Windows can't connect to the internet
-
Possibly Windows machines refresh their ARP table faster.
Maybe machines running other OSes are not rebooted every five minutes! ;)Still seems very odd.
Steve
-
Very true!! I believe windows would be some random time between 15 and 45 seconds unless modified
http://support.microsoft.com/kb/949589
on linux, for example ubuntu I show this
net.ipv4.neigh.eth1.gc_stale_time = 60So that should be 60 seconds?
But doesn't this come into play as well?
net.ipv4.neigh.eth1.locktime = 100One way to prevent this from happening again would be to create a static arp entry on each machine for the pfsense IP.
-
One way to prevent this from happening again would be to create a static arp entry on each machine for the pfsense IP.
And/Or create dhcp snooping protection from switches
-
Hi guys,
thanks for all your thoughts on this, and thank Johnpoz, for the interesting lecture about arp and windows. I surely don't understand why microsoft always do things different as standard rfc's mention and are able to get their own rules packed in slightly different rfc's. most of the time they create vulnerabilities, if not reboot every 5 minutes ;-)
anyway it seems I do have some studying to do the coming days to get some working measures on the network segment. I'll let you know what I will get working.the guy with the iphone had his hotspot settings enabled with indeed the same gateway address and all things hotspots need to do enabled like handing out ip addresses, and so on. he stated he wasn't aware but I think his battery should have been empty every few hours.
anyway, maybe a little bit early but I start the weekend after last week's stress and I hope the see you all again soon, bye for now, Fons
-
Hi Guys,
it happened again, last friday and this morning. but another macaddress acted as or was reached as a dhcp server. not the same macaddress from last thursday.
it seems this always starts at about 9:30, coming in time for most of the workers and it stops after 30 to 60 minutes.
this morning I was to late to start wireshark to intercept all udp traffic. I'll give it a go tomorrow.
what I do think now that this isn't a badly configured smartphone or computer but some malware capable of acting like a dhcp server to attrack others on the same network. A network virus maybe.
One problem to find it is the fact that I don't have access to all the hardware on the network. The only I provide on this network segment is connection and bandwith, the only hardware I'm responsable for is the firewall, two switches and a printer. As far as I can see there's nothing misconfigured in any of those.
So no chance to alter arp tables or add static arp for me. I can only advise themBut a question came up: on PfSense I got a floating rule on all internal segments for udp on 67 & 68, which is granted to and from any.
I had a equal rule working on my former shorewall and it always worked fine. should I narrow the functionality for this rule?
As far as I can see it would not help against an extra dhcp server on the same network segment, especially not when it is spoofing macaddresses or acting as the gateway address.any clues?
regards, Fons
-
Why do you think you even need that rule?
So is this dhcp server also having the same IP as your pfsense box?
-
Hi Johnpoz,
this dhcp server is indeed using the same ip-adres as the pfsense box
the rule is necessary because we leave all ports closed unless needed.
fons
-
I do not believe it is, since its one of those rules in the default set
http://doc.pfsense.org/index.php/How_can_I_see_the_full_PF_ruleset
So on mine if I do a pfctl -sa I see these rules which I did not create!
pass in quick on em0 inet proto udp from any port = bootpc to 255.255.255.255 port = bootps keep state label "allow access to DHCP server"
pass in quick on em0 inet proto udp from any port = bootpc to 192.168.1.253 port = bootps keep state label "allow access to DHCP server"
pass out quick on em0 inet proto udp from 192.168.1.253 port = bootps to any port = bootpc keep state label "allow access to DHCP server"So your specific rules become pointless? Since dhcp is part of the default rules.
Kind of wish the interface showed all the rules!!! And just locked the default rules like the above from delete. Kind of need them if your running a dhcp server on pfsense ;) Which sadly some users would not understand and not create the rules if not done for them, and then wonder why their dhcp server didn't work.
btw - just for clarity, I picked .253 as my pfsense lan IP, because many devices default to .1 or .254 – so you run into issues like what your seeing when you use a common IP. 192.168.2 is very common as well for many routers, and such. I personally would change your pfsense lan IP to not be on the ends and or even change your segment to be less common. 192.168.3 is not used by any devices that I recall for example.
-
Hi Johnpoz,
I wasn't aware of all the default rules on the pfsense box. apparently they come up when you activate a service. and indeed, it would be nice if default rules would be visible in the rule sets.
Used as I was to shorewall where I had to open up every specific port. That's why I call myself a newbie to pfsense, but learning as hell. ;-)I will disable the specific rule tonight and add some testing.
thanks, Fons
-
that would solve your issues if you have rouge dhcp server on the network. Just the that the rule is not required and keeps the listing cleaner. No reason for duplicate rules, etc.
