jmorrisCCR1009
just joined
Topic Author
Posts: 4
Joined: Thu Jun 30, 2016 12:22 am

Proxy ARP

Wed Jan 26, 2022 5:43 am

Hello, semi-new to Mikrotik routers. I have used them for a while as specialized devices, but am now expanding what I want to do with them, and I want to replace my Linux-based routers with Mikrotik.

I have used proxy ARP with Linux firewalls for some time with great success, but am having difficulty reproducing the setup with Mikrotik. I am missing something (probably something simple).

Using private addresses in my example

ISP Device:
IP address 10.1.1.1/28 (giving me 14 addresses)

Mikrotik CCR2004-16G-2S+ (RouterOS 7.1.1):
Outside (public) address 10.1.1.2 on sfp-sfpplus1, connects to ISP device
Inside address 192.168.1.1/32 on ether16, connects to inside device

Inside Device (configured as if directly connected to ISP device, default route to 10.1.1.1, /28 network, etc)
Outside (public) address 10.1.1.4, connects to Mikrotik ether16

I want the inside device to appear as if directly connected to the ISP device, but I want to be able to control bandwidth, for example, on ether16.

Looking at the ARP table, I can see my inside device at 10.1.1.4 on ether16.

I enabled proxy ARP on sfp-sfpplus1 and ether16. I was hoping just that setting would do the trick. Incorrect.
I then made a static route to 10.1.1.4 via 192.168.1.1. This didn't fix the problem.

When I look at routing, I see a dynamically created route 10.1.1.0/28 to 'sfp-sfpplus1', which seems wrong, not sure.

Can someone clue me in as to where I am going wrong?

Note: I have set up a DHCP server on ether1, set up an inside network, configured the firewall, set up NAT, and plugged in random devices to confirm that the internet works through sfp-sfpplus1. It works correctly. I'm just stuck at proxy ARP.

Regards
 
Zacharias
Forum Guru
Posts: 3459
Joined: Tue Dec 12, 2017 12:58 am
Location: Greece

Re: Proxy ARP

Wed Jan 26, 2022 10:01 am

Can you provide a network diagram? It helps to understand your network topology better.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Proxy ARP

Thu Jan 27, 2022 4:09 pm

If I understand it correctly that you have 192.168.1.1/32 on the router, you can either add a route to the interface:
/ip route
add dst-address=10.1.1.4/32 gateway=ether16
Or you can change the address to point-to-point, which will add an automatic route:
/ip address
add interface=ether16 address=192.168.1.1/32 network=10.1.1.4
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Proxy ARP

Thu Jan 27, 2022 4:39 pm

Proxy ARP will only reply to ARP requests for a network address for which it has a route. So indeed check if you have configured it in such a way that you have a route to 10.1.1.0/28.
Sometimes I would wish that you could limit proxy ARP to only one subnet or even only to local subnets. When you configure proxy ARP for a scenario like that you quickly arrive at the situation where it will reply to ANY IP address queried, and the hosts behind your router work even when they have no default route at all.
But then your hosts will die due to excessive ARP table size...
So, always verify that on the connected hosts you have only a small number of ARP entries (while they are passing traffic).
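
The check recommended in the post above, as an added example that is not part of the original thread: it parses `ip neigh show` output from a Linux host behind the router and reports signs that proxy ARP is answering too broadly. The sample output, MAC addresses and thresholds are constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of `ip neigh show` output from a host behind the router.
SAMPLE = """\
10.1.1.1 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
203.0.113.9 dev eth0 lladdr 02:00:00:aa:00:01 STALE
198.51.100.7 dev eth0 lladdr 02:00:00:aa:00:01 REACHABLE
192.0.2.44 dev eth0 lladdr 02:00:00:aa:00:01 DELAY
10.1.1.3 dev eth0 lladdr 02:00:00:bb:00:02 REACHABLE
10.1.1.9 dev eth0  FAILED
"""


def parse_neigh(text):
    """Yield (ip, mac) for entries that carry a link-layer address."""
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            yield fields[0], fields[fields.index("lladdr") + 1].lower()


def audit(text, local_subnet, max_entries=64, max_ips_per_mac=2):
    """Summarise signs that a proxy-ARP router is answering too broadly.

    max_entries and max_ips_per_mac are assumed thresholds; tune per site.
    """
    net = ipaddress.ip_network(local_subnet)
    by_mac = defaultdict(list)
    for ip, mac in parse_neigh(text):
        by_mac[mac].append(ip)
    total = sum(len(ips) for ips in by_mac.values())
    return {
        "total": total,
        "too_many": total > max_entries,
        # Neighbours outside the local subnet only exist if something proxied them.
        "off_subnet": sorted(ip for ips in by_mac.values() for ip in ips
                             if ipaddress.ip_address(ip) not in net),
        # One MAC answering for many IPs is the signature of a proxy-ARP router.
        "shared_mac": {m: ips for m, ips in by_mac.items()
                       if len(ips) > max_ips_per_mac},
    }
```
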
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Proxy ARP

Thu Jan 27, 2022 5:19 pm

You can use proxy ARP for individual addresses, instead of enabling it for whole interface, e.g. here it could be:
/ip arp
add interface=sfp-sfpplus1 address=10.1.1.4 published=yes
add interface=ether16 address=10.1.1.1 published=yes
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Proxy ARP

Thu Jan 27, 2022 5:21 pm

Also, when I use this, I don't configure the internal device with the subnet mask of the outside subnet, but use only a point-to-point /32. Then I have published ARP only on the external interface, and it's nice and simple.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Proxy ARP

Thu Jan 27, 2022 6:49 pm

What I had in mind was the "usual" scenario of using proxy ARP where people have set up a VPN server for their local network and used the same subnet mask as the LAN and use some IPs for the VPN.
Then they need to enable Proxy ARP to allow communication between local systems and the VPN users (of course a separate VPN subnet would fix it).
What you then would like to have is a Proxy ARP on the LAN that only answers to ARP requests that are within the LAN range and for which the router knows a more specific route (in this case: to the VPN user).
But such a Proxy ARP operation mode does not exist. There is a local-proxy-arp, that sounds promising, but it does something different.
The closest you can get is to have a bridge filter that blocks ARP requests for IPs that are outside the local subnet.

The solution you provide would be somewhat usable, but it would require a script in the VPN up/down handling to add/remove those entries...
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Proxy ARP

Thu Jan 27, 2022 7:38 pm

If you have an addressing plan, you can add them in advance and keep them even if they are not currently used. They still need an active route, so they don't do anything before there's one.
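
A simplified model of the two modes discussed in this thread, added here as an example and not taken from any post or from RouterOS itself: interface-wide proxy ARP versus per-address `published=yes` entries. It assumes the router answers only when the route to the target leaves through a different interface than the one the request arrived on, and that the router has a default route via sfp-sfpplus1; the probe addresses are constructed.

```python
import ipaddress

# Constructed routing table for the thread's topology: (prefix, out interface).
# The default route is an assumption; the /32 is the route suggested in the thread.
ROUTES = [
    ("0.0.0.0/0", "sfp-sfpplus1"),
    ("10.1.1.0/28", "sfp-sfpplus1"),
    ("10.1.1.4/32", "ether16"),
]
# Per-address entries matching the "/ip arp ... published=yes" lines above.
PUBLISHED = {("sfp-sfpplus1", "10.1.1.4"), ("ether16", "10.1.1.1")}


def lookup(target, routes=ROUTES):
    """Longest-prefix match; returns the outgoing interface or None."""
    addr = ipaddress.ip_address(target)
    best = None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def interface_proxy_arp(in_iface, target, routes=ROUTES):
    """Interface-wide mode: answer for anything routed out another interface
    (assumed rule for this model)."""
    out = lookup(target, routes)
    return out is not None and out != in_iface


def published_arp(in_iface, target, routes=ROUTES, published=PUBLISHED):
    """Per-address mode: answer only for listed addresses, and only while a
    route to them is active."""
    return (in_iface, target) in published and interface_proxy_arp(
        in_iface, target, routes)


def answered(mode, in_iface, targets):
    """Return the subset of targets the router would answer ARP for."""
    return [t for t in targets if mode(in_iface, t)]
```

With a default route present, the interface-wide mode answers every off-link probe arriving on ether16, while the published entries restrict replies to the two configured addresses.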
