Expired

VII. Router Diagnostics

Expired

ARP Address Mismatch

Products:
Vigor 2620Ln
Vigor 2760
Vigor 2762
Vigor 2763
Show all

Keywords:
ARP
ARP Spoofing
ARP accept
Block ARP
Show all

The most common mode used for WAN Ethernet interfaces on DrayTek routers is Static or Dynamic mode. This setup needs ARP protocol to communicate with directly connected networking devices, usually your ISP. If your provider's edge device is not responding to ARP requests, clients usually get an ARP reply from a different ISP's router. This can be detected by your DrayTek router and the following syslog error message is produced:
“Arp address mismatch – Source MAC address doesn’t match ARP Sender’s MAC address”.
Similar symptoms may occur when Link Aggregation or NIC teaming for a server is enabled.
When ARP spoofing is enabled, Vigor routers regard the ARP packet as illegal and drops it since its Ethernet source address does not match the MAC address of ARP sender.

This article demonstrates how network administrators can allow Vigor routers to accept illegal ARP responses. This section describes how to disable that option.
It is also possible to accept ARP reply packets if Ethernet destination address does not match the MAC address of the ARP receiver.

There are two configuration methods to accept illegal ARP responses:

Setup on GUI (available since firmware version 3.8.8 or later)

1. Go to [Firewall] > [Defense Setup], then click Spoofing Defense

kb arp address mismatch 01

2. In the ARP Spoofing Defense section

  1. Disable “Block ARP replies with inconsistent source MAC addresses” to accept illegal ARP source mac reply packets
  2. Disable “Block ARP replies with inconsistent destination MAC addresses” to accept illegal ARP destination mac reply packets
  3. Click OK

kb arp address mismatch 02

Now your Vigor router accepts illegal ARP packets.
A packet capture between router's WAN interface and the ISP can be conducted. From the image below we can see that the Sender MAC address and the Source MAC address (which replies to the router's ARP requests) are different.

kb arp address mismatch 03

Telnet command (On firmware version 3.8.7 or older)

1. Telnet into Vigor Router

2. Use the following command

ip arp accept 1


The router should respond with “Accept illegal ARP source mac REPLY packets” message.

kb arp address mismatch 04

3. Reboot the router

4. Now your Vigor router accepts illegal ARP packets.
A packet capture between router's WAN interface and the ISP can be conducted. From the image below we can see that the Sender MAC address and the Source MAC address (which replies to the router's ARP requests) are different.

kb arp address mismatch 05

How to disable accepting illegal ARP responses (enabled by default)?

To disable Vigor router from accepting those packets, use the following command

ip arp accept 0

The router should respond with “Drop illegal ARP source mac REPLY packets" message.

kb arp address mismatch 06

Accept ARP reply packets if Ethernet destination address does not match the MAC address of the ARP receiver

The ARP reply packets will be regarded as illegal when Ethernet destination address does not match the MAC address of ARP receiver. To allow Vigor router to accept those packets, use the following command

ip arp accept 3

To disallow Vigor router to accept those packets, use the this command instead

ip arp accept 2

 

kb arp address mismatch 07