MikroTik's RouterOS offers a wide variety of advanced features and settings to manage networks efficiently. Among these functions, the Address Resolution Protocol (ARP) plays a fundamental role in mapping IP addresses to physical network addresses.
1. ARP Disabled
If ARP is disabled on the interface, that is, arp=disabled is used, the router does not respond to ARP requests from clients. Therefore, a static ARP entry must also be added to clients. For example, router IP and MAC addresses must be added to Windows workstations using the arp command:
C:\> arp -s 10.5.8.254 00-aa-00-62-c6-09
2. ARP Enabled
ARP Enabled is the default mode in most configurations. It allows the router to update the ARP table automatically as devices on the network communicate with each other. No manual intervention is required.
A typical example could be:
/ip arp print
This command will display the dynamic ARP table, which is automatically updated as devices interact on the network.
3. Proxy ARP
Proxy ARP is a technique in computer networking in which one device acts as an intermediary and responds to ARP requests on behalf of other devices. In other words, the ARP Proxy device responds to ARP requests directed to IP addresses that are outside its own subnet, rather than letting devices on that subnet respond on their own. The router performs proxy ARP on the interface and sends responses to other interfaces.
The main function of Proxy ARP is to allow communication between devices that are on different subnets but are connected to the same physical network. To enable ARP Proxy, use:
4. Reply Only
The interface will only respond to requests originating from matching IP address/MAC address combinations that are entered as static entries in the IP/ARP table. No dynamic entries will be automatically stored in the IP/ARP table. Therefore, for communications to be successful, a valid static entry must already exist. To make a static entry in the ARP table use the following command:
/ip arp add address=192.168.1.2 mac-address=00:11:22:33:44:55 interface=ether1
This mode is useful for situations where you need to strictly control which IP addresses can be assigned to a specific interface. To enable reply only mode use the following command:
/interface ethernet set 0 arp=reply-only
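This command puts the first Ethernet interface (item 0 in the interface list) into reply-only mode, so it answers ARP requests only from hosts that have a matching static entry.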
5. Local Proxy ARP
When this mode is enabled on the router, Proxy ARP is performed to/from this interface only, that is, for traffic that enters and leaves the same interface. In a normal LAN, the default behavior is for two network hosts to communicate directly with each other, without involving the router.
With local-proxy-arp enabled, the router will respond to all client hosts with the MAC address of the router interface instead of the MAC address of the other host. The router performs proxy ARP on the interface and sends responses to the same interface.
Let's look at the following example:
If Host A (192.168.88.2/24) requests the MAC address of Host B (192.168.88.3/24), the router will respond with its own MAC address. In other words, if local-proxy-arp is enabled, the router will take responsibility for forwarding traffic between Host A 192.168.88.2 and Host B 192.168.88.3. All ARP cache entries on Hosts A and B will reference the MAC address of the router. In this case, the router performs local-proxy-arp for the entire 192.168.88.0/24 subnet.
An example of RouterOS local-proxy-arp could be a bridge configuration with a DHCP server and bridge ports using the isolated option where hosts on the same subnet can communicate with each other only at Layer 3 through the bridge IP.
/interface bridge
add arp=local-proxy-arp name=bridge1
/interface bridge port
add bridge=bridge1 horizon=1 interface=ether2
add bridge=bridge1 horizon=1 interface=ether3
add bridge=bridge1 horizon=1 interface=ether4
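The reply decisions of the five modes described in this article, written as a toy Python model. This is an added example, not RouterOS code and not part of the original article. The topology, the router MAC and the function name arp_reply are constructed for illustration, and the "reachable through another interface" test is a simplification of a real routing lookup.

```python
from ipaddress import ip_address, ip_network

ROUTER_MAC = "00:aa:00:62:c6:09"  # constructed sample value

# Constructed topology: interface -> (router IP, connected subnet)
IFACES = {
    "ether1": ("192.168.88.1", ip_network("192.168.88.0/24")),
    "ether2": ("10.5.8.254", ip_network("10.5.8.0/24")),
}

# Static entries as created with "/ip arp add": (ip, mac, interface)
STATIC = {("192.168.88.2", "00:11:22:33:44:55", "ether1")}


def arp_reply(mode, iface, sender_ip, sender_mac, target_ip):
    """Return the MAC the router answers with, or None if it stays silent."""
    own_ip, own_net = IFACES[iface]
    target = ip_address(target_ip)

    if mode == "disabled":
        return None  # never answers; clients need their own static entry
    if mode == "reply-only" and (sender_ip, sender_mac, iface) not in STATIC:
        return None  # requester has no matching static IP/MAC entry
    if target_ip == own_ip:
        return ROUTER_MAC  # ordinary answer for the router's own address
    if mode == "proxy-arp":
        # Answers on behalf of hosts reachable through *other* interfaces.
        if any(name != iface and target in net
               for name, (_, net) in IFACES.items()):
            return ROUTER_MAC
    if mode == "local-proxy-arp" and target in own_net:
        return ROUTER_MAC  # answers for hosts on the *same* interface
    return None


if __name__ == "__main__":
    host_a = ("192.168.88.2", "00:11:22:33:44:55")  # has a static entry
    rogue = ("192.168.88.2", "de:ad:be:ef:00:01")   # same IP, different MAC
    for mode in ("disabled", "enabled", "proxy-arp",
                 "reply-only", "local-proxy-arp"):
        for label, (ip, mac) in (("host A", host_a), ("rogue", rogue)):
            for target in ("192.168.88.1", "192.168.88.3", "10.5.8.20"):
                answer = arp_reply(mode, "ether1", ip, mac, target)
                print(f"{mode:16} {label:7} who-has {target:13} -> {answer}")
```

In the printed matrix, the reply-only rows show that a requester reusing Host A's IP with a different MAC gets no answer, and the local-proxy-arp rows show the router's MAC returned for Host B, as in the Host A / Host B example above.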