Netgate Discussion Forum

    ARP 00:11:22:ab:cd:ee is using my IP address

    Routing and Multi WAN
    17 Posts 5 Posters 3.2k Views
    • Gertjan

      @mohitsharma44 said in ARP 00:11:22:ab:cd:ee is using my IP address:

      CIMSYS

      I tend to say this 'thing' is built into qotom. The "owner" of 00:11:22:xxxxx isn't Google. It's Chinese.
      Does the box have a BIOS? If so, start flipping off most things related to its NICs.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • jmbraben @mohitsharma44

        @mohitsharma44
        As @Gertjan has stated...it really sounds like the "CIMSYS" is living in your box...currently you're using igb3 for WAN...what if you move WAN to another interface on the box?

        And (as @Gertjan already stated)...check the BIOS settings. There is no reference to a management interface on their support page.

        • dotdash

          Why don't you try switching the WAN port to igb1 and see if the problem goes away?

          • mohitsharma44

            Wife is working from home and is using the only monitor I have so once she is done, I will try and take a look at the network settings in BIOS.

            I have tried using "all" the interfaces for WAN (on separate occasions, igb0,1,2 and finally igb3) but keep getting the same issue every time. Exact same mac address for that "CIMSYS" thing..

            Btw, quick update, I have been running pfsense in VM on virtualbox for about an hour or so and I'm not seeing this CIMSYS issue yet. So yeah, I think everything is pointing towards the qotom box being the issue. I'm surprised no one else is seeing this given its popularity as a pfsense box..

            • mohitsharma44

              Okay, had the VM running pfsense the entire afternoon, not a single CIMSYS issue. Moreover, I've been trying to filter for that CIMSYS device's mac address in my ISP-router-provided-LAN-network (10.0.0.0/24 aka the WAN in this issue's context) tshark -f "ether host 00:11:22:ab:cd:ee" but ... nothing, zip, zilch, nada !!!.

              Issue is now most likely with the box.
              I tried looking in the BIOS (it's an American Megatrends bios) settings. I could see the 4 Intel I211 chipset based NICs and didn't find anything suspicious in their settings:
              The gist is:

              MAC Address: <matches what I'm seeing in pfsense. No reference to CIMSYS>
              WOL: enabled
              Link Speed: Auto Negotiated
              Adapter PBA: ?
              

              The only strange part was that the Adapter PBA is missing (seeing a ? next to it) but I think that's beyond this issue.

              The only configurable parameters for me are the WOL and LinkSpeed. I'm kind of certain it'll not help but I'll try flipping off WOL and see.

              • mohitsharma44

                Wait wait.. Looks like I spoke too early..
                Look what did I find:

                โฏ tshark -f "ether host 00:11:22:ab:cd:ee"
                Capturing on 'Wi-Fi: en0'
                    1   0.000000 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                    2   2.457790 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                    3   7.065529 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                    4   8.294748 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                    5  17.510315 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                    6  37.479151 CIMSYS_ab:cd:ee โ†’ Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
                

                Things. just. got. interesting!

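As an added example (not part of the original posts): a small Python filter for tshark's one-line ARP summaries that flags requests whose "Tell" (sender) address lies outside the local subnet, which is the anomaly visible in the capture above. The 10.0.0.0/24 network comes from the thread; the function name, the regex and the last two sample lines are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# ISP-router LAN named in the thread; change for the segment being monitored.
LOCAL_NET = ipaddress.ip_network("10.0.0.0/24")

# tshark one-line summary of an ARP request:
#   <no> <time> <src> → <dst> ARP <len> Who has <target>? Tell <sender>
ARP_REQ = re.compile(
    r"^\s*\d+\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+\S+\s+\S+\s+"
    r"ARP\s+\d+\s+Who has (?P<target>[\d.]+)\?\s+Tell (?P<sender>[\d.]+)"
)

# Lines 1-3 are taken from the capture in the thread; lines 4-5 are constructed.
SAMPLE = """\
    1   0.000000 CIMSYS_ab:cd:ee → Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
    2   2.457790 CIMSYS_ab:cd:ee → Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
    3   7.065529 CIMSYS_ab:cd:ee → Broadcast    ARP 42 Who has 10.0.0.205? Tell 3.218.96.150
    4   9.100000 Example_01:02:03 → Broadcast    ARP 42 Who has 10.0.0.1? Tell 10.0.0.23
    5   9.100412 Example_0a:0b:0c → Example_01:02:03 ARP 42 10.0.0.1 is at 00:00:5e:00:53:0c
"""


def off_subnet_arp(lines, local_net=LOCAL_NET):
    """Group ARP requests whose sender IP is outside local_net by source MAC label.

    Returns {src: [(time, target_ip, sender_ip), ...]}. Lines that are not
    ARP requests (replies, other protocols, headers) are skipped.
    """
    hits = defaultdict(list)
    for line in lines:
        m = ARP_REQ.match(line)
        if not m:
            continue
        sender = ipaddress.ip_address(m["sender"])
        if sender in local_net:
            continue  # normal: the asker claims an address on this segment
        hits[m["src"]].append((float(m["time"]), m["target"], str(sender)))
    return dict(hits)


if __name__ == "__main__":
    for src, events in off_subnet_arp(SAMPLE.splitlines()).items():
        senders = sorted({sender for _, _, sender in events})
        print(f"{src}: {len(events)} ARP requests claiming off-subnet sender(s) {senders}")
```

A host on the segment should only ever put an address from that segment in the ARP sender field, so any hit points at a misconfigured client, bridge or tunnel endpoint worth tracing by MAC.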
                • Gertjan

                  en0 Wifi ?

                    • mohitsharma44

                    Yeah, I connected my laptop to the ISP router's wifi and ran the capture on the LAN interface (which was WAN for the pfsense box) in the afternoon.

                    There are quite a few packets in the capture with destination IP in the ARP being some public IP addresses. It doesn't make sense. I think the issue is with the wife's laptop (at the time of capture, this IP was assigned to her laptop). She will investigate more tomorrow and I will post an update in this thread based on our findings.

                    But, fwiw, it's "definitely" not a pfsense issue! 🍾

                      • Gertjan

                      Kill the ISP router Wifi ?

                        • mohitsharma44

                        I just remembered that I didn't close the loop here.

                        So, it turns out my wife's company uses some L2 VPN and due to a server misconfiguration, I was seeing the vpn client on her laptop misbehave. She raised a ticket with their IT and the rest is beyond our control.
                        As far as the issue in my network, after turning off the ISP router's wifi and putting all our devices behind pfsense box, I'm not seeing those issues any more.

                        Phew! The moment I was about to turn off the capture I saw the smoking gun. I was almost getting ready to call the device malicious and return it.

                        Thanks for helping look into this issue guys. Much appreciated!

                        Cheers!

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.