Is there ANY way to limit ARP requests in MT??
Every so often I get slammed with my MT box doing thousands of ARP requests a second on my Public IP subnet.
I'm assuming this is coming from the internet, but I can't find any way to limit or firewall this behaviour in Mikrotik.
Basically I'm a sitting duck for ARP attacks, right?
I would like to see some of that, sounds like some bad misconfiguration somewhere. The only way RouterOS would make an ARP req is if it's trying to reach (initiate connection to) the IPs it's ARPing for. Also, it would only ARP for addresses in the same subnet as its own interfaces. No packet from outside could trigger an ARP req. If RouterOS receives a packet from its own subnet it already knows the MAC and wouldn't make an ARP req except maybe from spoofed IP addresses, but this you can filter in the Firewall (check http://wiki.mikrotik.com/wiki/Dmitry_on ... nity-check). If it comes from outside the WAN subnet, all RouterOS ever would ARP for is the MAC of the default GW.
Please post your config and show us some from your sniff.
Regards
Henrik
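
One way to summarise a sniff like the one requested above, as an added example that is not part of the thread: it counts ARP requests per sender and lists targets that never answered or lie outside the given subnet. The tcpdump-style text input, the `summarise` helper and the 203.0.113.0/24 addresses are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in tcpdump's text format (documentation addresses,
# not taken from the thread). 203.0.113.2 stands in for the router.
SAMPLE = """\
12:00:00.000100 ARP, Request who-has 203.0.113.10 tell 203.0.113.2, length 28
12:00:00.000200 ARP, Request who-has 203.0.113.11 tell 203.0.113.2, length 28
12:00:00.000300 ARP, Request who-has 203.0.113.12 tell 203.0.113.2, length 28
12:00:00.000400 ARP, Request who-has 203.0.113.1 tell 203.0.113.2, length 28
12:00:00.000500 ARP, Reply 203.0.113.1 is-at 00:00:5e:00:53:01, length 28
12:00:00.000600 ARP, Request who-has 203.0.113.2 tell 203.0.113.1, length 28
12:00:00.000700 ARP, Request who-has 198.51.100.9 tell 203.0.113.50, length 46
"""

# tcpdump may print the target MAC in parentheses after the target IP.
REQ = re.compile(r"ARP, Request who-has (\S+?)(?: \(\S+\))? tell (\S+?),")
REP = re.compile(r"ARP, Reply (\S+) is-at (\S+?),")


def summarise(text, subnet):
    """Per-sender ARP request summary for one capture (hypothetical helper)."""
    net = ipaddress.ip_network(subnet)
    answered = {m.group(1) for m in REP.finditer(text)}
    stats = defaultdict(lambda: {"requests": 0, "targets": set()})
    for target, sender in REQ.findall(text):
        stats[sender]["requests"] += 1
        stats[sender]["targets"].add(target)
    report = {}
    for sender, s in stats.items():
        targets = s["targets"]
        report[sender] = {
            "requests": s["requests"],
            "distinct_targets": len(targets),
            # Targets with no ARP reply anywhere in the capture.
            "unanswered": sorted(t for t in targets if t not in answered),
            # Targets that are not inside the interface subnet.
            "off_subnet": sorted(
                t for t in targets if ipaddress.ip_address(t) not in net
            ),
        }
    return report


if __name__ == "__main__":
    for sender, row in sorted(summarise(SAMPLE, "203.0.113.0/24").items()):
        print(sender, row)
```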