ARP Entries learnt from multiple interfaces across zerotier network, creating large arp table


We have started using zerotier as a management network overlay to connect to our mgmt LANs of our CPE’s and I must first say it’s fantastic how good this works.

I noticed by accident when looking at the arp table for one of our routers, they seem to be learning all of the interfaces of each mikrotik, so zerotier, the lan interfaces and then public interfaces.

And our ARP table is over 480 entires with only around 18 members, this could become excessive as we deploy more into the network.

Is there a way for us to limit what interfaces send data through ZT go through zerotier?

For example our WAN IP is being sent through ZT to create an ARP entry in the other members ARP table, we do not want this to happen.

I imagine this is either flow rules in ZT or firewall rules on the Mikrotik, I’m just struggling to find articles to help.

We use the below rules regarding our ZT interface, I expect its something simple but currently can’t see the wood from the trees.

/ip firewall filter
add action=accept chain=forward in-interface=zerotier1
add action=accept chain=input in-interface=zerotier1
add action=accept chain=output dst-address=OFFICE-SUBNET/23 out-interface=zerotier1 src-address=LAN GATEWAY
add action=drop chain=output dst-address=OFFICE-SUBNET/23 out-interface=zerotier1 src-address=LAN SUBNET/24
add action=drop chain=output dst-address=LAN SUBNET/9 out-interface=zerotier1 src-address=LAN SUBNET/24

Any help would be greatly appreciated.

Our ZT flow rules are default, although we have just added in the client isolation rules.

Many Thanks

So update,

If anyone has this issue in future, you just need to change the interfaces zerotier has access to via the instance on the Mikrotik.

This then stops the MAC address bleed.

By default it creates itself on all interfaces, so just change it to be the specific ones you need and your WAN interface.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.