MikroTik RouterOS Docs

ARP Table Management

Lock a critical device to its MAC address to prevent ARP spoofing:

/ip arp add address=192.168.1.10 mac-address=AA:BB:CC:DD:EE:FF interface=ether2

Enable proxy ARP for VPN clients on the same subnet as LAN:

/interface ethernet set ether2 arp=proxy-arp

The Address Resolution Protocol (ARP) maps Layer 3 IP addresses to Layer 2 MAC addresses, a fundamental process for local network communication. While RouterOS handles ARP automatically by default, manual management allows for enhanced security, specific network topologies, and troubleshooting.

Managing the ARP table is critical for:

  • Security: Preventing ARP spoofing by locking MAC addresses to IPs (Static ARP).
  • Connectivity: Enabling communication between disjoint network segments (Proxy ARP).
  • Isolation: Forcing traffic through the router for inspection on the same subnet (Local Proxy ARP).

The following diagram illustrates how Proxy ARP allows a router to answer ARP requests on behalf of another device:

@startuml
skinparam backgroundColor white
skinparam componentStyle rectangle
package "LAN Segment" {
[Host A\n192.168.1.10] as HostA
}
package "Remote/VPN Segment" {
[Client B\n192.168.1.50] as ClientB
}
node "RouterOS" as R1 {
[ether2\n192.168.1.1\nproxy-arp] as Eth2
}
note bottom of HostA
Who has 192.168.1.50?
end note
note right of Eth2
I do! (Using Router MAC)
end note
HostA -> Eth2 : ARP Request (Who is .50?)
Eth2 .> HostA : ARP Reply (I am .50)
Eth2 <-> ClientB : Routed Traffic
@enduml

Prerequisites

  • Access to a RouterOS device (v7.x recommended).
  • An active interface (e.g., ether2) configured with an IP address.
  • For Proxy ARP: A secondary network or VPN pool that overlaps with the LAN subnet.

Step 1: Adding Static ARP Entries

Static entries permanently map an IP to a specific MAC address. This prevents ARP poisoning attacks where an attacker tries to intercept traffic by spoofing the gateway’s MAC address.

  1. Identify the target device’s MAC address.
  2. Add the static entry.
/ip arp add address=192.168.1.10 mac-address=AA:BB:CC:DD:EE:FF interface=ether2 comment="Critical Server"

Parameters:

  • address: The IP address of the device.
  • mac-address: The physical hardware address.
  • interface: The interface where this device resides.

Step 2: Enabling Reply-Only Mode (High Security)

For maximum security on a specific interface, you can disable dynamic ARP learning. The router will only communicate with devices that have static ARP entries.

Warning: Ensure you have added static entries for all legitimate hosts (including your management PC) before enabling this, or you will lose connectivity.

/interface ethernet set ether2 arp=reply-only

If a device is not in the static ARP table, the router will ignore its traffic.
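The warning above (pin every legitimate host before switching to reply-only) is easy to get wrong by hand. The following Python script is an added example, not part of the MikroTik documentation or of RouterOS itself: it parses a pasted copy of `/ip arp print` output (the sample text is constructed, and its column layout is assumed to match the format shown on this page), lists the hosts on an interface that are still learned dynamically and would therefore be cut off by `arp=reply-only`, emits the `/ip arp add` lines that would pin them, and diffs two snapshots to flag an IP whose MAC changed, which is what the poisoning described in Step 1 looks like from the router's side.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of "/ip arp print" output (RouterOS v7 layout assumed).
SAMPLE_ARP_PRINT = """\
Flags: D - DYNAMIC; C - COMPLETE; P - PUBLISHED
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
#    ADDRESS        MAC-ADDRESS        INTERFACE
0  C 192.168.1.10   AA:BB:CC:DD:EE:FF  ether2
1 DC 192.168.1.20   11:22:33:44:55:66  ether2
2 DC 192.168.1.30   DE:AD:BE:EF:00:01  ether2
3 D  192.168.1.99                      ether2
4 DC 10.0.0.5       0C:0C:0C:0C:0C:0C  ether3
"""

MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


@dataclass(frozen=True)
class ArpEntry:
    address: str
    mac: Optional[str]      # None for incomplete entries (no MAC resolved yet)
    interface: str
    dynamic: bool           # "D" flag; static entries lack it
    complete: bool          # "C" flag
    published: bool         # "P" flag


def parse_arp_print(text: str) -> List[ArpEntry]:
    """Parse the rows of '/ip arp print'; header and 'Flags:' lines are skipped."""
    entries = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue
        tokens = tokens[1:]                      # drop the row index
        flags = ""
        if tokens and re.fullmatch(r"[DCP]+", tokens[0]):
            flags = tokens.pop(0)                # flag letters sit before the address
        address = tokens.pop(0)
        mac = None
        if tokens and MAC_RE.match(tokens[0]):   # incomplete rows have an empty MAC column
            mac = tokens.pop(0).upper()
        interface = tokens.pop(0)
        entries.append(ArpEntry(address, mac, interface,
                                "D" in flags, "C" in flags, "P" in flags))
    return entries


def reply_only_preflight(entries: List[ArpEntry], interface: str) -> Dict[str, List[str]]:
    """Before 'arp=reply-only' on `interface`: which hosts are pinned, and which would break."""
    on_iface = [e for e in entries if e.interface == interface]
    return {
        "static": sorted(e.address for e in on_iface if not e.dynamic),
        "would_break": sorted(e.address for e in on_iface if e.dynamic and e.complete),
        "incomplete": sorted(e.address for e in on_iface if not e.complete),
    }


def pin_commands(entries: List[ArpEntry], interface: str) -> List[str]:
    """Emit '/ip arp add' lines for every dynamically learned host on the interface.
    Review the list before pasting: it pins whatever the table holds right now."""
    return [
        f'/ip arp add address={e.address} mac-address={e.mac} interface={interface} comment="pinned"'
        for e in entries if e.interface == interface and e.dynamic and e.complete
    ]


def mac_changes(baseline: List[ArpEntry], current: List[ArpEntry]) -> Dict[Tuple[str, str], Tuple[str, str]]:
    """Compare two snapshots: an IP whose MAC changed is either a NIC swap or ARP poisoning."""
    before = {(e.interface, e.address): e.mac for e in baseline if e.mac}
    changes = {}
    for e in current:
        key = (e.interface, e.address)
        if e.mac and key in before and before[key] != e.mac:
            changes[key] = (before[key], e.mac)
    return changes


if __name__ == "__main__":
    table = parse_arp_print(SAMPLE_ARP_PRINT)
    print(reply_only_preflight(table, "ether2"))
    print("\n".join(pin_commands(table, "ether2")))
    # Constructed "later" snapshot in which .20 suddenly answers from a different MAC.
    later = parse_arp_print(SAMPLE_ARP_PRINT.replace("11:22:33:44:55:66", "66:55:44:33:22:11"))
    print(mac_changes(table, later))
```

Run the preflight against a fresh `/ip arp print` taken while all legitimate hosts are active; anything in `would_break` needs a static entry (or a deliberate decision to exclude it) before the mode change, and the incomplete row shows why a host that is powered off at audit time will not appear at all.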

Proxy ARP is useful when you have dial-in clients (VPN) or split subnets that need to communicate as if they were on the same Layer 2 segment. The router answers ARP requests for the “remote” IPs with its own MAC address.

/interface ethernet set ether2 arp=proxy-arp

With this enabled, if a LAN host asks “Who has 192.168.1.50?” (a VPN client), the router replies “I do,” and then routes the packet to the VPN tunnel.

Use local-proxy-arp on bridge interfaces where ports are isolated (e.g., horizon set) but client-to-client communication is still required via Layer 3 routing.

/interface bridge set bridge1 arp=local-proxy-arp

This forces devices on the same subnet to communicate through the router rather than directly, allowing for firewall filtering between them.

Confirm your configuration is working:

Ensure your static mappings are active and permanent.

/ip arp print where !dynamic

Expected Output:

Flags: D - DYNAMIC; C - COMPLETE; P - PUBLISHED
Columns: ADDRESS, MAC-ADDRESS, INTERFACE
# ADDRESS MAC-ADDRESS INTERFACE
0 C 192.168.1.10 AA:BB:CC:DD:EE:FF ether2

Note the absence of the ‘D’ (Dynamic) flag.

Check the operational mode of your interfaces.

/interface ethernet print detail where name=ether2

Expected Output:

1 R name="ether2" ... arp=reply-only ...

Problem: Devices lose connectivity in reply-only mode

Symptoms: After changing ARP mode to reply-only, specific hosts cannot ping the router or access the internet.

Cause: The router cannot learn the MAC address of the host dynamically, and no static entry exists.

Solution: Temporarily revert to enabled mode to learn the MAC, or manually add the static entry.

# Revert to learn MAC
/interface ethernet set ether2 arp=enabled
# Add the missing entry
/ip arp add address=192.168.1.X mac-address=XX:XX:XX:XX:XX:XX interface=ether2
# Re-enable security
/interface ethernet set ether2 arp=reply-only

Problem: Proxy ARP not working for VPN clients

Symptoms: LAN hosts cannot ping VPN clients that are on the same subnet.

Cause:

  1. Proxy ARP is not enabled on the LAN interface.
  2. The router does not have an active route to the VPN client’s IP.

Solution: Ensure proxy-arp is set on the LAN interface (where the requests come from), not just the VPN interface. Verify routing:

/ip route print where dst-address~"192.168.1"

Problem: DHCP clients lose connectivity intermittently with reply-only mode

Symptoms: Clients assigned via DHCP randomly lose connectivity, even though the DHCP lease is still valid.

Cause: The default ARP timeout (controlled by /ip settings arp-timeout) is shorter than the DHCP lease time. ARP entries expire before the DHCP lease renews, breaking connectivity.

Solution: Synchronize ARP timeout with DHCP lease duration:

# Option 1: Reduce DHCP lease to match ARP timeout
/ip dhcp-server set [find] lease-time=4h
# Option 2: Increase ARP timeout to match DHCP lease
/ip settings set arp-timeout=1d

Problem: ARP Table fills with “Incomplete” entries

Symptoms: The ARP table is full of entries showing incomplete, potentially causing valid entries to be dropped.

Cause: This often indicates a network scan or DoS attack. RouterOS keeps incomplete entries until the table reaches a specific threshold (1/4 of max-neighbor-entries).

Solution: Increase the maximum neighbor limit if you have sufficient RAM, or investigate the source of the scan.

/ip settings set max-neighbor-entries=8192

The default ARP timeout is 30 seconds. The actual validity time is randomized within the range [timeout/2, timeout*3/2] (15s–45s with default setting) to prevent synchronization storms where all devices refresh ARP at once. For stable networks, you might increase this to reduce broadcast traffic.

/ip settings set arp-timeout=5m

Note: With arp-timeout=5m, actual entry validity will be 2.5–7.5 minutes.

If you need the router to proxy ARP for a single specific IP rather than a whole interface, use a Published ARP entry.

/ip arp add address=192.168.2.50 mac-address=00:00:00:00:00:00 interface=ether2 published=yes

Note: The mac-address is ignored; the router uses its own interface MAC.
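To make the proxy-arp and local-proxy-arp modes, the published single-IP entry just described, and the "no route to the VPN client" troubleshooting case concrete, here is an added Python model of the decision the router makes when an ARP request arrives on an interface. It is not RouterOS code and simplifies what the kernel does; the topology, MACs and routes are constructed to match the diagram on this page, and the rule set is an assumption: answer for the interface's own address or a published address in any mode except disabled, additionally answer under proxy-arp when the target is reachable through a different interface, and under local-proxy-arp even when it is reachable through the same one.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class Iface:
    name: str
    mac: str                          # the MAC the router answers with (constructed)
    address: str                      # as in /ip address, e.g. "192.168.1.1/24"
    arp: str = "enabled"              # enabled | proxy-arp | local-proxy-arp | reply-only | disabled
    published: set = field(default_factory=set)  # IPs added with '/ip arp add ... published=yes'


@dataclass
class Router:
    ifaces: dict                                  # name -> Iface
    routes: List[Tuple[str, str]]                 # (prefix, out-interface), e.g. from /ip route

    def next_hop_iface(self, ip: ipaddress.IPv4Address) -> Optional[str]:
        """Longest-prefix match over connected networks plus explicit routes."""
        candidates = [(ipaddress.ip_interface(i.address).network, i.name) for i in self.ifaces.values()]
        candidates += [(ipaddress.ip_network(p), out) for p, out in self.routes]
        best = None
        for net, out in candidates:
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, out)
        return best[1] if best else None


def arp_reply(router: Router, in_iface: str, target_ip: str) -> Optional[str]:
    """Return the MAC the router puts in its ARP reply, or None if it stays silent.
    Assumed rule set (simplified model of the modes described on the page)."""
    iface = router.ifaces[in_iface]
    target = ipaddress.ip_address(target_ip)
    if iface.arp == "disabled":
        return None
    # Every other mode answers for the interface's own IP and for published entries.
    if target == ipaddress.ip_interface(iface.address).ip or str(target) in iface.published:
        return iface.mac
    if iface.arp not in ("proxy-arp", "local-proxy-arp"):
        return None                              # enabled / reply-only: never proxy
    out = router.next_hop_iface(target)
    if out is None:
        return None                              # no route at all: nothing to proxy for
    if out == in_iface and iface.arp == "proxy-arp":
        return None                              # target is on this segment: let it answer itself
    return iface.mac                             # proxy-arp (other interface) or local-proxy-arp (any)


def build_lab(lan_mode: str = "proxy-arp") -> Router:
    """Constructed topology from the diagram: LAN on ether2, VPN client .50 reached via an L2TP interface."""
    return Router(
        ifaces={
            "ether2": Iface("ether2", "02:00:00:00:00:02", "192.168.1.1/24", lan_mode),
            "ether3": Iface("ether3", "02:00:00:00:00:03", "10.0.0.1/24"),
        },
        routes=[("192.168.1.50/32", "l2tp-in1")],   # present only while the VPN client is connected
    )


if __name__ == "__main__":
    lab = build_lab()
    for mode in ("enabled", "proxy-arp", "local-proxy-arp"):
        lab.ifaces["ether2"].arp = mode
        for who in ("192.168.1.50", "192.168.1.20", "10.0.0.5"):
            print(f"{mode:16} Who has {who}? -> {arp_reply(lab, 'ether2', who)}")
    lab.routes = []                                # VPN client dropped: the /32 route disappears
    print("proxy-arp, no route:", arp_reply(lab, "ether2", "192.168.1.50"))
```

The last line is the troubleshooting case above: with the VPN client disconnected, the longest match for 192.168.1.50 falls back to the connected 192.168.1.0/24 on ether2 itself, so proxy-arp stays silent even though it is enabled on the right interface.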

  • DHCP Server: Can automatically create ARP entries for leases with add-arp=yes
  • Bridge Configuration: Required for local-proxy-arp with port isolation using horizon
  • VPN Configuration: PPPoE/PPTP/L2TP servers often need proxy-arp when using same subnet as LAN
  • Firewall: ARP-related filtering available in /ip firewall filter with arp-* matchers