Netgate Discussion Forum

    ARP 00:11:22:ab:cd:ee is using my IP address

    • M
      mohitsharma44
      last edited by mohitsharma44

      Hi!
      I had initially set pfsense to 10.0.0.2 and got the same issue.. I was like fine, I'll move my pfsense to 10.0.0.10.. again the same issue (both times, I verified and double checked that there is no other device on either IP address).
      I thought let's prioritize the issue and let CIMSYS obtain the IP it wants.. so I configured pfsense to obtain IP via DHCP so that I can let ISP router's dhcp server give pfsense a suitable IP... but still.. the same error.

      I have packet captures for when the IP was set to 10.0.0.10 and it looks exactly the same.

      • RicoR
        Rico LAYER 8 Rebel Alliance
        last edited by

        Is your pfSense WAN connected directly with the ISP box or to a switch? Can you try without or another switch?

        -Rico

        • M
          mohitsharma44
          last edited by

          Hi Rico,
          No, there is no switch between the ISP box and pfsense.
          The ISP box has 2 ethernet interfaces and pfsense box is directly plugged in to one of them (and other one is not connected to anything)

          • GertjanG
            Gertjan
            last edited by

            Hummm.
            The qotom box: what were you using before? If you could use another box (ancient PC, VM, whatever), does the "CIMSYS" fellow go away?
            If so, who, except for pfSense, is "living" in this "qotom" box? Who makes it?

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • M
              mohitsharma44
              last edited by mohitsharma44

              I'm not sure about the qotom box tbh. It has a decent rep in home-labbers community as a quiet mini pc. The reviews on Amazon suggest quite a few people are using it as their pfsense box (since it's an i3 and offers AES-NI which aids in VPN especially).

              I wish I could test things on a spare box. Unfortunately, I don't have another box lying around on which I can spin up a pfsense instance either virtual or on baremetal.

              However, about VM, I guess I can get a bit creative and run a pfsense VM instance on my laptop and bridge the ISP connection via my laptop + a host-only network to it, then have another linux VM on that host-only network and see if it can reach the internet or if it faces a similar issue.

              I'll try this experiment in about 9-10 hours and post the update here.

              In the meantime, I'm attaching some screenshots to aid the issue in the topic:

              • Gateway status
                60043470-f924-49d3-b365-a025b81a6d3f-image.png

              • System logs
                0591b081-0136-4720-bb29-c8b9654ca98e-image.png

              Cheers and thanks for suggestions!

              • GertjanG
                Gertjan
                last edited by

                @mohitsharma44 said in ARP 00:11:22:ab:cd:ee is using my IP address:

                CIMSYS

                I tend to say this 'thing' is built into qotom. The "owner" of 00:11:22:xxxxx isn't Google. It's Chinese.
                Does the box have a BIOS? If so, start flipping off most things related to its NICs.

                • J
                  jmbraben @mohitsharma44
                  last edited by

                  @mohitsharma44
                  As @Gertjan has stated...it really sounds like the "CIMSYS" is living in your box...currently you're using igb3 for WAN...what if you move WAN to another interface on the box?

                  And (as @Gertjan already stated)...check the BIOS settings. There is no reference to a management interface on their support page.

                  • dotdashD
                    dotdash
                    last edited by

                    Why don't you try switching the WAN port to igb1 and see if the problem goes away?

                    • M
                      mohitsharma44
                      last edited by mohitsharma44

                      Wife is working from home and is using the only monitor I have so once she is done, I will try and take a look at the network settings in BIOS.

                      I have tried using "all" the interfaces for WAN (on separate occasions, igb0,1,2 and finally igb3) but keep getting the same issue every time. Exact same mac address for that "CIMSYS" thing..

                      Btw, quick update, I have been running pfsense in VM on virtualbox for about an hour or so and I'm not seeing this CIMSYS issue yet. So yeah, I think everything is pointing towards the qotom box being the issue. I'm surprised no one else is seeing this given its popularity as a pfsense box..

                      • M
                        mohitsharma44
                        last edited by

                        Okay, had the VM running pfsense the entire afternoon, not a single CIMSYS issue. Moreover, I've been trying to filter for that CIMSYS device's mac address in my ISP-router-provided-LAN-network (10.0.0.0/24 aka the WAN in this issue's context) tshark -f "ether host 00:11:22:ab:cd:ee" but ... nothing, zip, zilch, nada !!!.

                        Issue is now most likely with the box.
                        I tried looking in the BIOS (it's an American Megatrends BIOS) settings. I could see the 4 Intel I211 chipset based NICs and didn't find anything suspicious in their settings:
                        The gist is:

                        MAC Address: <matches what I'm seeing in pfsense. No reference to CIMSYS>
                        WOL: enabled
                        Link Speed: Auto Negotiated
                        Adapter PBA: ?
                        

                        The only strange part was that the Adapter PBA is missing (seeing a ? next to it) but I think that's beyond this issue.

                        The only configurable parameters for me are the WOL and LinkSpeed. I'm kind of certain it'll not help but I'll try flipping off WOL and see.

                        • M
                          mohitsharma44
                          last edited by

                          Wait wait.. Looks like I spoke too early..
                          Look what I found:

                          โฏ tshark -f "ether host 00:11:22:ab:cd:ee"
                          Capturing on 'Wi-Fi: en0'
                              1   0.000000 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                              2   2.457790 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                              3   7.065529 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                              4   8.294748 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                              5  17.510315 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                              6  37.479151 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                          

                          Things. just. got. interesting!

                          • GertjanG
                            Gertjan
                            last edited by

                            en0 Wifi ?

                            • M
                              mohitsharma44
                              last edited by

                              Yeah, I connected my laptop to the ISP router's wifi and ran the capture on the LAN interface (which was WAN for the pfsense box) in the afternoon.

                              There are quite a few packets in the capture with destination IP in the ARP being some public IP addresses. It doesn't make sense. I think the issue is with the wife's laptop (at the time of capture, this IP was assigned to her laptop). She will investigate more tomorrow and I will post an update in this thread based on our findings.

                              But, fwiw, it's "definitely" not a pfsense issue! 🍾

                              • GertjanG
                                Gertjan
                                last edited by

                                Kill the ISP router WiFi?

                                • M
                                  mohitsharma44
                                  last edited by

                                  I just remembered that I didn't close the loop here.

                                  So, it turns out my wife's company uses some L2 VPN and due to a server misconfiguration, I was seeing the vpn client on her laptop misbehave. She raised a ticket with their IT and the rest is beyond our control.
                                  As far as the issue in my network, after turning off the ISP router's wifi and putting all our devices behind pfsense box, I'm not seeing those issues any more.

                                  Phew! The moment I was about to turn off the capture I saw the smoking gun. I was almost getting ready to call the device malicious and return it.

                                  Thanks for helping look into this issue guys. Much appreciated!

                                  Cheers!

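The tell-tale in the capture posted in this thread is an ARP request whose sender address (the "Tell" field) is a public IP on a 10.0.0.0/24 segment. The following is an added example, not part of the original thread: a small Python filter over tshark's one-line summary output that reports which source MACs send ARP requests from off-subnet addresses. The function name, the local subnet argument and the third sample line are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# tshark one-line summary of an ARP request:
#   <no> <time> <src> → <dst> ARP <len> Who has <target>? Tell <sender>
ARP_REQ = re.compile(
    r"^\s*\d+\s+[\d.]+\s+(?P<src>\S+)\s+\S+\s+\S+\s+ARP\s+\d+\s+"
    r"Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)"
)

def off_subnet_senders(lines, local_net):
    """Map source MAC -> sorted (sender_ip, target_ip) pairs for ARP
    requests whose sender IP does not belong to local_net."""
    net = ipaddress.ip_network(local_net)
    hits = defaultdict(set)
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue  # not an ARP request summary line
        sender = ipaddress.ip_address(m["sender"])
        # An all-zero sender is an ARP probe (RFC 5227), not an anomaly.
        if sender.is_unspecified or sender in net:
            continue
        hits[m["src"]].add((str(sender), m["target"]))
    return {src: sorted(pairs) for src, pairs in hits.items()}

# Lines 1-2 are taken from the capture in the thread; line 3 is a
# constructed, well-behaved request added for contrast.
SAMPLE = """\
    1   0.000000 CIMSYS_ab:cd:ee → Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
    2   2.457790 CIMSYS_ab:cd:ee → Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
    3   3.100000 aa:bb:cc:00:00:01 → Broadcast    ARP 42 Who has 10.0.0.1? Tell 10.0.0.10
""".splitlines()

if __name__ == "__main__":
    for mac, pairs in off_subnet_senders(SAMPLE, "10.0.0.0/24").items():
        for sender, target in pairs:
            print(f"{mac}: asks for {target} claiming to be {sender}")
```

A hit like this points at a host with a second addressing context on the same interface, such as the L2 VPN client identified at the end of the thread, rather than at the firewall reporting the conflict.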
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.