Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    AP with onboard built in NAS abilities/multiple MAC Hardware Layer 2 addresses

    Scheduled Pinned Locked Moved Wireless
    wifimac-addressdhcpethernetstatic mapping
    39 Posts 5 Posters 3.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • M
      michmoor LAYER 8 Rebel Alliance @JonathanLee
      last edited by

      @JonathanLee Each BSSID will get a similar MAC address with the last hex character being different. Represents each WLAN you have set up. Totally normal.

      Firewall: NetGate,Palo Alto-VM,Juniper SRX
      Routing: Juniper, Arista, Cisco
      Switching: Juniper, Arista, Cisco
      Wireless: Unifi, Aruba IAP
      JNCIP,CCNP Enterprise

      JonathanLeeJ 1 Reply Last reply Reply Quote 1
      • JonathanLeeJ
        JonathanLee @michmoor
        last edited by

        @michmoor Thanks for the reply, I understand that I am just wondering If I need to add a mac-ip pair for each of the hardware addresses on the AP if it is in bridge mode so the firewall does not have to do arp requests over and over for the devices it would already know it.

        Make sure to upvote

        M 1 Reply Last reply Reply Quote 0
        • M
          michmoor LAYER 8 Rebel Alliance @JonathanLee
          last edited by

          @JonathanLee what problem are you trying to fix?

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          JonathanLeeJ 1 Reply Last reply Reply Quote 0
          • JonathanLeeJ
            JonathanLee @michmoor
            last edited by JonathanLee

            @michmoor less arp requests/multicasting broadcast storms

            Make sure to upvote

            M johnpozJ 2 Replies Last reply Reply Quote 0
            • M
              michmoor LAYER 8 Rebel Alliance @JonathanLee
              last edited by

              @JonathanLee tbh thats not really a problem. arp is what makes ethernet work. So to ask the question another way, is there something negatively impacting the usability of the network because of ARP?

              Firewall: NetGate,Palo Alto-VM,Juniper SRX
              Routing: Juniper, Arista, Cisco
              Switching: Juniper, Arista, Cisco
              Wireless: Unifi, Aruba IAP
              JNCIP,CCNP Enterprise

              JonathanLeeJ 1 Reply Last reply Reply Quote 0
              • stephenw10S
                stephenw10 Netgate Administrator
                last edited by

                Yeah, are you actually seeing more than one MAC address at pfSense?

                If not then there's no point adding entries for them.

                JonathanLeeJ 1 Reply Last reply Reply Quote 1
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @JonathanLee
                  last edited by johnpoz

                  @JonathanLee said in AP unit has multiple MAC Hardware Layer 2 addresses:

                  ess arp requests/mulicasting

                  While you can trim down multicasting by some devices/OSes - or see your other thread where I block some multicast on my switch.. Arp kind of makes the whole networking thing work ;)

                  Depending on your arp cache on different devices some devices might arp for say their gateway more often then others. I think like the arp cache on windows is only like 30 seconds or some random below that.. While freebsd (pfsense) default to say a 20 min arp cache, etc.

                  But as mentioned already AP are going to normally have multiple mac address, one for the eithernet, one for each radio - and yeah if you create more SSIDs they will create a mac address for those, etc.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                  1 Reply Last reply Reply Quote 1
                  • JonathanLeeJ
                    JonathanLee @stephenw10
                    last edited by

                    @stephenw10 I have seen the 5GHz pop up once and awhile under leases again it will only list the one MAC-IP pair at a time

                    Make sure to upvote

                    1 Reply Last reply Reply Quote 0
                    • JonathanLeeJ
                      JonathanLee @michmoor
                      last edited by JonathanLee

                      @michmoor @stephenw10 @johnpoz

                      This config change actually speeds up my network drastically with noticeable speed increase on the LAN side browsing. No clue why, I assumed that the static arp table would not need it set at the firewall. Again I changed the AP to use IPv6 locally and off automatic maybe that caused the speed increase as I have no IPv6 from my ISP.

                      This is the weird part the arp table now lists hostnames for the other static mac-ip pairing like it is using both but won't list it in the GUI. It should match the correct host name right?

                      Screenshot 2023-06-27 at 3.41.20 PM.png
                      It appears to have swapped the host name and MAC mappings for what is statically assigned here. Is there anyway at all to log a BSSID mapping?

                      Make sure to upvote

                      johnpozJ 1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @JonathanLee
                        last edited by

                        @JonathanLee Your AP should not be pulling dhcp for any mac other than its management IP, which is normally on its ethernet.. Unless your doing wireless uplink, a mesh sort of AP..

                        And your AP using ipv6 for its management would have ZERO to do with clients speed that is for sure..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                        JonathanLeeJ 1 Reply Last reply Reply Quote 1
                        • JonathanLeeJ
                          JonathanLee @johnpoz
                          last edited by

                          @johnpoz Thanks for information today. I did some good researching today. I did get it to mix up the hostname/ip-mac pair in the arp table. I always wondered about the bridge mode if it needed all the mac addresses for the AP

                          Make sure to upvote

                          1 Reply Last reply Reply Quote 0
                          • JKnottJ
                            JKnott @JonathanLee
                            last edited by

                            @JonathanLee said in AP unit has multiple MAC Hardware Layer 2 addresses:

                            Does pfSense require entry for all three MAC addresses for a AP unit like this?

                            Why are you worried about the MACs on the WiFi side of the AP? You'd normally use the LAN interface when configuring it, etc..

                            I don't know how much you know about WiFi, but the frames are a bit more complex than Ethernet, in that WiFi is essentially a bridge between the WiFi device and your LAN. The AP WiFi MACs are generally not a concern. Devices on your LAN will see the MACs of the WiFi device and not the AP.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            JonathanLeeJ 2 Replies Last reply Reply Quote 1
                            • JonathanLeeJ
                              JonathanLee @JKnott
                              last edited by JonathanLee

                              @JKnott thanks for the reply I appreciate you looking at this.

                              Keep in mind I was mostly researching this today. This was my thoughts were durring this adventure until I learned form the forum that the PfSense only needs the RJ45 mapping, others said it depends on the AP also. It has an official bridge mode setting.

                              1. If my AP is in bridge mode, meaning DHCP issues come from PfSense does the Mac addresses on the AP need to be mapped onto the PfSense when devices send out Arp requests to find say the printer, example: devices on wifi sends out arp request for "who has 192.168.1.14" and the printer responded "I do here is my MAC address" again it responds to the AP MAC not what the firewall has listed for this AP. If this AP is in bridge mode does it create some kind of loop as the AP also still has a layer 3 address mapped to it for a different layer 2 address? Meaning could it do a broadcast storm as it is bridged and part of the same network. I know 100% the past I had many broadcast storms with this AP when it was plugged directly into the DSL modem a reset would fix it.

                              2. I only allow static IP addresses from the firewall, so if it's set to not allow unknown IP-MAC addresses in the static ARP table what happens when devices send out ARP requests to the AP's Wi-Fi 5GHz mapping and it has to pass that up to the firewall because it's set in bridge mode, again firewall only sees the local RJ45 connection MAC-IP mapping. It is doing static assignments.

                              3. Does the firewall see any other Arp table mappings for the other Mac addresses listed for the AP. If it's set to ignore unknown that could in theory cause weird Arp requests right? If it was not set to static addresses it would not be such a concern.

                              4. I have a NAS running on the AP that is functioning, this might be why I was thinking about the possibility of ARP storms "broadcast storms" occurring.

                              5. My AP also has timed access with Mac mappings directly on it that work.

                              This was my research today does this AP set to bridge mode need the other mappings for let's say to stop a ARP broadcast storm.

                              Thanks for your interest in this.

                              When I run arp -a on a device it sees the AP mapped to the firewalls MAC-IP pair set for the AP this is when it is facing out so that is why I started to research. If I am on a device and I run arp -a it shows the RJ-45 MAC-IP pair, the WiFi 2.5 and 5GHz macs are not listed. We know they are there because they are in use for wifi, and for when I use SMB for my NAS or for my other NAS it has to go into the WiFi to get to it not to the Firewall. The AP has the USB HDD attached.

                              The reason is for the new experimental ethernet layer 2 filtering testing.

                              Make sure to upvote

                              JKnottJ 1 Reply Last reply Reply Quote 0
                              • JonathanLeeJ
                                JonathanLee @JKnott
                                last edited by JonathanLee

                                @JKnott when I do an ARP -a it shows it mapped on the devices as the RJ-45 of the AP. I thought it would be on device side the Wi-FI MAC not the RJ-45 again, it's bridged right? Hence, why I think it could have broadcast storms looking for the WiFi or 2.4 or 5ghz MAC.

                                BSSID's would see the other MAC mappings within the perspective of the OS level. Why not track this on the firewall too? As we can do layer 2 filtering now.

                                Keep in mind I am just researching this for use with PfSense new experimentalnlayer 2 filtering

                                Do you know if pfSense can spot the BSSID that is in use in any way that you know of if it's in use on a Ethernet RJ-45 port? In Windows 10 you could swap out any device and it if had the same SSID it would connect to it didn't matter it had no BSSID lock down.

                                I did some research on this in the past with the BSSID reports and lock downs. Leading to, if pfSense is doing experimental layer 2 filtering why not start to research the BSSID's too and map them someway?

                                Ref my older research while in college:
                                https://answers.microsoft.com/en-us/windows/forum/all/lock-down-windows-10-devices-wifi-connection/1f29dfde-4508-4866-87cf-e0a330b71ace

                                https://learn.microsoft.com/en-us/answers/questions/573050/lock-down-windows-10-devices-wifi-connection-choic

                                Make sure to upvote

                                johnpozJ JKnottJ 2 Replies Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @JonathanLee
                                  last edited by johnpoz

                                  @JonathanLee if your talking about someone creating a rouge AP (evil twin) and using something like wifi-pumpkin to have users connect to their AP vs the actual AP..

                                  Your AP
                                  MySSID, psk P@55W0rd!

                                  And someone fires up another AP with the same SSID and psk - there is nothing pfsense could do to prevent a client from connecting to that AP..

                                  If you want to lock down a client to only connect to a specific BSSID, keep in mind someone setting up a evil twin AP would more then likely use the same BSSID (mac) as the official one..

                                  How do you think pfsense could have anything to do with such traffic?

                                  edit: your scenario of connecting to the wrong wifi, I had a friend that couldn't figure out why she couldn't print.. Well she was using default SSID "linksys" and was connecting to her neighbors wifi, not hers - heheh So no she couldn't print to the printer on her network ;)

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                                  1 Reply Last reply Reply Quote 1
                                  • JKnottJ
                                    JKnott @JonathanLee
                                    last edited by

                                    @JonathanLee

                                    I think you may be creating your own issues. Why are you so worried about ARP etc. If pfSense or any other device wants to access the AP for configuration, etc., it will do an ARP request and then get the MAC at that time. You can also configure the DHCP server to provide static mappings for the AP or any other device. This is what I do here. Any device I own, other than my main desktop computer and my pfSense box get their addresses that way.
                                    Where would this loop come from? Having a different L2 address for a L3 address wouldn't cause a loop. The old address would be replaced in the ARP cache by the new. Broadcast storms are typically caused by a L2 loop.
                                    As for the ARP cache, anything in it expires after a fairly short time, requiring a new ARP request.

                                    PfSense running on Qotom mini PC
                                    i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                    UniFi AC-Lite access point

                                    I haven't lost my mind. It's around here...somewhere...

                                    1 Reply Last reply Reply Quote 1
                                    • JKnottJ
                                      JKnott @JonathanLee
                                      last edited by

                                      @JonathanLee said in AP unit has multiple MAC Hardware Layer 2 addresses:

                                      when I do an ARP -a it shows it mapped on the devices as the RJ-45 of the AP. I thought it would be on device side the Wi-FI MAC not the RJ-45 again, it's bridged right? Hence, why I think it could have broadcast storms looking for the WiFi or 2.4 or 5ghz MAC.

                                      You're way overthinking this. ARP -a will only show the devices that have connected recently, that is until the cache entry expires. If you don't see something in the cache, then ping it, it will now be in the cache. Again, if you have broadcast storms, it's likely because you created a loop when connecting the various devices. BTW, please say Ethernet or wired connection, rather than "RJ-45", so that you think the way everyone else does. You will never see BSSIDs in pfSense. That's a WiFi only thing.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      JonathanLeeJ 1 Reply Last reply Reply Quote 2
                                      • JonathanLeeJ
                                        JonathanLee @JKnott
                                        last edited by JonathanLee

                                        @JKnott I thought maybe it could someway see the BSSID and the MAC as they are tied together. It could see it if I used I used a wifi card directly installed on the firewall itself I know that. I also found this on Netgate docs.

                                        Per Netgate docs for wifi card:

                                        "Due to the way wireless works in BSS mode (Basic Service Set, client mode) and IBSS mode (Independent Basic Service Set, Ad-Hoc mode), and the way bridging works, a wireless interface cannot be bridged in BSS or IBSS mode. Every device connected to a wireless card in BSS or IBSS mode must present the same MAC address. With bridging, the MAC address passed is the actual MAC of the connected device. This is normally a desirable facet of how bridging works. With wireless, the only way this can function is if all the devices behind that wireless card present the same MAC address on the wireless network."

                                        https://docs.netgate.com/pfsense/en/latest/wireless/bridges.html

                                        Scenario one: Device MAC passed to wireless AP MAC passed to AP Ethernet MAC to PfSense to manage with static mappings.

                                        Scenario two: Device arps out for the AP connected NAS Arp request goes to the AP and AP responses to the device directly again this AP it's in bridge mode so does the AP send the Arp requests up to PfSense still? If so, PfSense says that does not match for my MAC in my static IP mapping for the AP for the NAS I have the Ethernet mapped what does PfSense do with that ARP request?

                                        Scenario three: PfSense is set to dynamically assignment on DHCP. There is no static mappings they are dynamic.

                                        Good research ☺️

                                        Again, they must present the same MAC on the wireless network, so in theory when in
                                        bridge mode it should pass the actual Mac of the connected devices. Again my AP has a huge HDD that is used for my NAS for example and that is what I think use to cause the Strom and noise all the time. It's MAC is a different MAC and not the Ethernet MAC on that same device. The AP device doesn't care about it just let's users connect, it's the firewall that cares as the MAC does not match it's the Ethernet MAC for that device assigned to that IP. So when devices send ARPs out to find the NAS it's still statically assigned with a different MAC at that firewall. The firewall is hypotheticaly like "good day Mr ARP request I don't have that AP NAS mapping, hmmm but I have the Ethernet MAC mapped on this list." The AP's NAS is hypotheticaly like, "I am already past the bouncer, and traffic is flowing and IPs dancing already."

                                        Again with my set up the NAS works currently, but lots of unwanted noise.

                                        You can see above the MAC-IP host names got mix matched when I was testing this. Why would they Mis Match the hostnames?It should stay with the Ethernet hostname as that MAC is mapped to that IP and hostname.

                                        We can agree that, bridges do not break up broadcast domains only the routers do that.

                                        To quote another airport extreme AP user that spoke with Apple support help desk on this, "According to the tech (apple support) the AirPort Extreme is "unpredictable" if you attempt to use USB drives when the router(AP) is in bridge mode.."

                                        That is exactly what I have done. The AP is in bridge mode and it's using the USB drive huge HDD drive at the same time.

                                        Make sure to upvote

                                        JKnottJ 1 Reply Last reply Reply Quote 0
                                        • JKnottJ
                                          JKnott @JonathanLee
                                          last edited by

                                          @JonathanLee said in AP unit has multiple MAC Hardware Layer 2 addresses:

                                          I thought maybe it could someway see the BSSID and the MAC as they are tied together. It could see it if I used I used a wifi card directly installed on the firewall itself I know that. I also found this on Netgate docs.

                                          You appear to be using an AP and not a WiFi card. This means there's no way pfSense can see the SSID.

                                          PfSense running on Qotom mini PC
                                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                          UniFi AC-Lite access point

                                          I haven't lost my mind. It's around here...somewhere...

                                          JonathanLeeJ 1 Reply Last reply Reply Quote 0
                                          • JonathanLeeJ
                                            JonathanLee @JKnott
                                            last edited by JonathanLee

                                            @JKnott BSSID is what I am saying. That is the MAC mapping of that WiFi network.

                                            "SSID, BSSID, and ESSID are all descriptions of wireless networks. However, these three terms have slightly different meanings which are described here. An access point is only one of many devices that make up a wireless network and the Basic Service Set Identifier (BSSID) refers to any device in the WLAN.

                                            Basic Service Set Identifiers (BSSID) are 48-bit labels that identify which devices conform to MAC-48 conventions. These identifiers are usually linked with a wireless access points MAC address, like when the identifier is sent in an AP beacon but can not be seen without some type of signal analyzer or radio tool."

                                            That's the MAC tied to my NAS usb drive within the airport extreme itself.

                                            Ref: https://internetspeedtest.world/wiki/bssid

                                            There for the reason for the mixed host name with multiple Mac IP mappings, and why I have configured pfSense this way it's for my airport extreme with NAS running in bridge mode. It just works better for me. Under normal non NAS APs, just one MAC would be needed here. However I need two layer 2 addresses because of the NAS for ARP requests to work for it.

                                            Bridges work on the data link layer. This will send everything to the firewall even the ARP request to find the NAS.

                                            Make sure to upvote

                                            JKnottJ 1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.