Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Lots of ARP Request who-has on WAN interface

    Scheduled Pinned Locked Moved DHCP and DNS
    2 Posts 2 Posters 1.4k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • D
      droehn
      last edited by

      Hi all,

      when packet capturing on my WAN interface I recognized tons of ARP requests:

      21:29:36.766294 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.64 tell 87.102.192.1, length 46
21:29:36.779613 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.21 tell 87.102.192.1, length 46
21:29:36.794756 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.228 tell 87.102.192.1, length 46
21:29:36.797331 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.242 tell 87.102.192.1, length 46
21:29:36.799332 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.251 tell 87.102.192.1, length 46
21:29:36.811806 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.17 tell 31.11.18.1, length 46
21:29:36.852604 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.80 tell 87.102.192.1, length 46
21:29:36.871536 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.195 tell 87.102.192.1, length 46
21:29:36.929359 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.160 tell 87.102.192.1, length 46
21:29:36.930364 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.198 tell 87.102.192.1, length 46
21:29:36.942464 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.2 tell 87.102.192.1, length 46
21:29:36.975301 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.95 tell 31.11.20.1, length 46
21:29:36.979212 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.191 tell 87.102.192.1, length 46
21:29:37.011842 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.50 tell 31.11.20.1, length 46
21:29:37.017769 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.130 tell 87.102.192.1, length 46
21:29:37.031550 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.225 tell 31.11.20.1, length 46
21:29:37.070158 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.20 tell 87.102.192.1, length 46
21:29:37.081544 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.222 tell 87.102.192.1, length 46
21:29:37.111982 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.109 tell 87.102.192.1, length 46
21:29:37.130754 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.158 tell 213.188.228.1, length 46
21:29:37.142069 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.64 tell 31.11.20.1, length 46
21:29:37.161576 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.3 tell 31.11.18.1, length 46
21:29:37.171731 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.20.211 tell 31.11.20.1, length 46
21:29:37.192167 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.163 tell 87.102.192.1, length 46
21:29:37.219088 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.6 tell 87.102.192.1, length 46
21:29:37.231629 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.106 tell 213.188.228.1, length 46
21:29:37.249100 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.119 tell 87.102.192.1, length 46
21:29:37.271795 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.153 tell 87.102.192.1, length 46
21:29:37.363221 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.107 tell 87.102.192.1, length 46
21:29:37.369659 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.54 tell 87.102.192.1, length 46
21:29:37.409542 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.52 tell 31.11.18.1, length 46
21:29:37.416684 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.124 tell 87.102.192.1, length 46
21:29:37.418588 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.61 tell 31.11.18.1, length 46
21:29:37.438712 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.99 tell 87.102.192.1, length 46
21:29:37.451867 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.105 tell 87.102.192.1, length 46
21:29:37.481553 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.92 tell 87.102.192.1, length 46
21:29:37.501722 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.154 tell 87.102.192.1, length 46
21:29:37.520630 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.77 tell 87.102.192.1, length 46
21:29:37.531838 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.14 tell 31.11.20.1, length 46
21:29:37.551812 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.72 tell 87.102.192.1, length 46
21:29:37.567538 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.18.82 tell 31.11.18.1, length 46
21:29:37.581619 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.228.17 tell 213.188.228.1, length 46
21:29:37.611730 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.100 tell 87.102.192.1, length 46
21:29:37.617758 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.23.213 tell 31.11.20.1, length 46
21:29:37.630053 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.61 tell 87.102.192.1, length 46
21:29:37.641457 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.233 tell 31.11.20.1, length 46
21:29:37.671679 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.191 tell 87.102.192.1, length 46
21:29:37.706207 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.20.9 tell 31.11.20.1, length 46
21:29:37.724675 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.22.137 tell 31.11.20.1, length 46
21:29:37.735029 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.193.93 tell 87.102.192.1, length 46
21:29:37.735804 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 213.188.229.158 tell 213.188.228.1, length 46
21:29:37.749960 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.195.243 tell 87.102.192.1, length 46
21:29:37.758064 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 87.102.194.188 tell 87.102.192.1, length 46
21:29:37.771744 00:01:5c:40:50:41 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Ethernet (len 6), IPv4 (len 4), Request who-has 31.11.21.86 tell 31.11.20.1, length 46

      Approx. 50 requests per second.

      I run the pfSense WAN port in DHCP mode behind a cable modem.

      The pfSense ARP table displays two entrys for my WAN interface:

      • one with my WAN port MAC address and my public IP

      • one with MAC 00:01:5c:40:50:41, the one doing the above mentioned requests, allocated to (some of my ISP's) IP 31.11.18.1

      When deleting the latter it reappears right away.

      The cable modem, which is the only device connected to the WAN port, has a different MAC and is not listed in the ARP table.

      All IP's requested do also belong to my ISP, none of them appear on the ARP table. None of them do match my public IP.

      Is someone aware what is going on there, if and what I should do about it? This could be not a wanted behaviour, right? Should I report this to my ISP or is there a misconfiguration on my pfSense box? Where should I go and check/alter settings?
      Any help - even for understanding - is much appreciated.

      Thank you in advance!

      1 Reply Last reply Reply Quote 0
      • JKnottJ
        JKnott
        last edited by

        I run the pfSense WAN port in DHCP mode behind a cable modem.

        That is entirely normal with cable modems, at least with Hitron¹.  I see the same thing.  You are sharing a cable with many other subscribers.  Those are arp requests from the CMTS (head end) to all the subscribers on your segment.

        1. I don't recall seeing it when I had a Cisco modem.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        1 Reply Last reply Reply Quote 0
        • First post
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.