 
flop.m@usa.net
newbie
Topic Author
Posts: 25
Joined: Mon Jun 11, 2007 11:26 am

Router hijacking ARP of other network device

Sun Sep 18, 2022 7:24 pm

Hello all,

Maybe someone has seen something similar.
I'm running Mikrotik OS version 6.49.6 and sometimes I can't reach some other devices on my network from my computer.

I then checked the ARP table on my computer to discover a specific IP address had a wrongly mapped MAC address.
So I cleared the ARP table on my computer and started sniffing the ethernet packets.

I could record the following results, where we can see that the router is answering (wrongly) the ARP request made by my computer and then makes my computer unable to reach the correct device by its IP address.
"54","14.590021","WistronI_43:d3:6a","Broadcast","ARP","42","Who has 192.168.79.210? Tell 192.168.79.112"
"55","14.590243","PCEngine_25:97:fd","WistronI_43:d3:6a","ARP","60","192.168.79.210 is at 00:0d:b9:25:97:fd"
"57","14.590465","PCEngine_58:b0:18","WistronI_43:d3:6a","ARP","60","192.168.79.210 is at 00:0d:b9:58:b0:18"
Device with MAC address 00:0d:b9:58:b0:18 has IP address 192.168.79.210, given by router via DHCP.
Router has MAC address 00:0d:b9:25:97:fd with its ethernet port configured with
/interface ethernet set [ find default-name=ether2 ] name=LAN
/ip address add address=192.168.79.254/24 comment=LAN interface=LAN network=192.168.79.0
So I don't understand why the router is answering an ARP request while the IP address is not set on its ethernet port.

Any ideas?

Thank you very much
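An added example, not part of the original post and not MikroTik or Wireshark code: a small Python script that parses a Wireshark CSV export in the seven-column shape quoted above (No., Time, Source, Destination, Protocol, Length, Info) and flags any IP address for which more than one MAC address sends an ARP reply, which is exactly the symptom shown in frames 55 and 57. If a known-good mapping is supplied (here the DHCP-assigned one the poster describes, passed in as an assumed input), it also names the frame whose reply disagrees. The function names and the exact Info-column wording are assumptions.

```python
import csv
import io
import re
from collections import defaultdict

# Sample input: the three CSV rows quoted in the post above, embedded here so
# the script runs offline. Columns: No., Time, Source, Destination, Protocol,
# Length, Info (Wireshark "Export Packet Dissections -> As CSV" layout).
SAMPLE_CSV = '''\
"54","14.590021","WistronI_43:d3:6a","Broadcast","ARP","42","Who has 192.168.79.210? Tell 192.168.79.112"
"55","14.590243","PCEngine_25:97:fd","WistronI_43:d3:6a","ARP","60","192.168.79.210 is at 00:0d:b9:25:97:fd"
"57","14.590465","PCEngine_58:b0:18","WistronI_43:d3:6a","ARP","60","192.168.79.210 is at 00:0d:b9:58:b0:18"
'''

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Info-column wording as Wireshark prints it for ARP replies and requests.
REPLY_RE = re.compile(rf"^(?P<ip>{IPV4}) is at (?P<mac>{MAC})$", re.I)
REQUEST_RE = re.compile(rf"^Who has (?P<ip>{IPV4})\? Tell (?P<src>{IPV4})$")


def parse_arp_rows(text):
    """Yield (frame_no, time, kind, ip, who) for each ARP row in the CSV text.

    kind is "reply" (who = claimed MAC, lower-cased) or "request" (who = asker IP).
    Rows that are not ARP, or whose Info text we do not recognise, are skipped.
    """
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 7 or row[4].upper() != "ARP":
            continue
        frame, t, info = int(row[0]), float(row[1]), row[6]
        m = REPLY_RE.match(info)
        if m:
            yield frame, t, "reply", m["ip"], m["mac"].lower()
            continue
        m = REQUEST_RE.match(info)
        if m:
            yield frame, t, "request", m["ip"], m["src"]


def find_conflicting_replies(text):
    """Return {ip: sorted list of MACs} for every IP answered by more than one MAC.

    Two different MACs replying for one IP is the classic sign of a misbehaving
    proxy-ARP responder or of ARP spoofing on the segment.
    """
    claims = defaultdict(dict)  # ip -> {mac: first frame that claimed it}
    for frame, _t, kind, ip, who in parse_arp_rows(text):
        if kind == "reply":
            claims[ip].setdefault(who, frame)
    return {ip: sorted(macs) for ip, macs in claims.items() if len(macs) > 1}


def rogue_responders(text, expected):
    """Given a known-good {ip: mac} table (e.g. from the DHCP lease list),
    return (ip, mac, frame_no) for each reply that contradicts it."""
    hits = []
    for frame, _t, kind, ip, mac in parse_arp_rows(text):
        if kind == "reply" and ip in expected and mac != expected[ip].lower():
            hits.append((ip, mac, frame))
    return hits


if __name__ == "__main__":
    # Assumed known-good mapping: the DHCP lease the poster describes.
    known_good = {"192.168.79.210": "00:0d:b9:58:b0:18"}
    for ip, macs in find_conflicting_replies(SAMPLE_CSV).items():
        print(f"{ip} answered by {len(macs)} MACs: {', '.join(macs)}")
    for ip, mac, frame in rogue_responders(SAMPLE_CSV, known_good):
        print(f"frame {frame}: {mac} answered for {ip}, expected {known_good[ip]}")
```

The same check can be run against a longer export from the affected host: any IP that appears in the conflict map is one whose ARP cache will flip depending on which reply arrives first, which matches the intermittent "sometimes I can't reach" behaviour described in the post.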
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 7:42 pm

That happens when you set the ARP mode to proxy-arp.
 
Sob
Forum Guru
Posts: 9119
Joined: Mon Apr 20, 2009 9:11 pm

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 8:12 pm

Yes and no. With proxy ARP enabled, router does answer on behalf of other devices. But it seems that something changed and maybe went a little wrong. I didn't have time to test everything properly, so I don't even know when exactly it happened. But very old RouterOS for example needed specific route to destination address to answer ARP for it, while newer one doesn't care and takes even default route, so it answers ARP for any address. Also answering on behalf of devices in same subnet (as it seems to be doing here) definitely didn't happen before, but recently I saw it once too.

Edit: Quick test with latest versions (6.48.6, 6.49.6, 7.5, 7.6beta6) says that either it was before them, or I messed up. Now it seems to work as expected. Hmm.
Last edited by Sob on Mon Sep 19, 2022 3:09 am, edited 1 time in total.
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 8:23 pm

Actually the proxy-arp can operate in two different modes, proxy-arp and local-proxy-arp, both of them not what I usually would want (I would like to have e.g. local-routed-proxy-arp or remote-proxy-arp).
Indeed it needs a route to the address, but of course when the queried address is in the local subnet, it does have that.
Usually it will work without issue because the router will forward the packet when it received it even when the destination is on the same subnet. It will send a redirect as well, but often that gets ignored.
Maybe he has a strict firewall that prohibits that forward (e.g. as spoofing protection).
At work we have a large WiFi network where broadcasts and inter-user traffic are disabled in the APs (to reduce on the loading of the radios by the large amounts of chatter), and we use proxy-arp, a bridge filter and a firewall rule to allow limited traffic between clients, e.g. to facilitate pairing between a phone and a laptop.
It works.
 
flop.m@usa.net
newbie
Topic Author
Posts: 25
Joined: Mon Jun 11, 2007 11:26 am

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 9:38 pm

Thx for answering, but as you can see, I'm using default setting for the ethernet, so arp value is 'enabled', not proxy-arp or the other one. Also, the router, the device I want to contact and my computer are all 3 on the same network, all 3 connected together via Netgear switches, so the router has no need to answer this ARP request, and my computer does not need to reach the router to get to the device (no need for routing)...

Any other thought(s)?

Thx a lot
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 9:48 pm

You haven't posted an export of your configuration, but if an Ethernet interface is configured as a member port of a bridge, the arp setting of the bridge is used, not the one of the Ethernet interface.
 
flop.m@usa.net
newbie
Topic Author
Posts: 25
Joined: Mon Jun 11, 2007 11:26 am

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 9:52 pm

There is no bridge, just a pppoe client enabled on another ethernet port.
[admin@router.home] /interface> export
# sep/18/2022 20:51:04 by RouterOS 6.49.6
# software id = XFVR-J1EU
#
#
#
/interface ethernet
set [ find default-name=ether2 ] name=LAN
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 keepalive-timeout=disabled max-mru=1492 max-mtu=1492 name=WAN password=xyz user=abc
 
sindy
Forum Guru
Posts: 10205
Joined: Mon Dec 04, 2017 9:19 pm

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 9:57 pm

At this stage I would sniff at the ethernet port to see whether it really responds to ARP requests for other than own addresses:

/tool sniffer quick mac-protocol=arp interface=ether2

What do /interface bridge nat print and /ip arp export show?
 
flop.m@usa.net
newbie
Topic Author
Posts: 25
Joined: Mon Jun 11, 2007 11:26 am

Re: Router hijacking ARP of other network device

Sun Sep 18, 2022 10:24 pm

[admin@router.home] /tool sniffer> /interface bridge nat print
Flags: X - disabled, I - invalid, D - dynamic 
[admin@router.home] /tool sniffer> /ip arp export
# sep/18/2022 21:20:28 by RouterOS 6.49.6
# software id = XFVR-J1EU
#
#
#
/ip arp
add address=192.168.79.220 comment=KodiTV interface=LAN mac-address=40:8D:5C:B4:C9:CD


The sniffer test indicates the router is answering the ARP requests....
LAN        105.958     27 <-  54:EE:75:43:D3:6A FF:FF:FF:FF:FF:FF        192.168.79.112: who has 192.168....                                     arp          60   0 no 
LAN        105.958     28 ->  00:0D:B9:25:97:FD 54:EE:75:43:D3:6A        192.168.79.210: at 00:0D:B9:25:9...                                     arp          42   0 no 
 
flop.m@usa.net
newbie
Topic Author
Posts: 25
Joined: Mon Jun 11, 2007 11:26 am

Re: Router hijacking ARP of other network device

Mon Oct 03, 2022 4:22 pm

If that might help anyone, it was related to the hotspot being active on the Mikrotik. I had to set it on another interface to stop 'interfering'... I think it is somewhat broken because LAN communication should not have to be intercepted by the hotspot, which is there for accessing the Internet only...
 
pe1chl
Forum Guru
Posts: 10195
Joined: Mon Jun 08, 2015 12:09 pm

Re: Router hijacking ARP of other network device

Mon Oct 03, 2022 7:05 pm

Good to hear that you found it! I have zero experience with Hotspot so I do not know if it might set up a bridge with proxy-arp or similar.
