Netgate Discussion Forum

How to avoid ARP spoof on WAN port?

General pfSense Questions
pedropt
last edited by May 10, 2015, 11:57 PM

Hi everyone, I have been doing some tests on my pfSense, and I noticed that if I launch an arpspoof against the modem to which the firewall's WAN port is connected, I can redirect the traffic from the firewall to my laptop and then on to the router!!!
I have a static IP configured on the WAN port, and that does not stop arpspoof from succeeding!!!
What am I missing here?

Harvy66
last edited by May 11, 2015, 12:05 AM

You don't stop ARP spoofing, you detect it and kick the offending device off the network. Unless you have a managed switch that can lock physical ports down to certain MAC addresses, there's not much you can do; it's an Ethernet issue.

almabes
last edited by May 11, 2015, 12:17 AM

Keep your firewall and modem directly connected to each other and under your physical control.

pedropt
last edited by May 11, 2015, 5:22 PM

I know that I can trace when my firewall has an alternative route to the gateway; for that I just need to run a traceroute from any computer connected to the firewall to an external IP. But what I found more interesting is that I have a static IP address on the WAN port and DHCP disabled on the modem port, and even with that, arpspoof still works!!!!
Is there any way to retrieve the MAC address of the LAN port on the modem where the firewall is connected, by executing some command on the console?
I did not activate the ARP suppress option on the firewall; does anyone have an idea what that is for?

Thanks.

almabes
last edited by May 11, 2015, 5:27 PM

Diagnostics > ARP Table should tell you what you're looking for. Load the NMAP package, too. That will give you manufacturer info most anywhere there's a MAC in the webConfigurator.

pedropt
last edited by May 11, 2015, 9:24 PM

Thanks for the info, I got the LAN MAC from the modem.
In the WAN configuration I saw a field to put a MAC address; I thought it could be an option to set a specific MAC address that the WAN port should only request from and respond to, but I looked further and it has nothing to do with that.
That MAC address is for configuring an alternative, spoofed MAC address so that the firewall does not reveal its real MAC address to the modem.
However, I was unable to configure any MAC address in it because it always tells me that it is a wrong MAC address.

heper
last edited by May 11, 2015, 9:58 PM

That MAC address is for configuring an alternative, spoofed MAC address so that the firewall does not reveal its real MAC address to the modem.

What does it matter if your modem knows the "real" MAC address or one you picked yourself? MAC addresses are supposed to be known, for Ethernet to work.

There is no way to stop ARP spoofing with any firewall/router … but any MITM by ARP spoofing will generate a lot of traffic.
I'm pretty sure you could use Snort to detect ARP storms, but any real attacker would just change MAC and start over and over.

This is a problem you'd have to fix on a hardware level and not on a >=L3 level.

pedropt
last edited by May 11, 2015, 10:19 PM

There is a way to stop ARP spoofing on routers, by enabling the "client isolation" option.
I have one router that allows me to do that.
What it does is not allow computers to talk with each other on the same subnet, only with the router.

almabes
last edited by May 11, 2015, 11:09 PM

@heper:

This is a problem you'd have to fix on a hardware level and not on a >=L3 level.

Thus my initial, somewhat simplistic approach. If your WAN is directly plugged into your modem/router, and there is no switch or hub or other device allowing shared access, then is this an actual issue?

Harvy66
last edited by May 11, 2015, 11:41 PM

@pedropt:

There is a way to stop ARP spoofing on routers, by enabling the "client isolation" option.
I have one router that allows me to do that.
What it does is not allow computers to talk with each other on the same subnet, only with the router.

Either they're not in the same subnet, but can still technically talk to each other, or your router is also integrated into the switch.

pedropt
last edited by May 11, 2015, 11:52 PM

Either they're not in the same subnet, but can still technically talk to each other, or your router is also integrated into the switch.

On the same subnet; I did some tests some time ago with that option activated and it works.
However, I never tried whether file sharing is allowed by the router with that option activated.
Anyway, it could be interesting in future upgrades of pfSense to have an option on WAN ports for configuring the MAC address behind the WAN port.

Basically what ARP spoof does is tell the WAN port that the gateway is at xx:xx:XX:xx:XX; if the WAN port gets a configuration with a specific MAC address to respond to and request from only, then it will ignore requests from other MAC addresses.
The only way that ARP spoof can work with this option activated in pfSense (in future) is for the attacker to change its MAC to the MAC that the WAN port on the firewall is listening to.
I believe that providing that option is a good start to avoid, or to start to get rid of, these attacks.

Harvy66
last edited by May 12, 2015, 12:22 AM

The only way to stop two clients from talking is for the switch to block them. By default, clients do not communicate outside of their subnet, but there's nothing stopping them.

I see DHCP supports static ARP, but I don't see a UI option for general ARP. You could run the command manually. You'd need to make sure your script gets run every reboot.

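As an added example, not code from this thread or from pfSense itself, here is the "run the command manually" approach from Harvy66's last post together with the table check that heper's detection remark and pedropt's "respond only to one MAC" idea point at, written as a POSIX sh script for the FreeBSD base pfSense runs on. The gateway IP and MAC are placeholders (take the real ones from Diagnostics > ARP Table as almabes describes), and the two `arp -an` listings it inspects are constructed samples, not captures.

```shell
#!/bin/sh
# Added example (not pfSense code): pin the WAN gateway's MAC with a permanent
# ARP entry and inspect an "arp -an" listing for the signs of a poisoned gateway.
# Placeholder values (assumed): replace with the modem's LAN IP and MAC.
GW_IP="${GW_IP:-192.168.1.1}"
GW_MAC="${GW_MAC:-00:11:22:33:44:55}"

# Accept only six colon-separated hex pairs.
valid_mac() {
    printf '%s' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# Print the FreeBSD arp(8) command that makes the gateway entry permanent.
# "arp -S" first deletes any existing (possibly poisoned) entry for the address.
static_arp_cmd() {
    valid_mac "$2" || return 1
    printf 'arp -S %s %s\n' "$1" "$2"
}

# Read an "arp -an" listing on stdin and print "ok" when the gateway IP maps to
# the expected MAC, "mismatch" when another MAC answers for it, and "missing"
# when there is no entry at all. Line format: "? (IP) at MAC on IFACE ...".
check_gateway_mac() {
    found=$(awk -v ip="($1)" '$2 == ip { print tolower($4); exit }')
    expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    if [ -z "$found" ]; then echo missing
    elif [ "$found" = "$expected" ]; then echo ok
    else echo mismatch
    fi
}

# Print every MAC that appears for more than one IP in the listing on stdin.
# One MAC claiming both the gateway IP and a host IP is the usual footprint of
# a machine answering ARP on the gateway's behalf.
duplicate_macs() {
    awk '{ m = tolower($4); seen[m]++ } END { for (m in seen) if (seen[m] > 1) print m }'
}

# Constructed sample listings (not real captures). In the second, the gateway
# IP is answered by the MAC of 192.168.1.50.
SAMPLE_OK='? (192.168.1.1) at 00:11:22:33:44:55 on em0 expires in 1196 seconds [ethernet]
? (192.168.1.50) at 00:aa:bb:cc:dd:ee on em0 expires in 900 seconds [ethernet]'
SAMPLE_SPOOFED='? (192.168.1.1) at 00:aa:bb:cc:dd:ee on em0 expires in 1196 seconds [ethernet]
? (192.168.1.50) at 00:aa:bb:cc:dd:ee on em0 expires in 900 seconds [ethernet]'

# "apply" pins the entry on this box (needs root), "check" inspects the live
# table; with no argument the script only runs the checks on the samples.
case "${1:-}" in
    apply) cmd=$(static_arp_cmd "$GW_IP" "$GW_MAC") || { echo "bad MAC: $GW_MAC" >&2; exit 1; }
           $cmd ;;
    check) arp -an | check_gateway_mac "$GW_IP" "$GW_MAC"
           arp -an | duplicate_macs ;;
    *)
        printf 'clean table: %s\n'    "$(printf '%s\n' "$SAMPLE_OK" | check_gateway_mac "$GW_IP" "$GW_MAC")"
        printf 'poisoned table: %s\n' "$(printf '%s\n' "$SAMPLE_SPOOFED" | check_gateway_mac "$GW_IP" "$GW_MAC")"
        ;;
esac
```

To have the pin survive a reboot, as Harvy66 notes is necessary, the `apply` command can be registered with the pfSense Shellcmd package so it runs at boot. Two caveats that follow from the thread: the permanent entry only protects the firewall's own ARP cache, so the modem's table can still be poisoned for the firewall's IP (heper's point that this is an Ethernet-level problem), and the entry has to be updated by hand if the modem or its LAN interface is ever replaced.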
                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.