arpresolve: can't allocate llinfo for 192.168.100.1

mrsunfire

Since I've upgraded my cable modem to a new one, I get this message under system logs after I receive a public IPv4 address. The old modem shortly disconnects the WAN interface after it was syncing with ISP and received a IPv4 address and everything works fine without any error logs. The new modem doesn't disable the WAN interface and gets a new IP adress instant. Then the system log is flooded with this.

I've searched everything on the net but there was no solution for me. How can I do a static ARP entry without DHCP? Because on WAN I don't have a DHCP server running. WAN is set to DHCP client mode. Anything new on this?

stephenw10

What is 192.168.100.1? The modem management IP?

Is it handing that IP to pfSense before it syncs with the provider?

You can reject leases from that if so in the DHCP client setup.

Steve

lordmundi

I know this is an old post, but I'm getting the same flood of messages in my system->general log saying "arpresolve: can't allocate llinfo for 192.168.100.1 on mvneta2". The 192.168.100.1 is my cable modem plugged into the WAN port. I can get to 192.168.100.1 from my LAN network (which is on 192.168.0.x), so it is connecting to it. How do I get this flood of messages to the general log (about 2 per second) to stop? I'm running a Netgate SG-3100 and the 2.4.5-RELEASE built on Tue Mar 24.

stephenw10

Is it the modem management IP or the main cable gateway IP? Is that address the gateway for pfSense?

That message implies it is not able to create an arp entry for it because pfSense does not have an interface in that subnet. Which would be unlikely if it;s the gateway IP.

Steve

lordmundi

no, it's the modem management IP. If I go to that IP inside my LAN it resolves and shows me the configuration and status web page for the modem.

stephenw10

Ok, well something is trying to hit it. Does pfSense have an interface configured in that subnet? Or a VIP maybe?

If not try adding one so it can add the ARP entry. It's unusual that you'd be able to reach the modem mgmt page without that though.

Steve

lordmundi

hmm... yeah, i don't recall a single thing set up on the 192.168.100.x subnet.

So, I'm not experienced with VIPs. I'll have to do some reading. Thanks.

stephenw10

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html

Though that really only applies to PPPoE connections. Just add a VIP on the WAN for a DHCP connection.

Steve

mrsunfire

I sill have the same issue, but only if the cable modem restarts and sends via DHCP the 192.168.100.1. After it boots up and receives a public IP adress, this message appears. If I shortly unplug the modem for a second BEFORE it gets a public IP adress this message does not appear.
I'm not happy with this, because if the modem getting restartet because of DOCSIS fail, my log is flooded with this message if I'm not at home at this moment.

I have configured a firewall rule on LAN because of dual WAN so that I always use the gateway of this interface to reach the modem, even if it's DOCSIS is offline.
Don't know if this might be the problem?

I think the only solution is that this flooding is getting stopped. The log should show only one of these entries, that's it. But unfortunately I can't configure this or even disable this to be logged.

HG

I don't know which modem you have, but I read in another forum that e.g. there is a TC4400 firmware version that has exactly the bug that is doesn't respond to ARP requests on LAN side after the cable connection is established. Maybe also other modems have this bug. The proposed solution there was to add a static ARP entry for the LAN address of the cable modem. I have the TC4400 but with another firmware without this bug, so unfortunately I cannot tell how to do this with pfSense.

HG

Another thing that just came into my mind, but it's basically what stephenw10 mentioned above: With my modem, I had to add a NAT rule to be able to access the management interface after is has established the cable connection:

OPT1 is the interface with the cable modem. Ignore the WAN part, that's for the management interface of my DSL modem, I have dual WAN, too.

And I have of course a virtual IP:

chpalmer

If 192.168.100.1 is outside the LAN(s) of your pfsense router then it will happily send any request to 192.168.100.1 out the WAN port at which time the cable modem will happily answer. There is no configuration needed on pfsense to allow this or make it happen other than its default setup.

https://docs.netgate.com/pfsense/en/latest/interfaces/accessing-modem-from-inside-firewall.html states "The firewall is typically assigned a public IP, and sends all outbound traffic upstream to the ISP." This statement ignores the fact that the cable modem is listening on that address and answers locally. The cable modem will still answer on that address even if no cable is connected. Of coarse if any kind of tunnel or encapsulation is being used then you have to adjust things up a bit. A dsl modem used on an ISP that does not require PPPoe or PPPoa will generally answer without any additional setup as well though this is a rare option.

pfsense will forward any address outside of its subnets to the WAN port.

Look at these pings. One to the modem interface and one to my ISP gateway. Note that the gateway is further away than the modem.

C:\Windows\System32>ping 192.168.100.1

Pinging 192.168.100.1 with 32 bytes of data:
Reply from 192.168.100.1: bytes=32 time=2ms TTL=63
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63
Reply from 192.168.100.1: bytes=32 time=2ms TTL=63
Reply from 192.168.100.1: bytes=32 time=1ms TTL=63

Ping statistics for 192.168.100.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 1ms, Maximum = 2ms, Average = 1ms

C:\Windows\System32>ping 24.xx.3x.1

Pinging 24.113.35.1 with 32 bytes of data:
Reply from 24.xx.3x.1: bytes=32 time=10ms TTL=63
Reply from 24.xx.3x.1: bytes=32 time=9ms TTL=63
Reply from 24.xx.3x.1: bytes=32 time=10ms TTL=63
Reply from 24.xx.3x.1: bytes=32 time=13ms TTL=63

Ping statistics for 24.xx.3x.1:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 9ms, Maximum = 13ms, Average = 10ms

I would be curious what model cable modems this is happening with?

HG

@chpalmer My experience with the Technicolor TC4400 SR70.12.33-180327 is that I can only access the management interface with the NAT and Virtual IP while it is connected to the ISP. It works without the NAT rule if there is no ISP connection. The Virtual IP was always needed, because the WAN interface gets it IP address via DHCP so it has no IP address at all without the connection to the ISP. With the connection to the ISP, the WAN interface gets its public IP via DHCP.

mrsunfire

@HG said in arpresolve: can't allocate llinfo for 192.168.100.1:

I don't know which modem you have, but I read in another forum that e.g. there is a TC4400 firmware version that has exactly the bug that is doesn't respond to ARP requests on LAN side after the cable connection is established. Maybe also other modems have this bug. The proposed solution there was to add a static ARP entry for the LAN address of the cable modem. I have the TC4400 but with another firmware without this bug, so unfortunately I cannot tell how to do this with pfSense.

I can confirm this. I have a TC4400 with .33 firmware without this issue, because the modem resets the interface after bootup. With my .41 firmware, I have this bug, because the interface doesn't get shutdown after boot.

How to set a static arp?

@HG said in arpresolve: can't allocate llinfo for 192.168.100.1:

@chpalmer My experience with the Technicolor TC4400 SR70.12.33-180327 is that I can only access the management interface with the NAT and Virtual IP while it is connected to the ISP. It works without the NAT rule if there is no ISP connection. The Virtual IP was always needed, because the WAN interface gets it IP address via DHCP so it has no IP address at all without the connection to the ISP. With the connection to the ISP, the WAN interface gets its public IP via DHCP.

In my case I don't need a virtual IP adress to access the TC4400 (with or without public IP). If it's not connected to the ISP, starts to deliver a 192.168.100.10 IP by DHCP. After this happened and the pubic IP returned, then this error shows up. If I disable to get a private IP from the modem I don't get this error but also I can't connect the WebGUI of the modem without a connection to ISP.

chpalmer

@HG said in arpresolve: can't allocate llinfo for 192.168.100.1:

My experience with the Technicolor TC4400 SR70.12.33-180327 is that I can only access the management interface with the NAT and Virtual IP while it is connected to the ISP.

That is a limitation of that particular modem model.

HG

@mrsunfire said in arpresolve: can't allocate llinfo for 192.168.100.1:

How to set a static arp?

Unfortunately, I don't know how to do it permanently, and I have no real experience with it, but you could try first manually by executing "arp -S 192.168.100.1 xx:xx:xx:xx:xx:xx" (replace xx:xx:xx:xx:xx:xx with the modem's MAC address) on the command line to see if it really helps.

mrsunfire

On DHCP server site I can configure static arp but on client site I don't think so. Maybe by command. I will give it a try next week and will update you guys. Thanks so far.

HG

@mrsunfire said in arpresolve: can't allocate llinfo for 192.168.100.1:

If it's not connected to the ISP, starts to deliver a 192.168.100.10 IP by DHCP.

Maybe I remembered incorrectly and that was probably also the case in my setup and I added the virtual IP together with the NAT.

stephenw10

Did any of you try adding a VIP on the WAN in the modem mgmt subnet?

mrsunfire

What do you mean by this? I now added a Virtual IP for WAN (192.168.100.2) and will see if this helps. Before that I didn't have any VIP or NAT only a outbound firewall rule on LAN.

stephenw10

If pfSense has a an interface in that subnet marked as local in the routing table it should be able to add ARP entries for things inside it removing the issue.
You might need to add an outbound NAT rule after doing that though since pfSense will just route to it as a local subnet and the modem will have no rout5e back.

Steve

monofox

I can confirm, that adding VIP to WAN with /32 mask and adding outbound NAT gives proper access to maintenance screen of TC4400. I cross checked through web ui as well as ssh, that its working without adding static arp (there is actually no arp entry). I'd originally defined the VIP in /24 subnet on WAN interface. In that case obviously i needed a static arp entry. But with /32 its not required.