Default net.ipv4.conf.all.proxy_arp=1 introduces duplicate IP when OpenWrt interface is active for VLAN

Equin · June 2, 2024, 9:08pm

Team, recently I had to configure very simple switch using two ports and cpu untagged for vlan_1:

config device
option name 'eth0.1'
option type '8021q'
option ifname 'eth0'
option vid '1'

config switch_vlan
option device 'switch0'
option ports '0 1 6'
option vlan '1'

and discovered strange behavior when an OpenWrt interface created on eth0.1 (to allow OpenWrt management on this vlan) introduced duplicate IPs for all subnet, including the gateway. Figured it out with arping that returned two MAC addresses - the original non-OpenWrt switch MAC and OpenWrt one.

sysctl net.ipv4.conf.all.proxy_arp=0 did the trick, but I'd like to ask if these Luci options for device like Honor gratuitous ARP and Drop gratuitous ARP play any role here? I tried all combos of these two options but only manual sysctl net.ipv4.conf.all.proxy_arp=0 actually works.

Probably I missed something and would welcome any idea if it is manageable via Luci.

Update: finally found that it was mesh11sd daemon (needed for mesh management), see the bottom of this tread for details.

brada4 · June 2, 2024, 9:42pm

No, gratutious arp is unrelated. proxy_arp fix to not respond own mapping back was submitted upstream, if you can test if snapshot works, then next stable release also will.

Equin · June 3, 2024, 3:59am

I've just tried today's build - the issue is still there. Here is some details:

The interface configured on eth0.1 and interface autostart disabled, rebooted to get default settings with disabled interface:

# sysctl -a | grep ipv4.*proxy_arp
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.all.proxy_arp_pvlan = 1
net.ipv4.conf.br-lan.proxy_arp = 1
net.ipv4.conf.br-lan.proxy_arp_pvlan = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 1
net.ipv4.conf.eth0/1.proxy_arp = 0
net.ipv4.conf.eth0/1.proxy_arp_pvlan = 0
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0

Starting the interface on eth0.1 via Luci:

# sysctl -a | grep ipv4.*proxy_arp
net.ipv4.conf.all.proxy_arp = 1
net.ipv4.conf.all.proxy_arp_pvlan = 1
net.ipv4.conf.br-lan.proxy_arp = 1
net.ipv4.conf.br-lan.proxy_arp_pvlan = 1
net.ipv4.conf.default.proxy_arp = 1
net.ipv4.conf.default.proxy_arp_pvlan = 1
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.eth0.proxy_arp_pvlan = 1
net.ipv4.conf.eth0/1.proxy_arp = 1
net.ipv4.conf.eth0/1.proxy_arp_pvlan = 1
net.ipv4.conf.lo.proxy_arp = 0
net.ipv4.conf.lo.proxy_arp_pvlan = 0

so, after start it enables proxy_arp for this interface.

But the problem is much deeper - let's disable all proxy_arp for both vlan and parent device:

# sysctl net.ipv4.conf.eth0.proxy_arp=0; sysctl net.ipv4.conf.eth0.proxy_arp_pvlan=0; sysctl net.ipv4.conf.eth0/1.proxy_arp=0; sysctl net.ipv4.conf.eth0/1.proxy_arp_pvlan=0
net.ipv4.conf.eth0.proxy_arp = 0
net.ipv4.conf.eth0.proxy_arp_pvlan = 0
net.ipv4.conf.eth0/1.proxy_arp = 0
net.ipv4.conf.eth0/1.proxy_arp_pvlan = 0

arping of interface IP still shows two MAC addresses.

Only global proxy_arp off helps to get rid of dupes:

sysctl net.ipv4.conf.all.proxy_arp=0

I remember I tried to troubleshoot this strange behavior years ago, trying to manipulate proxy_arp on interface level (no luck) and I suspect there is a kind of bug in the kernel with arp proxy logic...

brada4 · June 3, 2024, 4:44am

You can find arptables rule in the thread to block arp reflection, or wait for release with patch included:

github.com/openwrt/openwrt

Wi-Fi Proxy ARP breaks poorly implemented DHCP clients

opened 08:54PM - 31 Dec 23 UTC

Ambr051us

target/mediatek bug release/23.05 Official Image Supported Device

### Describe the bug The "Proxy ARP" feature of hostapd (tested with wpad-wolfs…sl and wpad-mbedtls) breaks DHCP duplicate address detection on some clients. DHCP clients are supposed to send out an "ARP Who Has" message with the IP address offered to them. IF this so-called "Gratuitous ARP request" gets a response, that means the offered address is already in use and the client sends a DHCPDECLINE. There are some poor implementations out there (many of which are closed-source of course), which send a DHCPACK very quickly after the gratuitous ARP request, maybe even before it. (I assume that hostapd only starts answering ARP requests on behalf of clients once it has seen a DHCPACK or some ARP packet indicating the address being in use, so the bug technically happens on the clients here). This can lead to hostapd answering the gratuitous ARP causing the client to decline the address it just ACK-ed and try again. I'm opening this because it's easier to fix hostapd than all the bad DHCP implementations that are already out in the wild. What hostapd does (sending an ARP response on behalf of a client _to the same client_) is not violating any spec strictly speaking, but it would be sane not to do. I'm not familiar with the hostapd codebase and not even sure whether it has an actively maintained upstream (Wikipedia lists 3 actively maintained implementations). I've run into the issue using OpenWRT so I came here, I hope someone knows where the "if requesting MAC address matches the proxy response's MAC address, don't send the proxy response" condition can be added to the code. ### OpenWrt version r23630-842932a63d ### OpenWrt release 23.05.2 ### OpenWrt target/subtarget mediatek/mt7622 ### Device Xiaomi Redmi Router AX6S ### Image kind Official downloaded image ### Steps to reproduce 1) Enable 'Proxy ARP' on an SSID, preferably on 2.4 GHz (I've never seen this happen on 5 GHz). Have a DHCP server running in the network somewhere (having it on a separate device from the one running the wireless AP probably increases the chance of seeing the bug) 2) Connect a client to the SSID, which has a "poor" implementation of DHCP. TP-Link Tapo cameras are a known example, possibly also iPhone 8 and older Apple products. 3) Observe the infinitely repeating DHCPDISCOVER->DHCPOFFER->DHCPACK->DHCPDECLINE cycle with a packet sniffer or in the DHCP server's log ### Actual behaviour An infinitely repeating cycle of DHCPDISCOVER -> DHCPOFFER -> DHCPACK -> Proxy_ARP response to gratuitous request -> DHCPDECLINE ### Expected behaviour Never answering ARP requests with the same address as the requester ### Additional info _No response_ ### Diffconfig _No response_ ### Terms - [X] I am reporting an issue for OpenWrt, not an unsupported fork.

Or disable (ie not enable) proxy_arp in the meantime.

Equin · June 3, 2024, 5:09am

Finally found who does the mess! It's mesh11sd package (I have mesh uplink on this node):

# grep proxy_arp /usr/sbin/mesh11sd
	echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp
	echo 1 > /proc/sys/net/ipv4/conf/default/proxy_arp
	echo 1 > /proc/sys/net/ipv4/conf/$device/proxy_arp
	echo 1 > /proc/sys/net/ipv4/conf/all/proxy_arp_pvlan
	echo 1 > /proc/sys/net/ipv4/conf/default/proxy_arp_pvlan
	echo 1 > /proc/sys/net/ipv4/conf/$device/proxy_arp_pvlan

By default all proxy_arp are off in the system after boot - how it should be. No issues with OpenWrt at all but with the mesh11sd package, that enables it "just in case".

To resolve it I just changed "1" to "0" in /usr/sbin/mesh11sd, so now it looks:

	echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp
	echo 0 > /proc/sys/net/ipv4/conf/default/proxy_arp
	echo 0 > /proc/sys/net/ipv4/conf/$device/proxy_arp
	echo 0 > /proc/sys/net/ipv4/conf/all/proxy_arp_pvlan
	echo 0 > /proc/sys/net/ipv4/conf/default/proxy_arp_pvlan
	echo 0 > /proc/sys/net/ipv4/conf/$device/proxy_arp_pvlan

system · June 13, 2024, 5:10am

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.