192.168.101.87 dc:2c:6e:ca:fe:f1 MikroTik
Dec  5 09:31:17 dnsmasq-dhcp[3636]: DHCPREQUEST(switch0.101) 192.168.101.54 d0:21:f9:fa:ce:ae
Dec  5 09:31:17 dnsmasq-dhcp[3636]: DHCPACK(switch0.101) 192.168.101.54 d0:21:f9:fa:ce:ae ubnt28
JonEdge@HomeERX:~$
Looking at the output that was posted above in post #7, why was there a 75 second delay between the entry 479 and 480?

I assumed that was a lease expiration followed later by a new lease request. And that's why I asked for a packet capture, as that will leave little doubt as to what is happening.
 
User avatar
bpwl
Forum Guru
Forum Guru
Posts: 2978
Joined: Mon Apr 08, 2019 1:16 am

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 12:36 pm

I see a rather normal DORA sequence , where the check fails. Question is why does the (ICMP) check fail?
If both wired and wireless are in use, I expect a different MAC address for the interfaces.
ICMP fail ? Why? Somebody copied the TV MAC address ??? (eg set the MAC address in interface or bridge of MT)
Or is another device having that IP address already as static??? (DHCP server should have seen that before)
Don't know ...
 
User avatar
mkx
Forum Guru
Forum Guru
Posts: 11381
Joined: Thu Mar 03, 2016 10:23 pm

Re: Multiple ARP entries for the same MAC

Mon Dec 05, 2022 5:19 pm

Another possibility is that there's a misbehaving proxy-ARP device in network ...
 
DavidGB
newbie
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Multiple ARP entries for the same MAC

Tue May 30, 2023 6:42 pm

Hi!
I have a similar problem since I updated the router to version 7.9.1. I have RB4011 Mikrotik. It worked perfectly before update.
I use the ARP information to communicate to a server if there is someone at home (with Wi-Fi MAC) and since I updated there are always 3 repeated macs (one of the mobile phones, 3 IPs and 1 mac) even if I am not at home. In this moment (image) this phone is outside. With my phone works correctly
Captura.jpg
Do you know why?

Thanks!
You do not have the required permissions to view the files attached to this post.
 
DavidGB
newbie
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Multiple ARP entries for the same MAC

Thu Nov 16, 2023 5:34 pm

Hi!!

It's happening to me again with the same device. Does anyone know how it can be solved?

Thanks!
 
pe1chl
Forum Guru
Forum Guru
Posts: 10183
Joined: Mon Jun 08, 2015 12:09 pm

Re: Multiple ARP entries for the same MAC

Thu Nov 16, 2023 5:52 pm

- turn off "Conflict Detection" in the DHCP server
- make the lease for the problematic device static (click the entry in "DHCP Leases" and click "Make Static"
 
DavidGB
newbie
Posts: 45
Joined: Fri Sep 14, 2018 9:22 pm

Re: Multiple ARP entries for the same MAC

Thu Nov 16, 2023 6:12 pm

Ok Thanks! I´ll try it
 
ToTheCLI
Frequent Visitor
Frequent Visitor
Posts: 83
Joined: Mon Jan 04, 2016 3:54 am

Re: Multiple ARP entries for the same MAC

Fri Dec 22, 2023 12:39 am

I have the same issue with several mobile phones from Oneplus and Samsung this bug seems to be on mikrotiks side, Opened a ticket.
RB5009 on 7.13Stable
 
gotsprings
Forum Guru
Forum Guru
Posts: 2087
Joined: Mon May 14, 2012 9:30 pm

Re: Multiple ARP entries for the same MAC

Sun Jan 14, 2024 11:51 pm

I started seeing this on my installs with Mikrotik routers but Cambium wireless. Been trying to eliminate possible configs.

The first time I saw it the site had Cambium and UniF--k Wireless Access Points. Hardwired devices never had the error. Devices connecting to the UniF--k wireless didn't have this error.

I mitigated it by putting all the important devices on static DHCP leases. Solved the issue.

But my guest networks... I can't do that.

Who is online

Users browsing this forum: johnson73, loloski and 88 guests