ARP Table showed 2 entries for each IP on LAN and OPT2 - Why?
I only looked at this because my new android phone kept disconnecting from a home wifi with a message that it thought there was ARP spoofing (from the built in Verizon security and protection app, so I don't know more details on how it works). I did not happen to see a previous post that described this, so it may be just education that I need to understand how ARP works in relation to pfSense on multiple LAN segments.
The pfSense setup was:
WAN - cable modem
LAN - direct connection to a FreeNAS
OPT1 - consumer grade switch (only wired connections)
OPT2 - consumer-grade home router (only use LAN ports/WiFi)
On the ARP table, there were several IP/MAC addresses listed on both LAN and OPT2. I don't think there was any arp spoofing, as these were identical MAC/IP pairs, and are all known devices.
I manually deleted the arp entries (first via GUI, then via command line window "arp -d [etc]…") and they immediately came back under both interfaces.
As part of troubleshooting, I swapped cables between LAN and OPT2 (note - this is a home network, in which there is no security difference, and no firewall rules distinguishing between LAN, OPT1, and OPT2). After the ARP cache cleared out, it looks like the MAC/IP pairs are all on the correct interface, with no duplicates.
For additional configuration, LAN has an IP address, but OPT1 and OPT2 do not. LAN runs the DHCP server.
My initial though is that it may have something to do with interfaces that do not have IP addresses (e.g. OPT2), but I don't know exactly how that affects ARP.
You have LAN bridged with OPT1 and OPT2?
If so you will get broadcast traffic and layer 2 traffic crossing between them unless it's specifically blocked.
Thanks - Yes - Bridge0 = LAN, OPT1, OPT2.
I was not certain how the bridge and the ARP list interacted, but it sounds like it is just making it act like a L2 switch, and sending out to all on the bridge, so ARP is just showing what that means on the bridged network.
On this network, there are no firewall rules to block any traffic on the bridged connections.
Ok Phil that sounds like what's expected then. Bridging those interface adds them to the same layer 2.
It's usually best in that sort of setup to assign the bridge interface and put the IP and dhcp server etc on that. Leave all the member interfaces with type 'none'.
Doing that makes all the members logically equal which helps in troubleshooting. It also means that if you disconnect the LAN it doesn't take down the whole bridge.
Better option would be to just use a switch ;) And use the interface as actual interface for other network/vlan vs wasting them to be macgyver switch with poor performance compared what even a 30$ switch could do.
^That is true. If you're not filtering at all between the interfaces then a real switch will work better.
However if you need to filter between them at any point using a bridge like that is reasonable. Or if you have spare ports and nothing better to do with them. ;)
While agree if you need to filter it might be option..
" have spare ports and nothing better to do with them."
This not going to ever agree with, ever.. ;) Sorry you don't use interfaces on your firewall/router as switch port just because you don't have actual need of interface port..
Ha, I hear ya. :)
I confess I've done that in the past where a real switch would be much more appropriate. Good to know it can be done if needed even though mostly it shouldn't.