Netgate Discussion Forum
    Am I getting "Static ARP" wrong?

scilek @johnpoz

      @johnpoz

      I definitely missed that in my haste to get it to work.

      I ticked that checkbox and tried again. It did not work.

      But then I remembered something. This LAN interface is a bridge between a Wi-Fi and an ethernet interface. Could that be cause of the problem?

scilek @scilek

        @scilek

        Oh, I think I've got the hang of it now. I missed that.

        Thank you very much.

JKnott @scilek

          @scilek

Are you sure that's what you want? You will have to set the static ARP on every device that might communicate with it. Normally, a static IP mapping is used. Also, creating a static ARP will not prevent someone from configuring an address. When that happens, the device will now respond to both addresses. To understand why this happens you have to look at the purpose of ARP. It is to match a MAC address with an IP address; all communications with the device are actually done with the MAC address and the IP address, and ARP is only a means to determine that MAC address. By using a static ARP, you simply bypass the ARP request and reply.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

scilek @JKnott
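The behaviour JKnott describes above (a static entry only pins the answer on the host that holds it, and a second device that configures the same IP still answers for it) can be shown with a small ARP-cache model. This is an added example, not code from the thread, pfSense or FreeBSD; the hosts, IPs and MACs are constructed, and the toy assumes every host accepts unsolicited (gratuitous) replies into a dynamic entry, which real operating systems differ on.

```python
"""Toy ARP-cache model (constructed example): one host with a static
(permanent) entry, one with a dynamic entry, and a rogue host that
reconfigures itself to the victim's IP address."""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    static: bool = False        # True == permanent, like `arp -S` on FreeBSD


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    cache: dict = field(default_factory=dict)   # ip -> ArpEntry
    log: list = field(default_factory=list)

    def add_static(self, ip, mac):
        """Equivalent of an operator pinning ip -> mac on this host only."""
        self.cache[ip] = ArpEntry(mac, static=True)

    def on_arp_reply(self, ip, mac):
        """Learn from a reply, solicited or not. A permanent entry is never
        overwritten (FreeBSD logs an 'attempts to modify permanent entry'
        message instead); a dynamic entry is simply replaced."""
        entry = self.cache.get(ip)
        if entry and entry.static:
            self.log.append(f"{self.name}: ignored {ip} -> {mac} (permanent entry)")
            return False
        self.cache[ip] = ArpEntry(mac)
        return True

    def next_hop_mac(self, lan, ip):
        """Resolve ip: answer from the cache if present (this is the
        'bypass the request/reply' step), otherwise broadcast and take the
        first host on the segment that claims the address."""
        if ip in self.cache:
            return self.cache[ip].mac
        for h in lan:
            if h.ip == ip:
                self.on_arp_reply(ip, h.mac)
                return h.mac
        return None


def receivers(lan, frame_dst_mac):
    """Frames are delivered by MAC, not IP: whoever owns the MAC gets them."""
    return [h.name for h in lan if h.mac == frame_dst_mac]


def scenario():
    printer = Host("printer", "192.168.1.10", "00:11:22:33:44:55")
    admin = Host("admin", "192.168.1.2", "00:aa:bb:cc:dd:01")
    guest = Host("guest", "192.168.1.3", "00:aa:bb:cc:dd:02")
    rogue = Host("rogue", "192.168.1.99", "de:ad:be:ef:00:01")
    lan = [printer, admin, guest, rogue]

    admin.add_static(printer.ip, printer.mac)   # static ARP on admin only
    guest.next_hop_mac(lan, printer.ip)         # guest learns dynamically

    # The rogue host reconfigures itself to the printer's address and
    # announces it; nothing on the wire stops it from doing so.
    rogue.ip = printer.ip
    for h in lan:
        if h is not rogue:
            h.on_arp_reply(rogue.ip, rogue.mac)

    return {
        "admin_sends_to": receivers(lan, admin.next_hop_mac(lan, printer.ip)),
        "guest_sends_to": receivers(lan, guest.next_hop_mac(lan, printer.ip)),
        "claimants": [h.name for h in lan if h.ip == printer.ip],
        "admin_log": admin.log,
    }


if __name__ == "__main__":
    for k, v in scenario().items():
        print(f"{k}: {v}")
```

The result is the thread's point in miniature: `admin` keeps talking to the real printer because its permanent entry ignored the rogue reply, `guest` now sends the same traffic to the rogue host, and both `printer` and `rogue` are legitimate claimants of the IP as far as the segment is concerned. The static entry changed nothing about what the rogue could do; it only changed which host `admin` trusts.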

            @jknott said in Am I getting "Static ARP" wrong?:

            Are you sure that's what you want?

            Yes.

            @jknott said in Am I getting "Static ARP" wrong?:

            You will have to set the static ARP on every device that might communicate with it.

            Someone else is going to do that.

            @jknott said in Am I getting "Static ARP" wrong?:

            Also, creating a static ARP will not prevent someone from configuring an address.

            Yes, I know.

            @jknott said in Am I getting "Static ARP" wrong?:

            When that happens, the device will now respond to both addresses.

            When the user configures a MAC and an IP address?

            @jknott said in Am I getting "Static ARP" wrong?:

            To understand why this happens you have to look at the purpose of ARP. It is to match a MAC address with an IP address and all communications with the device are actually done with the MAC address and the IP address & ARP is only a means to determine that MAC address.

            I know.

            @jknott said in Am I getting "Static ARP" wrong?:

            By using a static ARP, you simply bypass the ARP request & reply.

            I didn't know that, thanks for the information.

JKnott @scilek

              @scilek said in Am I getting "Static ARP" wrong?:

              When that happens, the device will now respond to both addresses.

              When the user configures a MAC and an IP address?

              Yes. Setting a static ARP on computer A has no effect on setting the address on B. It will still be able to get an address with DHCP or static config. If you set up a static mapping on the DHCP server, you will get the address you want. If a user changes to a static address, you are no worse off than you were before. Also, computers should not allow mere mortals to be changing this. A big problem with Windows is so many users run as admin, which leaves the system wide open to malware, in addition to letting users tamper with things they shouldn't. That generally doesn't happen with Linux.

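JKnott's point above is that a user switching to a static address is not prevented by anything in the ARP table, so the useful check is to notice when it happens. FreeBSD (and therefore pfSense) logs an IP moving between MACs as `arp: <ip> moved from <mac> to <mac> on <if>` and a reply that collides with a permanent entry as `arp: <mac> attempts to modify permanent entry for <ip> on <if>`. The script below, an added example rather than anything from the thread or pfSense, parses such messages and compares them against the expected IP-to-MAC mappings; the log lines, interface name and mappings are constructed to match those message formats.

```python
"""Audit FreeBSD/pfSense kernel ARP messages against expected IP -> MAC
mappings (constructed example; sample lines imitate the kernel's format)."""
import re
from collections import Counter, defaultdict

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
MOVED = re.compile(
    rf"arp: (?P<ip>\d+(?:\.\d+){{3}}) moved from (?P<old>{MAC}) to (?P<new>{MAC}) on (?P<ifc>\S+)"
)
PERMANENT = re.compile(
    rf"arp: (?P<mac>{MAC}) attempts to modify permanent entry for (?P<ip>\d+(?:\.\d+){{3}}) on (?P<ifc>\S+)"
)

# Constructed sample syslog excerpt: one IP flapping between two MACs, one
# rogue reply against a permanent entry, and one unrelated DHCP line.
SAMPLE_LOG = """
Jun  3 10:15:01 fw kernel: arp: 192.168.1.10 moved from 00:11:22:33:44:55 to de:ad:be:ef:00:01 on igb1
Jun  3 10:15:02 fw kernel: arp: de:ad:be:ef:00:01 attempts to modify permanent entry for 192.168.1.20 on igb1
Jun  3 10:15:09 fw kernel: arp: 192.168.1.10 moved from de:ad:be:ef:00:01 to 00:11:22:33:44:55 on igb1
Jun  3 10:16:00 fw dhcpd: DHCPACK on 192.168.1.31 to 00:aa:bb:cc:dd:31 via igb1
""".strip().splitlines()

# Constructed: what the DHCP static mappings / arp -S entries say should be true.
EXPECTED = {
    "192.168.1.10": "00:11:22:33:44:55",
    "192.168.1.20": "00:11:22:33:44:66",
}


def parse(line):
    """Return a dict describing an ARP event, or None for unrelated lines."""
    m = MOVED.search(line)
    if m:
        return {"kind": "moved", **m.groupdict()}
    m = PERMANENT.search(line)
    if m:
        return {"kind": "permanent_conflict", **m.groupdict()}
    return None


def audit(lines, expected):
    """Return (findings, move_counts): findings maps each IP to the sorted
    set of MACs that claimed it without being its expected owner;
    move_counts is how often each IP flapped (any move is worth a look,
    repeated moves almost certainly mean two hosts share the address)."""
    findings = defaultdict(set)
    moves = Counter()
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["kind"] == "moved":
            moves[ip] += 1
            for mac in (ev["old"], ev["new"]):
                if expected.get(ip) not in (None, mac):
                    findings[ip].add(mac)
        else:
            # The kernel refused to overwrite a permanent entry: the sender
            # is, by definition, not the MAC the operator pinned.
            findings[ip].add(ev["mac"])
    return {ip: sorted(macs) for ip, macs in findings.items()}, dict(moves)


if __name__ == "__main__":
    found, counts = audit(SAMPLE_LOG, EXPECTED)
    for ip, macs in found.items():
        print(f"{ip}: unexpected claimant(s) {', '.join(macs)} (moves: {counts.get(ip, 0)})")
```

Run against a real `/var/log/system.log` this only reports what the kernel already saw; it does not stop the second host from answering, which is exactly the limitation the post describes. The `moved` messages are controlled by the `net.link.ether.inet.log_arp_movements` sysctl, so confirm it is enabled before relying on them.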
johnpoz (Global Moderator) @scilek

@scilek running static ARP on your network is a bit of overkill more often than not.. What exactly are you trying to stop or mitigate from happening exactly?

If you're worried about users changing their IP to get around rules, the simple solution to that is just to make sure none of the rules call out a specific IP. All devices on VLAN X can do or can not do whatever - doesn't matter what IP they have..

If your network is set up correctly - it would be almost impossible for a device to just change VLANs.. They shouldn't be able to plug into any other port. They should have the creds to get on a wifi that is a different VLAN, etc.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

scilek @JKnott

                  @jknott said in Am I getting "Static ARP" wrong?:

                  Setting a static ARP on computer A has no effect on setting the address on B. It will still be able to get an address with DHCP or static config. If you set up a static mapping on the DHCP server, you will get the address you want. If a user changes to a static address, you are no worse off than you were before.

                  Yes, I am aware of the fact and I can live with that. The users will be notified that their device MAC addresses will be their signatures so they are supposed to keep them secret.

                  @jknott said in Am I getting "Static ARP" wrong?:

                  Also, computers should not allow mere mortals to be changing this. A big problem with Windows is so many users run as admin, which leaves the system wide open to malware, in addition to letting users tamper with things they shouldn't.

                  That is not possible. Now, even smartphones come with an option to hide their real MAC address.

                  @jknott said in Am I getting "Static ARP" wrong?:

                  That generally doesn't happen with Linux.

                  FreeBSD rules.

scilek @johnpoz

                    @johnpoz said in Am I getting "Static ARP" wrong?:

                    running static arp on your network is a bit of overkill more often then not.. What exactly are you trying to stop or mitigate from happening exactly?

                    I am trying to associate users with devices, and prevent unauthorized device access and make sure the same device gets the same IP address every time and not allow another device to use it.

                    @johnpoz said in Am I getting "Static ARP" wrong?:

                    If your network is setup correctly - it would be almost impossible for device to just change vlans.. They shouldn't be able to plug into any other port. They should have the creds to get on a wifi that is different vlan, etc.

Assigning each user a specific VLAN is not an option, since they don't have manageable switches. I must do this using DHCP, Captive Portal and FreeRADIUS alone.

JKnott @scilek

                      @scilek

It looks like you're creating more problems than you're solving. As for phones, are those personal or company-owned phones? If company, then you have the situation where the owner (company) can create users that don't have full rights. At least that's the case with Android. Also, you might consider only letting personal phones on a guest WiFi, with company phones connecting to the main LAN by logging into the domain controller. Both Android and iPhone support that.

                      Again, your idea of using static ARP will accomplish nothing.

JKnott @scilek

                        @scilek said in Am I getting "Static ARP" wrong?:

since they don't have manageable switches

                        WTF?

                        What sort of business doesn't have a managed switch? Even home users can have them, as they're so cheap. Avoid TP-Link though.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.