Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]
-
I know that this is probably not in the right category but I did not see a better one to choose.
Hello, I have been trying to figure out how to set a static ARP entry for the gateway that my pfSense router connects to (WAN GW).
The reason I am wanting to do this is because I am currently living in a dormitory while at college and have been wanting to use pfSense over here in place of my current DD-WRT router. The problem is that the dorm network is 192.168.0.0/16 which is basically what every other home router on the market is defaulted to (192.168.0.0/24 but you get my point).
The problem is that there is another router that has been plugged in incorrectly on this network which causes havoc in terms of two devices having the default gateway IP address, one is the real one and the other is not. How I got around this was by using the command "arp -s 192.168.0.1 7C:5A:1C:4C:00:C0" on my DD-WRT router so it would always connect to the right gateway and not the fake one that doesn't work.
I have tried looking at many different forum articles but they all seem to revolve around the LAN and the DHCP server which is not applicable in this case. I then tried following some FreeBSD guides about setting a static ARP entry but then found out that many of those files are not in use on pfSense. Any help would be greatly appreciated as I love using pfSense at home and would like to do the same while I am at college.
Thanks
-
Seems like it could be $5 wrench time!
But that aside. The only real facility for doing that in pfSense is via the DHCP static leases which obviously doesn't apply here.
I assume that if you run
arp -S 192.168.0.1 7C:5A:1C:4C:00:C0
at the command line it works and the gateway is then seen as a permanent entry in the ARP table?
You can run that command at each boot using a shellcmd:
https://docs.netgate.com/pfsense/en/latest/development/executing-commands-at-boot-time.html
The only issue you might have is if you disconnect the WAN without rebooting it may lose the static entry.
Steve
-
@sgtkilgore406 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
I am currently living in a dormitory while at college
Do you have permission from the college IT dept to plug in a natting device... Pretty much every college forbids use of such devices... More than likely for the very reason you mention where some idiot plugs it in the wrong way... But that they use 192.168.0.1 as their router's IP is beyond stupid as well ;)
I would get with your schools IT department to track down the bad 192.168.0.1 and get with them for permission to connect a router to their network.
-
@stephenw10 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
I assume that if you run
arp -S 192.168.0.1 7C:5A:1C:4C:00:C0
at the command line it works and the gateway is then seen as a permanent entry in the ARP table?
That is the command that I can run on DD-WRT and will work. Unfortunately when I try to run that command on pfSense, it returns the errors shown below. Is there a command equivalent to "arp -S 192.168.0.1 7C:5A:1C:4C:00:C0" for pfSense?
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
Do you have permission from the college IT dept to plug in a natting device...
Yes, the college is perfectly fine with us having our own routers connected to the network. They provide us with Ethernet jacks in our rooms so that we can have our own WiFi (the only WiFi they provide is their throttled public guest).
Unfortunately, the guys running the IT department are kind of stupid (hence the use of the ARP command, bypass the problem myself) and that statement is reinforced by my IT instructors (who have real world experience and are actually certified).
-
Hmm, that IP is in the ARP table?
Most common cause of that error appears to be a subnet mismatch somewhere.
Steve
-
@sgtkilgore406 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
They provide us with Ethernet jacks in our rooms
Yeah most universities do that - but require registration of any device to even talk on the network... So this school has like no IT dept it sounds... It's a no-brainer for a school to fire up a NAC and prevent unauthorized devices from connecting to the network..
While you can for sure add a static arp entry to pfsense.. That is NOT the correct fix here... The correct fix would be to track down the offender and remove the device from the network.. Or have them use a valid IP ;)
I would then have your IT guys look into something as simple and free as PacketFence ;)
If the IP is already in your arp table you would need to clear it before adding a static..
Lets see the bad arp entry..
arp -a
Curious the mac of this bad device - we should at least be able to figure out what make of device it is from the first part of the mac.
-
If said bad device is connected wrong you can probably just connect to it and see exactly what it is.
It probably has the default login still. Try not to be too evil!
Steve
-
That your school IT would tell you to set a static arp just blows my mind... Why would they not just track the port down to where the idiot is stomping on their IP and disable it.. if it's causing you grief it's got to be causing issues for everyone on the same network.
Not like they even have to get out of their chair ;)
Unless this school network is made up of soho dumb switches??
-
@stephenw10 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
Hmm, that IP is in the ARP table?
Most common cause of that error appears to be a subnet mismatch somewhere.
I am not sure where the subnet mismatch would be as their network is 192.168.0.0/16 and my LAN is 10.0.0.0/24.
@stephenw10 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
If said bad device is connected wrong you can probably just connect to it and see exactly what it is.
I tried looking into it but I cannot get any sign of a web interface or an SSH connection.
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
Curious the mac of this bad device - we should atleast be able to figure out what make of device it is from the first part of the mac.
The device is a Netgear (08:02:8E:7A:13:52) and is still active on the network to even now. I just got through doing another Wireshark capture and what the device mainly seems to do is send and receive ARP and SSDP messages so it doesn't seem to be playing a big role in the network other than screwing up the occasional ARP request.
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
That your school IT would tell you to set as static arp just blows my mind...
The IT department didn't tell me. Another IT student (also in the dorms) and myself came up with the idea for using a static ARP entry.
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
if its causing you grief its got to be causing issues for everyone on the same network.
Oh, this is a good one. It does cause others grief as well and at one point they had housing send out an email saying they were going to go door to door to find the culprit. However we never heard anything back about whether the culprit was found or not. I guess that since the device is still on the network then they have not found it (or it might be hiding in their own backyard...).
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
While you can for sure add a static arp entry to pfsense.. That is NOT the correct fix here...
I am aware that setting a static ARP entry is not the correct solution. However, as previously alluded, the IT department here is full of idiots and is not worth the time to talk to about the issue because they will simply ignore you. Other students and myself have tried and it leads nowhere.
What I would like to know is what command or page do I need to use to set a static ARP entry (that does not reside within my LAN and is not associated with my DHCP server)? I like pfSense but I would still consider myself a noob with it so you may have to explain in more detail (it doesn't help that it is built off FreeBSD as I am more accustomed to Debian).
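The symptom described above (two devices answering ARP for 192.168.0.1, visible in a Wireshark capture) can be spotted mechanically. The following is an added example, not code from the thread or from pfSense: a POSIX shell function that reads `tcpdump -n -e arp` style lines and reports any IP answered by more than one hardware address. The capture lines in `sample_capture` are constructed for this example (the two MACs are the ones the thread mentions, the requesting host's MAC and the interface name `em0` are made up).

```shell
#!/bin/sh
# Added example (not from the thread): flag IP addresses that are claimed by
# more than one MAC in ARP replies, i.e. the duplicate-gateway situation the
# thread describes. Input is tcpdump -n -e arp output on stdin.

# Print "<ip> <mac1> <mac2> ..." for every IP seen in ARP replies from more than
# one hardware address. Each input line looks like (constructed format):
#   ... ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 7c:5a:1c:4c:00:c0, length 28
find_arp_conflicts() {
    awk '
        /Reply .* is-at / {
            # locate the "Reply <ip> is-at <mac>," fields regardless of what precedes them
            for (i = 1; i <= NF; i++) if ($i == "Reply") { ip = $(i + 1); mac = $(i + 3) }
            sub(/,$/, "", mac)          # strip the trailing comma tcpdump prints
            mac = tolower(mac)          # normalise case so 08:02:8E... and 08:02:8e... match
            if (!((ip, mac) in seen)) {
                seen[ip, mac] = 1
                macs[ip] = macs[ip] " " mac
                n[ip]++
            }
        }
        END { for (ip in n) if (n[ip] > 1) print ip macs[ip] }
    ' | sort
}

# Constructed sample: one request, two conflicting replies for the gateway IP,
# and one ordinary reply for another host that must not be reported.
sample_capture() {
cat <<'EOF'
13:01:00.000001 00:0c:29:aa:bb:cc > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.0.1 tell 192.168.3.17, length 28
13:01:00.000350 7c:5a:1c:4c:00:c0 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 7c:5a:1c:4c:00:c0, length 28
13:01:00.000410 08:02:8e:7a:13:52 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.0.1 is-at 08:02:8E:7A:13:52, length 28
13:01:02.100000 00:11:22:33:44:55 > 00:0c:29:aa:bb:cc, ethertype ARP (0x0806), length 42: Reply 192.168.0.10 is-at 00:11:22:33:44:55, length 28
EOF
}

# Live use on the WAN interface (em0 is an assumed name; run as root):
#   tcpdump -l -n -e -i em0 arp | find_arp_conflicts
# Offline demonstration on the constructed capture:
sample_capture | find_arp_conflicts
```

Running the offline demonstration prints the gateway IP followed by both MACs that answered for it, while 192.168.0.10 is not listed. On a live link, piping `tcpdump -l` through the function gives the same report as replies arrive, which is enough to hand the offending MAC to whoever manages the switch.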
-
You need to delete the bad entry then add a good entry with your arp command..
Use the big S vs the little s
Here I just overwrote my printers arp entry with mac of your Bad Guy.
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -a | grep 192.168.2.50
BRN30055C116AD9.local (192.168.2.50) at 30:05:5c:11:6a:d9 on igb2 expires in 1023 seconds [ethernet]
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -S 192.168.2.50 08:02:8E:7A:13:52
192.168.2.50 (192.168.2.50) deleted
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -a | grep 192.168.2.50
BRN30055C116AD9.local (192.168.2.50) at 08:02:8e:7a:13:52 on igb2 permanent [ethernet]
[2.4.4-RELEASE][root@sg4860.local.lan]/root:
Now I deleted it, and its back to normal
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -d 192.168.2.50
192.168.2.50 (192.168.2.50) deleted
[2.4.4-RELEASE][root@sg4860.local.lan]/root: ping 192.168.2.50
PING 192.168.2.50 (192.168.2.50): 56 data bytes
64 bytes from 192.168.2.50: icmp_seq=0 ttl=255 time=2.049 ms
64 bytes from 192.168.2.50: icmp_seq=1 ttl=255 time=1.333 ms
^C
--- 192.168.2.50 ping statistics ---
2 packets transmitted, 2 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 1.333/1.691/2.049/0.358 ms
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -a | grep 192.168.2.50
BRN30055C116AD9.local (192.168.2.50) at 30:05:5c:11:6a:d9 on igb2 expires in 1193 seconds [ethernet]
[2.4.4-RELEASE][root@sg4860.local.lan]/root:
Why would they go door to door, they are using dumb switches?? OMG!!! ;) The cheapest of cheapest "smart" switches would allow them from their desks to track down the bad mac port connection and then just turn off the port..
Oh you did use -S, Ah!!! you're not root, you're admin... You would need to be root on your pfsense to do that command.. Why does your cmd line say admin vs root? If you ssh in with admin you get root..
Odd... But lets see your ifconfig... You shouldn't be getting that error if you're actually connected to that 192.168 network.
See just tried creating arp entry for network not attached to.
[2.4.4-RELEASE][root@sg4860.local.lan]/root: arp -S 192.168.20.50 08:02:8E:7A:13:52
arp: writing to routing socket: No such file or directory
arp: cannot intuit interface index and type for 192.168.20.50
[2.4.4-RELEASE][root@sg4860.local.lan]/root:
I don't have a 192.168.20 network.
Also what version of pfsense are you on - you should be getting the same error, etc. it says are you 2.4.4p2? Not sure why yours would not give you the exact info like mine did about non network and said something about process..
If you ssh in as admin you get root prompt as well - so why/how are you seeing admin prompt?
-
Mmm, I tested that as admin before and it works OK. And still works for me:
[2.4.5-DEVELOPMENT][admin@2220.stevew.lan]/root: arp -S 172.21.16.48 30:05:5c:11:6a:d9
172.21.16.48 (172.21.16.48) deleted
The error you're seeing seemed mostly due to a subnet mask error on an interface. Can we see the output of
ifconfig -a
?
Steve
-
@stephenw10 how exactly are you getting admin prompt vs root prompt? If I ssh to pfsense as "admin" I still end up at root prompt, etc.
-
Not sure why you're seeing that. I always see admin@ if I login as admin@.
Admin and root are pretty much the same thing in pfSense anyway though. I wouldn't expect it to make a difference here.
The only time that applies is when connecting via sftp where root is required to avoid the menu AFAIK.
Steve
-
Nevermind - I wasn't looking at the prompt after I changed the name in securecrt, just the dir - DOH! ;)
When I change account to admin, the account is admin - just the home dir is /root
[2.4.4-RELEASE][admin@sg4860.local.lan]/root:
But yeah agree the same account really.
Yeah like to see the ifconfig output to see what the mask is on his 192.168 address - but if his WAN is 192.168.0.x not sure how the mask could be wrong that he could not create a static arp for a 192.168.0.1 address? Maybe he is at something like 192.168.X and thinks it is in a 192.168.0/16?? When it's really not at that mask??
-
Hmm, not sure exactly what happened but I was able to run the arp command and this time it took.
As of now I am typing this using my pfSense box for my connection to this forum. At this point what I am going to attempt to do now is configure that ARP command to automatically run at boot.
@stephenw10 said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
The only issue you might have is if you disconnect the WAN without rebooting it may lose the static entry.
Steve
So if I happen to lose the upstream link then the static entry could disappear? I have the pfSense box connected to my 1500VA UPS but I know the college doesn't have their switch on a UPS.
Would it be possible to have the ARP command dynamically run if the link is lost and come back with a script?
-
Lets go over this again.. Setting a static arp because some dickhead is stepping on your gateway is NOT the correct fix..
That your IT support is so pathetic that they can not even stop some idiot from stepping on their IP on the "their" network is beyond laughable!!! Please point them to this thread, I would love to talk to these freaking idiots that should be flipping burgers vs saying they are in the tech field. ;)
Is this some school where they teach you how to basket weave or how you "feel" when billy calls you stupid.. Or maybe it's a school about "god"??
They clearly can not even run the most basic of networks.. I feel your pain I do.. But that you give such a school even a 1$ when they can not even do the most basic of networking maint.. WTF!!!
-
Again, I am fully aware that doing this "fix" is not what you should do. They are idiots, not worth my breath to argue with, and I am about to graduate this year so it isn't important enough to push it for me.
Yes, they are pathetic. Guess what? They didn't even build their own network, it was done by a 3rd party contractor. Guess what, they don't even have spanning tree enabled so loops are more common than they should be. Their DNS servers are jacked up so that you can't reach their own hosted sites without VPNing out [ask me how I know that one ;)]. The WiFi drops out, and beyond the IT degree program faculty who actually know way more, everyone else at the college is oblivious.
It is a small tribal community college about an hour from my home so they are not really focused on technology per se. I am the only senior in the IT program and the classes below me are all >10 students. There are larger colleges and universities nearby but I did not want to pay the exorbitant cost that they would demand. It's hard to describe but I do like being here, if anything because my instructors are awesome and know what they are talking about.
@johnpoz said in Set Static Arp Entry [NOTHING TO DO WITH LAN OR DHCP SERVER]:
Is this some school where they teach you how to basket weave or how you "feel" when billy calls you stupid..
Yeah, you could say that. :D
-
hahaha dude that is great!
But if you set static arp - it should survive reboot.. So you should be good.. I have not personally tested it on freebsd/pfsense since I have not ever needed to set a static like you're doing..
But over the years that has been common.. once you set static, its set..
But sure you could use a cron or something to set it..
Before you leave can we F with these idiots!!! Please oh Please bring them into this thread!!!
edit: See my PM.. Dude that has got to be one of the best responses around here in years.. Love it!!! Please stick around.. you seem like the kind of people I love to help!!!
edit2: Lets hook up this school with some training from pfsense???? Seems like they could use some real help!! I will reach out to the guys here... Maybe we can "fix" this school tech... I think it might be a huge PR thing for netgate.. Will ask about it on private channels.
edit3: Keep in mind that is just me talking (I do not in anyway speak for netgate/pfsense)... But I like the idea...I would volunteer my time if this school was close to chicagoland on a weekend..
-
If you do need to apply that command at boot you can do so with a shellcmd:
https://docs.netgate.com/pfsense/en/latest/development/executing-commands-at-boot-time.html
And actually now I think about it if you use the 'afterfilterchange' type there it will be applied if the WAN goes down and comes back up. That might be all you need there.
Steve
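The procedure the thread settles on (clear any dynamic entry for the gateway, add a permanent one with `arp -S`, and re-run the command at boot or after the WAN link comes back, as Steve's first and last replies describe) fits in one small script. What follows is an added example, not code from the thread, from Netgate or from the shellcmd package: a POSIX sh script meant to be registered as a shellcmd (at boot or on the after-filter-change hook) or run from cron on pfSense/FreeBSD. The gateway IP and MAC defaults are the ones the original poster gave; the `--apply` flag, the `static-arp` syslog tag and the `arp -an` line format used in the comments are this example's own assumptions (the format matches what FreeBSD's `arp -an` prints, but check it on your box).

```shell
#!/bin/sh
# Added example (not from the thread or pfSense): keep a permanent ARP entry
# for the upstream gateway. Run as root via shellcmd at boot, on the
# after-filter-change hook (re-applied when the WAN bounces), or from cron.
GW_IP="${GW_IP:-192.168.0.1}"             # gateway IP from the thread
GW_MAC="${GW_MAC:-7c:5a:1c:4c:00:c0}"     # real gateway MAC from the thread

# Normalise a MAC to lower case so comparisons do not depend on how it was
# typed (arp prints lower case; the poster typed upper case).
norm_mac() {
    printf '%s\n' "$1" | tr 'A-F' 'a-f'
}

# Classify the `arp -an` line for the gateway IP (empty string if none):
#   ok      - permanent entry with the expected MAC, nothing to do
#   wrong   - entry exists but has another MAC, or is not permanent
#   missing - no entry at all
# Assumed line format: ? (192.168.0.1) at 7c:5a:1c:4c:00:c0 on em0 permanent [ethernet]
classify_arp_line() {
    line="$1"
    want=$(norm_mac "$2")
    [ -z "$line" ] && { echo missing; return 0; }
    have=$(printf '%s\n' "$line" | sed -n 's/.* at \([0-9a-fA-F:]*\) .*/\1/p')
    have=$(norm_mac "$have")
    case "$line" in
        *" permanent "*) perm=1 ;;
        *)               perm=0 ;;
    esac
    if [ "$have" = "$want" ] && [ "$perm" -eq 1 ]; then
        echo ok
    else
        echo wrong
    fi
}

# Delete whatever is cached (a dynamic entry must be cleared first, as the
# thread notes), add the permanent entry, then verify it really took.
# Returns 0 when the table ends up correct, 1 otherwise.
ensure_static_arp() {
    current=$(arp -an | grep "($GW_IP)" || true)
    [ "$(classify_arp_line "$current" "$GW_MAC")" = ok ] && return 0
    arp -d "$GW_IP" >/dev/null 2>&1 || true   # "no entry" is fine here
    arp -S "$GW_IP" "$GW_MAC" || return 1
    current=$(arp -an | grep "($GW_IP)" || true)
    [ "$(classify_arp_line "$current" "$GW_MAC")" = ok ]
}

# Privileged part only runs when invoked as: sh static-arp.sh --apply
if [ "${1:-}" = "--apply" ]; then
    if ensure_static_arp; then
        logger -t static-arp "permanent ARP entry for $GW_IP set to $GW_MAC"
    else
        logger -t static-arp "FAILED to set permanent ARP entry for $GW_IP"
        exit 1
    fi
fi
```

Because the script checks the table before touching it, it is safe to run repeatedly (every cron minute, or on every filter reload) and only logs when it actually changes something. The `arp: cannot intuit interface index` error johnpoz reproduced surfaces here as a non-zero return from `arp -S`, which the script reports to syslog rather than silently ignoring.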