
ARP

ARP (Address Resolution Protocol) maps IPv4 addresses to MAC addresses on a local network segment. RouterOS implements ARP per-interface with configurable modes that control how the router participates in ARP — from standard dynamic learning to proxy ARP for cross-segment routing.

This documentation covers ARP modes, ARP table management, static entries, and gratuitous ARP behavior during VRRP failover.

RouterOS supports five ARP modes, configured per interface via the arp property. The default is enabled.

| Mode | Description |
| --- | --- |
| enabled | Standard ARP — interface learns ARP entries dynamically and responds to ARP requests for its own addresses |
| disabled | ARP is completely disabled on the interface; no ARP requests are sent or answered |
| proxy-arp | Router answers ARP requests on behalf of other hosts, enabling routing across L2 segments in the same IP subnet |
| local-proxy-arp | Like proxy-arp, but restricted to traffic between hosts on the same interface; forces local hosts to route via the router |
| reply-only | Interface responds to ARP requests for known entries only; no dynamic ARP learning occurs |

/interface print detail where arp~"proxy"
/interface ethernet print detail where arp=reply-only

When proxy-arp is enabled on an interface, the router responds to ARP requests for IP addresses that it can route to, even when those addresses are not local to the interface. The requesting host updates its ARP cache with the router’s MAC address and sends traffic to the router, which then forwards it to the actual destination.

This is useful when hosts in the same IP subnet are physically separated by a routing boundary — for example, a wireless segment and a wired LAN sharing the same 192.168.1.0/24 subnet but on different interfaces.

Enable proxy ARP on an interface:

/interface ethernet set [find name=ether1] arp=proxy-arp

On a bridge interface:

/interface bridge set [find name=bridge1] arp=proxy-arp

On a wireless interface:

/interface wireless set [find name=wlan1] arp=proxy-arp

Verify the configuration:

/interface print detail where arp~"proxy"

local-proxy-arp is a stricter variant used when you want to force all traffic — even between hosts on the same interface — to go through the router. This is common on wireless access points where client isolation is desired while still allowing clients to reach each other via router-enforced policy.

/interface wireless set [find name=wlan1] arp=local-proxy-arp

When an interface is set to reply-only, the router responds to ARP requests only for IP-MAC pairs that already exist in the ARP table. Dynamic ARP learning is disabled — no new entries are learned from ARP traffic on that interface. The ARP table is populated exclusively from static entries or DHCP leases when add-arp=yes is configured on the DHCP server.

reply-only is commonly used to prevent unauthorized hosts from communicating on a network segment. Only hosts with a matching ARP entry can resolve their gateway, effectively blocking unknown devices.

Configuring Reply-Only with Static Entries

# Set the interface to reply-only
/interface ethernet set [find name=ether2] arp=reply-only
# Add allowed hosts as static ARP entries
/ip arp add address=192.168.10.10 mac-address=AA:BB:CC:DD:EE:01 interface=ether2
/ip arp add address=192.168.10.11 mac-address=AA:BB:CC:DD:EE:02 interface=ether2

When a DHCP server manages the interface, enable add-arp so the server populates ARP entries automatically as leases are assigned:

# DHCP server creates ARP entries on lease assignment
/ip dhcp-server set [find name=dhcp1] add-arp=yes
# Interface only replies for entries known to the ARP table
/interface ethernet set [find name=ether2] arp=reply-only

With this configuration, only hosts that have a DHCP lease (and therefore a corresponding ARP entry) can communicate through the interface.

Static ARP entries bind a specific IP address to a specific MAC address permanently. Unlike dynamic entries, static entries do not age out and are not overwritten by ARP traffic.

/ip arp add address=192.168.88.10 mac-address=AA:BB:CC:DD:EE:FF interface=bridge1

A published ARP entry causes the router to respond to ARP requests for that IP address with the specified MAC — this is per-entry proxy ARP behavior. Published entries are used when you want the router to answer ARP for a specific IP without enabling proxy ARP on the entire interface.

/ip arp add address=192.168.88.20 mac-address=11:22:33:44:55:66 interface=bridge1 published=yes

The router will answer ARP requests for 192.168.88.20 with MAC 11:22:33:44:55:66, regardless of whether that host is present on the interface.
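An offline review of an exported configuration can surface the ARP settings described above that change which addresses the router answers for. The following is an added example, not part of the RouterOS documentation: it parses only the command forms shown on this page, the sample config is constructed, and the function and finding names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample, written in the command forms shown on this page.
SAMPLE_CONFIG = """\
/interface ethernet set [find name=ether1] arp=proxy-arp
/interface ethernet set [find name=ether2] arp=reply-only
/interface ethernet set [find name=ether3] arp=reply-only
/ip arp add address=192.168.10.10 mac-address=AA:BB:CC:DD:EE:01 interface=ether2
/ip arp add address=192.168.10.11 mac-address=aa:bb:cc:dd:ee:01 interface=ether2
/ip arp add address=192.168.88.20 mac-address=11:22:33:44:55:66 interface=bridge1 published=yes
"""

IFACE_SET = re.compile(r"^/interface \S+ set \[find name=([^\]\s]+)\] (.+)$")
ARP_ADD = re.compile(r"^/ip arp add (.+)$")

def props(text):
    """Turn 'key=value key=value' into a dict."""
    return dict(tok.split("=", 1) for tok in text.split() if "=" in tok)

def audit(config):
    """Return sorted (interface, finding, detail) tuples for review."""
    modes, entries, findings = {}, [], set()
    for line in map(str.strip, config.splitlines()):
        if m := IFACE_SET.match(line):
            mode = props(m.group(2)).get("arp")
            if mode:
                modes[m.group(1)] = mode
        elif m := ARP_ADD.match(line):
            entries.append(props(m.group(1)))
    by_mac, static_on = defaultdict(set), set()
    for e in entries:
        iface, ip = e.get("interface", "?"), e.get("address", "?")
        static_on.add(iface)
        by_mac[(iface, e.get("mac-address", "").upper())].add(ip)
        if e.get("published") == "yes":
            # Router answers ARP for this IP whether or not the host exists.
            findings.add((iface, "published-entry", ip))
    for (iface, mac), ips in by_mac.items():
        if len(ips) > 1:  # likely a copy/paste slip in the allow-list
            findings.add((iface, "mac-bound-to-multiple-ips", mac))
    for iface, mode in modes.items():
        if mode in ("proxy-arp", "local-proxy-arp"):
            findings.add((iface, "router-answers-for-other-hosts", mode))
        elif mode == "reply-only" and iface not in static_on:
            # Table can then only be filled by DHCP with add-arp=yes.
            findings.add((iface, "reply-only-without-static-entries", mode))
    return sorted(findings)
```

A reply-only interface flagged here is only a problem if no DHCP server with add-arp=yes serves it; the audit cannot see that mapping from these commands alone.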

/ip arp print
/ip arp print detail

RouterOS ARP entries carry flags in the print output:

| Flag | Meaning |
| --- | --- |
| D | Dynamic — learned automatically from ARP traffic |
| C | Complete — MAC address has been resolved |
| P | Published — router answers ARP requests for this entry |
| X | Disabled |

An entry without the D flag is a manually added static entry. An entry without the C (complete) flag is incomplete: the MAC address for that IP has not yet been resolved.

# Show all ARP entries
/ip arp print
# Detailed view with all properties
/ip arp print detail
# Filter by interface
/ip arp print where interface=bridge1
# Filter by IP address
/ip arp print where address=192.168.88.10
# Show only dynamic entries
/ip arp print where dynamic=yes
# Show only static entries
/ip arp print where dynamic=no

Flush all entries (including static):

/ip arp remove [find]

Flush only dynamic entries, preserving static and published entries:

/ip arp remove [find dynamic=yes]

After dynamic entries are removed, RouterOS relearns ARP mappings as traffic resumes. This is useful for troubleshooting stale ARP entries without disrupting manually configured bindings.

A gratuitous ARP is an unsolicited ARP announcement — a host broadcasts an ARP reply without receiving a prior ARP request. The purpose is to update the ARP caches of other devices on the network segment. Devices that receive a gratuitous ARP update their cache to associate the announced IP with the new MAC address.

VRRP (Virtual Router Redundancy Protocol) uses gratuitous ARP to ensure fast convergence when a failover occurs. When a Backup router transitions to Master state, RouterOS automatically sends gratuitous ARP packets announcing the virtual IP address with the virtual MAC address. LAN hosts receive this announcement and update their ARP caches to point the virtual IP to the new Master’s virtual MAC.

This is the primary Layer 2/3 convergence mechanism for IPv4 first-hop redundancy. Hosts do not need to wait for their existing ARP entries to expire.

# Router A — higher priority, preferred Master
/interface vrrp add interface=bridge1 name=vrrp1 vrid=10 priority=110 version=3
/ip address add address=192.0.2.2/24 interface=bridge1
/ip address add address=192.0.2.1/24 interface=vrrp1
# Router B — lower priority, Backup
/interface vrrp add interface=bridge1 name=vrrp1 vrid=10 priority=100 version=3
/ip address add address=192.0.2.3/24 interface=bridge1
/ip address add address=192.0.2.1/24 interface=vrrp1

Gratuitous ARP is sent automatically on Master transition — no additional configuration is required.

Some hosts or switches may retain stale ARP entries briefly after a VRRP failover despite receiving gratuitous ARP packets. This is typically caused by:

  • Operating system ARP cache policies that ignore or delay applying gratuitous ARP
  • Switch port security features that restrict MAC address updates
  • High ARP cache timeouts on client devices

If convergence is slow, verify that nothing on the network is suppressing ARP broadcasts or filtering unsolicited ARP replies.
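When checking a capture taken during failover, the announcement can be recognized by its sender IP matching its target IP and by the VRRP virtual MAC. This is an added example, not part of the RouterOS documentation: the payload bytes are constructed, the function names are hypothetical, and the 00:00:5E:00:01:{VRID} MAC format is taken from RFC 5798 rather than from this page.

```python
import ipaddress
import struct

# Constructed ARP payloads (not captured traffic): opcode 2, sender IP 192.0.2.1.
GARP_FROM_MASTER = bytes.fromhex(
    "0001080006040002" "00005e00010a" "c0000201" "ffffffffffff" "c0000201")
GARP_UNEXPECTED = bytes.fromhex(
    "0001080006040002" "aabbccddee99" "c0000201" "ffffffffffff" "c0000201")


def vrrp_virtual_mac(vrid):
    """IPv4 VRRP virtual MAC, 00:00:5E:00:01:{VRID} (RFC 5798)."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return "00:00:5E:00:01:%02X" % vrid


def parse_arp(payload):
    """Decode a 28-byte Ethernet/IPv4 ARP payload, or return None."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "oper": oper,
        "sender_mac": ":".join("%02X" % b for b in sha),
        "sender_ip": str(ipaddress.IPv4Address(spa)),
        "target_ip": str(ipaddress.IPv4Address(tpa)),
    }


def classify(payload, virtual_ip, vrid):
    """Classify one ARP payload seen on the VRRP LAN segment."""
    arp = parse_arp(payload)
    if arp is None:
        return "not-ipv4-arp"
    if arp["sender_ip"] != virtual_ip:
        return "unrelated"
    if arp["sender_mac"] != vrrp_virtual_mac(vrid):
        # Something other than the VRRP Master is announcing the gateway IP.
        return "virtual-ip-claimed-by-unexpected-mac"
    # Gratuitous ARP: sender and target protocol address are the same.
    if arp["sender_ip"] == arp["target_ip"]:
        return "vrrp-gratuitous-arp"
    return "vrrp-arp-reply" if arp["oper"] == 2 else "vrrp-arp-request"
```

With the VRRP configuration above, the expected call is `classify(payload, "192.0.2.1", 10)`.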

The /ip settings set send-redirects option controls whether the router sends ICMP Redirect messages to hosts. This setting is independent of ARP behavior and does not affect whether VRRP sends gratuitous ARP during failover.

# Disable ICMP redirects (does not affect VRRP gratuitous ARP)
/ip settings set send-redirects=no