Lots of ARP Request who-has on WAN interface



  • Hi all,

    when packet capturing on my WAN interface I recognized tons of ARP requests:

    21:29:36.766294 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.64 tell 87.102.192.1, length 46
    21:29:36.779613 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.21 tell 87.102.192.1, length 46
    21:29:36.794756 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.228 tell 87.102.192.1, length 46
    21:29:36.797331 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.242 tell 87.102.192.1, length 46
    21:29:36.799332 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.251 tell 87.102.192.1, length 46
    21:29:36.811806 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.17 tell 31.11.18.1, length 46
    21:29:36.852604 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.80 tell 87.102.192.1, length 46
    21:29:36.871536 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.195 tell 87.102.192.1, length 46
    21:29:36.929359 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.160 tell 87.102.192.1, length 46
    21:29:36.930364 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.198 tell 87.102.192.1, length 46
    21:29:36.942464 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.2 tell 87.102.192.1, length 46
    21:29:36.975301 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.95 tell 31.11.20.1, length 46
    21:29:36.979212 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.191 tell 87.102.192.1, length 46
    21:29:37.011842 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.50 tell 31.11.20.1, length 46
    21:29:37.017769 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.130 tell 87.102.192.1, length 46
    21:29:37.031550 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.225 tell 31.11.20.1, length 46
    21:29:37.070158 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.20 tell 87.102.192.1, length 46
    21:29:37.081544 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.222 tell 87.102.192.1, length 46
    21:29:37.111982 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.109 tell 87.102.192.1, length 46
    21:29:37.130754 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.158 tell 213.188.228.1, length 46
    21:29:37.142069 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.64 tell 31.11.20.1, length 46
    21:29:37.161576 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.3 tell 31.11.18.1, length 46
    21:29:37.171731 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.20.211 tell 31.11.20.1, length 46
    21:29:37.192167 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.163 tell 87.102.192.1, length 46
    21:29:37.219088 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.6 tell 87.102.192.1, length 46
    21:29:37.231629 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.106 tell 213.188.228.1, length 46
    21:29:37.249100 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.119 tell 87.102.192.1, length 46
    21:29:37.271795 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.153 tell 87.102.192.1, length 46
    21:29:37.363221 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.107 tell 87.102.192.1, length 46
    21:29:37.369659 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.54 tell 87.102.192.1, length 46
    21:29:37.409542 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.52 tell 31.11.18.1, length 46
    21:29:37.416684 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.124 tell 87.102.192.1, length 46
    21:29:37.418588 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.61 tell 31.11.18.1, length 46
    21:29:37.438712 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.99 tell 87.102.192.1, length 46
    21:29:37.451867 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.105 tell 87.102.192.1, length 46
    21:29:37.481553 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.92 tell 87.102.192.1, length 46
    21:29:37.501722 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.154 tell 87.102.192.1, length 46
    21:29:37.520630 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.77 tell 87.102.192.1, length 46
    21:29:37.531838 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.14 tell 31.11.20.1, length 46
    21:29:37.551812 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.72 tell 87.102.192.1, length 46
    21:29:37.567538 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.82 tell 31.11.18.1, length 46
    21:29:37.581619 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.228.17 tell 213.188.228.1, length 46
    21:29:37.611730 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.100 tell 87.102.192.1, length 46
    21:29:37.617758 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.213 tell 31.11.20.1, length 46
    21:29:37.630053 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.61 tell 87.102.192.1, length 46
    21:29:37.641457 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.233 tell 31.11.20.1, length 46
    21:29:37.671679 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.191 tell 87.102.192.1, length 46
    21:29:37.706207 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.20.9 tell 31.11.20.1, length 46
    21:29:37.724675 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.137 tell 31.11.20.1, length 46
    21:29:37.735029 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.93 tell 87.102.192.1, length 46
    21:29:37.735804 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.158 tell 213.188.228.1, length 46
    21:29:37.749960 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.243 tell 87.102.192.1, length 46
    21:29:37.758064 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.188 tell 87.102.192.1, length 46
    21:29:37.771744 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.86 tell 31.11.20.1, length 46
    
    

    Approx. 50 requests per second.

    I run the pfSense WAN port in DHCP mode behind a cable modem.

    The pfSense ARP table displays two entrys for my WAN interface:

    • one with my WAN port MAC address and my public IP

    • one with MAC 00:01:5c:40:50:41, the one doing the above mentioned requests, allocated to (some of my ISP's) IP 31.11.18.1

    When deleting the latter it reappears right away.

    The cable modem, which is the only device connected to the WAN port, has a different MAC and is not listed in the ARP table.

    All IP's requested do also belong to my ISP, none of them appear on the ARP table. None of them do match my public IP.

    Is someone aware what is going on there, if and what I should do about it? This could be not a wanted behaviour, right? Should I report this to my ISP or is there a misconfiguration on my pfSense box? Where should I go and check/alter settings?
    Any help - even for understanding - is much appreciated.

    Thank you in advance!



  • I run the pfSense WAN port in DHCP mode behind a cable modem.

    That is entirely normal with cable modems, at least with Hitron¹.  I see the same thing.  You are sharing a cable with many other subscribers.  Those are arp requests from the CMTS (head end) to all the subscribers on your segment.

    1. I don't recall seeing it when I had a Cisco modem.


Log in to reply