Netgate Discussion Forum

    How to turn off dynamic ARP on LAN? and use static ARP table

    General pfSense Questions
    14 Posts 5 Posters 12.7k Views
      lokapal

      Hello, pfsense gurus!  8)
      I've googled for some time, and I cannot find a clear reply to these simple questions:
      1. How to turn off dynamic ARP resolution on LAN?
      2. How to fill and use a static ARP table for LAN without a DHCP server (DHCP server turned off)?

        lokapal

        I created a script to do it myself over SSH, but now the question is how to tell arp -S that I want to add an ARP entry on the LAN (rl0) interface rather than the WAN (re0) interface. arp -S adds the static entry to WAN and, obviously, the router cannot be connected with…

          podilarius

          Probably "arp -i rl0 -S <options>". Derived from reading the man page.
          http://nixdoc.net/man-pages/FreeBSD/arp.8.html

            lokapal

            @podilarius:

            Probably "arp -i rl0 -S <options>". Derived from reading the man page.
            http://nixdoc.net/man-pages/FreeBSD/arp.8.html

            quote from man:
            arp [-n] [-i interface] hostname
            arp [-n] [-i interface] -a

            later on:
            -i interface
                Limit the operation scope to the ARP entries on interface.
                Applicable to the display operations only.

            As a result: arp: -i not applicable to this operation
            :-(

              Metu69salemi

              What if the arp -f option could be used?

                lokapal

                @Metu69salemi:

                What if the arp -f option could be used?

                Surely I use -f, 'cause my table has almost a full /24 size - nearly 230 IP addresses and MACs. It doesn't matter - even from the manual of original FreeBSD I cannot understand how to force arp resolution onto a definite adapter. Frankly speaking, it is a very stupid situation - the current mode only works on desktops with ONE network card, whereas servers frequently have 2-5 interfaces, and servers really do need static ARP…

                  lokapal

                  Well, I checked it out; it's a major flaw of FreeBSD  :'(
                  Any Linux system has a much more configurable arp command - each operation has an interface suboption. It's marvelous that FBSD has grown up to 8.2 and still doesn't have it :-( Probably pfsense could/should take this program from the Linux sources….

                    jimp (Rebel Alliance Developer, Netgate)

                    Why are you trying to do this manually? Static ARP is set on the DHCP server settings, and it can be controlled per-interface.

                    Whether or not an interface does static or dynamic arp is controlled with the ifconfig command, not the arp command. The arp command sets static arp entries for IP:MAC, and it figures out which interface that applies to on its own based on the routing table and interface config.

                    ifconfig rl0 staticarp

                    Will force only static ARP on rl0.

                    ifconfig rl0 -staticarp

                    Will switch back to dynamic ARP on rl0.

                    Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                    Need help fast? Netgate Global Support!

                    Do not Chat/PM for help!

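The two commands above are the whole mechanism; what a practitioner still needs is a safe way to get a few hundred entries into the table before flipping the interface to staticarp. The following POSIX shell script is an added example, not code from the thread or from pfSense itself. It validates a table in the format arp -f reads, refuses duplicate IPv4 entries, and applies it in the order that avoids losing reachability: arp -f first, then ifconfig <if> staticarp. The interface name rl0 and the 192.0.2.0/24 addresses in the comments and test data are constructed. As jimp notes, arp(8) picks the interface from the routing table, so the table file carries no interface name; the DHCP server setting he mentions remains the persistent way to do this in pfSense.

```shell
#!/bin/sh
# Added example (not from the thread): validate a static ARP table in the
# format arp -f reads, then apply it and switch the interface to static ARP.
# Table format, one entry per line (arp(8) -f):
#   <ipv4-address> <mac-address> [temp] [pub]
# The interface name and addresses used in comments/tests are constructed.

# Succeed if $1 is a dotted quad with every octet in 0..255.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Succeed if $1 is a colon-separated 48-bit MAC address.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}$'
}

# Check every entry of table file $1; report each bad line on stderr.
validate_arp_table() {
    table=$1
    status=0
    lineno=0
    set -f                            # no globbing while splitting fields
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        set -- ${line%%#*}            # drop comments, split into fields
        [ $# -eq 0 ] && continue      # blank or comment-only line
        if [ $# -lt 2 ] || [ $# -gt 4 ]; then
            echo "line $lineno: expected '<ip> <mac> [temp] [pub]'" >&2
            status=1
            continue
        fi
        is_ipv4 "$1" || { echo "line $lineno: bad IPv4 address '$1'" >&2; status=1; }
        is_mac "$2"  || { echo "line $lineno: bad MAC address '$2'" >&2; status=1; }
        shift 2
        for flag in "$@"; do
            case $flag in
                temp|pub) ;;
                *) echo "line $lineno: unknown flag '$flag'" >&2; status=1 ;;
            esac
        done
    done < "$table"
    set +f
    return $status
}

# Print the number of entries in table file $1.
arp_table_count() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { c++ } END { print c + 0 }'
}

# Print IPv4 addresses listed more than once in table file $1 (nothing if none).
arp_table_duplicates() {
    sed 's/#.*//' "$1" | awk 'NF >= 2 { n[$1]++ } END { for (ip in n) if (n[ip] > 1) print ip }'
}

# Load table $2 and put interface $1 into static ARP mode. Entries are loaded
# before staticarp is set so no reachable host drops out in between. With
# DRY_RUN=1 the commands are printed instead of executed.
apply_static_arp() {
    iface=$1
    tbl=$2
    validate_arp_table "$tbl" || return 1
    if [ -n "$(arp_table_duplicates "$tbl")" ]; then
        echo "refusing to load $tbl: duplicate IPv4 addresses" >&2
        return 1
    fi
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "arp -f $tbl"
        echo "ifconfig $iface staticarp"
        return 0
    fi
    arp -f "$tbl" && ifconfig "$iface" staticarp
}
```

Run it as root on the firewall with `DRY_RUN=1 apply_static_arp rl0 /path/to/table` first to see the commands it would issue. The order matters because of what staticarp does per ifconfig(8): the interface then only answers ARP requests for its own addresses and never sends any, so any LAN host missing from the table becomes unreachable from the firewall the moment the flag is set; `ifconfig rl0 -staticarp` is the way back if that happens.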
                      dhatz

                      What is the recommended way to protect a pfSense / FreeBSD box from classic ARP poisoning attacks?

                      There doesn't seem to be a tool like Linux's arptables (http://linux.die.net/man/8/arptables).
                      It doesn't seem possible to disable gratuitous ARP.

                      Is staticarp the only way ?

                        jimp (Rebel Alliance Developer, Netgate)

                        There isn't really a standard way - that sort of thing should be handled on your switches.

                        There are some other tools that have come out that sound promising, but no packages have been made that I'm aware of.

                        This one looks to be the best bet:
                        http://arpon.sourceforge.net/


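Even with prevention left to the switches, as jimp says, the firewall can still watch its own ARP table for the traces a poisoning attempt leaves behind. The script below is an added example, not part of the thread or of any pfSense package: it compares two `arp -an` snapshots and reports IPs whose MAC changed between them and MACs that answer for more than one IP in the current snapshot. It assumes FreeBSD's `arp -an` line format (`? (ip) at mac on iface ...`, with `(incomplete)` for unresolved entries); the snapshots in the test are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of "arp -an"
# taken on the firewall and flag the table changes an ARP poisoning attempt
# leaves behind. Assumes FreeBSD's output format, e.g.
#   ? (192.0.2.10) at 00:11:22:33:44:55 on rl0 expires in 1183 seconds [ethernet]
#   ? (192.0.2.50) at (incomplete) on rl0 expired [ethernet]

# Print "ip mac iface" for every resolved entry in snapshot file $1.
arp_normalise() {
    awk '/\) at / && $4 != "(incomplete)" {
        ip = $2; gsub(/[()]/, "", ip); print ip, $4, $6
    }' "$1"
}

# IPs whose MAC differs between baseline ($1) and current ($2) snapshot.
# Output: "ip old_mac -> new_mac", one per line.
arp_changed_macs() {
    awk '/\) at / && $4 != "(incomplete)" {
        ip = $2; gsub(/[()]/, "", ip)
        if (FILENAME == ARGV[1]) base[ip] = $4
        else if ((ip in base) && base[ip] != $4) print ip, base[ip], "->", $4
    }' "$1" "$2"
}

# MACs that answer for more than one IP within a single snapshot ($1).
# Output: "mac ip ip ...", one MAC per line, sorted.
arp_shared_macs() {
    awk '/\) at / && $4 != "(incomplete)" {
        ip = $2; gsub(/[()]/, "", ip)
        ips[$4] = (ips[$4] == "") ? ip : (ips[$4] " " ip)
        n[$4]++
    }
    END { for (m in n) if (n[m] > 1) print m, ips[m] }' "$1" | sort
}

# Run both checks; exit 0 when the table is quiet, 1 when anything was flagged.
arp_check() {
    changed=$(arp_changed_macs "$1" "$2")
    shared=$(arp_shared_macs "$2")
    [ -n "$changed" ] && printf 'MAC changed:\n%s\n' "$changed"
    [ -n "$shared" ]  && printf 'MAC shared by several IPs:\n%s\n' "$shared"
    [ -z "$changed" ] && [ -z "$shared" ]
}

# Typical use on the firewall (not run here):
#   arp -an > /var/db/arp.baseline        # taken while the LAN is known-good
#   arp -an > /tmp/arp.now && arp_check /var/db/arp.baseline /tmp/arp.now
```

Treat a hit as a signal to investigate rather than a verdict: a replaced NIC, a DHCP lease moving to another machine, or CARP/VRRP virtual MACs also produce MAC changes and shared MACs. Where the LAN interface already runs with staticarp and a full table, this check mostly confirms that the table stays as loaded.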
                          dhatz

                          Thx jimp, I know about ArpOn and even suggested adding it to pfSense, in the packages-wishlist thread some weeks ago.

                          Another one I've found is http://acm.poly.edu/wiki/ARP_Counterattack

                            jimp (Rebel Alliance Developer, Netgate)

                            That one hasn't had a release in over a year, but that may or may not mean anything significant there.

                            It probably wouldn't be too hard to add packages for either of those, if someone with the right knowledge had a bit of time to do it.

                              dhatz

                              The author, Boris Kochergin, seems pretty active. Doing some googling, one finds that he, for example, presented the tool at a NYC BSD group a couple of months ago: http://www.nycbug.org/index.php?NAV=Home;SUBM=10310

                                jimp (Rebel Alliance Developer, Netgate)

                                Yeah, I try not to judge only on release time, especially given how long pfSense has historically gone between releases :-)

                                You might try adding a bounty to see if there is any interest in someone putting together a package there.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.