Why create a static entry in the Arp table?

madivad

When setting a static IP address for hosts on the network, there is an option for "Create an ARP Table Static Entry for this MAC & IP Address pair", sometimes I have checked it, sometimes I haven't. But I have never known whether it's best to check or not check it.

Searching the forums and interwebs isn't telling me anything about why having pfsense create this static list is a good thing or not. What, if at some point I need to change the static definition of that host? I am assuming the table would be updated.

In short, what are the benefits to choosing this option?

JKnott

@madivad said in Why create a static entry in the Arp table?:

When setting a static IP address for hosts on the network, there is an option for "Create an ARP Table Static Entry for this MAC & IP Address pair", sometimes I have checked it, sometimes I haven't. But I have never known whether it's best to check or not check it.

Searching the forums and interwebs isn't telling me anything about why having pfsense create this static list is a good thing or not. What, if at some point I need to change the static definition of that host? I am assuming the table would be updated.

In short, what are the benefits to choosing this option?

The only time I had to set up static arp was to configure some security cameras. Until the initial configuration was set up, it was necessary to use a static arp to map to the IP address to be used.

bgroper

@madivad said in Why create a static entry in the Arp table?:

In short, what are the benefits to choosing this option?

Google found some info at https://www.juniper.net/documentation/en_US/junos/topics/concept/arp-static-qfx-series-understanding.html

But yes, what are the pros and cons of having/not having static ARP table entries ??

johnpoz

Can be used as a security measure. Can prevent spoofing and or poisoning, can allow for WOL (wake on lan), can shave a ms or so off from having to arp for the IP every 20 minutes or so - whatever your cache is set for. If your whole network is setup with static arps - would lower the amount of arp traffic on that L2 network.

Generally speaking the typical user would have no reason to set static arp entries up..

Can be used to limit who can talk to pfsense, via only allowing to talk to IPs that have static arp entries.

Con's would be that IP is locked to that mac - another device would not be able to use that IP, or that device would not be able to use a different IP.. Arp spoofing can be used for legitimate reasons - so if you have static arp set, you would not be able to do that.

But again most uses are outside the scope of day to day operation for a typical home network to be honest.. Its pretty safe to say if you don't understand its use case, you wouldn't have use of it ;)

bgroper

@johnpoz

Thanks for the good explanation.
Oh, please any chance of a thumbs up ? I'm hoping to reach 5 so I can add a signature. ;-)

johnpoz

What would you like in your signature? I can edit it until you reach 5.. With only 2 posts, and no help to others I wouldn't count on hitting 5 all that quickly ;)

Gertjan

@bgroper said in Why create a static entry in the Arp table?:

what are the pros and cons of having/not having static ARP table entries ??

Back, in the old days, when 10 Mbits / sec half duplex was a pure luxury, the collections of ARP packets on a big network segment wouldn't be zero.
Remember, there were no switches, just hubs ...
Setting static settings, ARP, IP (think of DHCP) etc would really help.

johnpoz

Yup back in the day this was very true!

The most likely use case for your typical small network today would prob be for WOL support... You need to be able to send that magic packet to the correct mac.. If you don't know what the mac is then you can not send it.. So a static setting comes in handy there..

JKnott

@johnpoz

????

I have used WoL and didn't need to use static ARP for it. I knew the MAC, so I used it. How would not knowing the MAC address help you set up a static ARP? The sole purpose of static ARP is to map an IP address to a MAC, without going through the ARP request & reply. As I mentioned earlier, the only time I had to use static ARP was so that I could configure security cameras. Even then, there was an app for doing that, without IP addresses assigned.

Also, one thing a lot of people don't realize is that ARP predates IP and was used because it already provided a needed function of mapping some name to the MAC.

johnpoz

@JKnott said in Why create a static entry in the Arp table?:

I have used WoL and didn't need to use static ARP for it. I knew the MAC

Very true!! Just saying this is one use case ;) Where having static would come in handy... If you know the mac you don't need a static entry in your arp table

JKnott

@johnpoz said in Why create a static entry in the Arp table?:

If you know the mac you don't need a static entry in your arp table

How could you create the entry, if you didn't know the MAC?

johnpoz

hehehe - well dude you would have to have some pre-thought there ;) duh - hehehe!

But if the entry is in your arp table you could send the magic packet via just the IP address.

bgroper

@johnpoz
Yes, its been a quiet 5 years since I signed up for this forum, ;-)
My usual signature is :
"I'm not a complete idiot. There's still a few pieces missing."
TIA's