Community discussions

MikroTik App
 
woodych
just joined
Topic Author
Posts: 19
Joined: Fri Nov 12, 2021 7:09 pm

proxy-arp only for VPN connections?

Sat Nov 20, 2021 10:53 am

Hi Community

As I have PPTP and L2TP incoming connections to which I assign ip addresses from LAN. I have enabled proxy-arp on the LAN bridge interface so they can communicate.

I also use CAPSMAN and have roaming WLAN clients in the same LAN.

DHCP Server is an ISC DHCP Server (because of vendor related stuff for IP-Phones and IPTV).

Now I noticed that I often run low on DHCP Leases and the DHCP Server keeps complaining and abandoning ip addresses in a row because they are pingable while receiving a DISCOVER. Strangely that were ip addresses which shortly before were successfully assigned to that exact WLAN clients.

So why is the WLAN client sending a DISCOVER and not a RENEW? Turns out, those are moving clients which get out of range from one AP and get kicked by CAPSMAN because of excessive data loss. They immediately re-appear on the next AP where they do a DISCOVER.

But I guess because of proxy-arp the Mikrotik still answers on ping from the DHCP-Server on behalf of that client. So the DHCP-Server abandons that IP Address and assigns a new one to that client.

Indeed, when I disable proxy-arp, that issue disappears. But then of course VPN clients with an ip address from within the LAN, are unable to reach the LAN anymore.

Is there any option to only proxy-arp ip addresses that connect via VPN instead of ALL IP addresses in the LAN?

-Benoit-
 
mducharme
Trainer
Trainer
Posts: 1777
Joined: Tue Jul 19, 2016 6:45 pm
Location: Vancouver, BC, Canada

Re: proxy-arp only for VPN connections?

Sat Nov 20, 2021 2:05 pm

You don't *have* to use proxy-arp for VPN. Simply have your PPTP and L2TP configured to assign addresses in a range that is not in your LAN subnet and you will be able to reach the LAN devices just fine from the VPN without proxy-arp being enabled.

Ex. if your LAN subnet is 192.168.88.0/24 then have the PPTP and L2TP address pool something like 192.168.89.1-192.168.89.254 (or however large you need it).
 
Sob
Forum Guru
Forum Guru
Posts: 9188
Joined: Mon Apr 20, 2009 9:11 pm

Re: proxy-arp only for VPN connections?

Sat Nov 20, 2021 4:47 pm

I'm now also leaning to not using overlapping subnets and proxy ARP, but it does have some advantages. Well, at least one, LAN hosts see VPN clients as members of same subnet, so you can save same effort when configuring firewalls, where default ones often allow access from same subnet. Anyway, if you want it, you can have it, proxy ARP for selected addresses is possible using:
/ip arp
add address=<vpn client address 1> interface=<LAN> published=yes
add address=<vpn client address 2> interface=<LAN> published=yes
...
add address=<vpn client address x> interface=<LAN> published=yes

Who is online

Users browsing this forum: No registered users and 24 guests