pfsense 2.4.5p1 bug: arp: 172.24.0.1 moved from xx to yy on vtnet0

huamulanmushu

I don't know why this appear in our system log

Aug 31 10:14:27	kernel		arp: 172.24.0.1 moved from d8:d3:85:d7:9b:4a to 00:26:55:e4:86:69 on vtnet0
Aug 31 10:14:33	kernel		arp: 172.24.0.1 moved from 00:26:55:e4:86:69 to d8:d3:85:d7:9b:4a on vtnet0

d8:d3:85:d7:9b:4a is correct.
00:26:55:e4:86:69 is mac address of vtnet2 on our pfsense but our configuration don't use 172.24.0.1 as gateway in pfsense. The gateway is 172.24.0.16 on vtnet0.
I don't why pfsense reply arp 00:26:55:e4:86:69 for 172.24.0.1 (my local server address).

Extra infomation.
vtnet2 is a trunk link with multi vlan include vlan 1 (config on switch). I create multiple vlan on vtnet2 but I don't use vlan 1.
vtnet0 is access link (vlan 1)

stephenw10

That's almost certainly not a bug in pfSense. It's logging that because it sees arp replies showing it.

Run a packet capture on vtnet0 and see what's actually on there.

You might have something leaking broadcast packets for example.

Steve

huamulanmushu

@stephenw10 I use tcpdump and see vtnet2 return arp for 172.24.0.1. But in my pfsense config don't have any interface or VIP use this ip. That like a bug.

JKnott

@huamulanmushu

It would be elsewhere. Check the MAC address to see what device it's coming from.

stephenw10

Mmm what is vtnet2 here? A virtual interface or something passed through?

That's an HP MAC address. Something sharing it?

Steve

huamulanmushu

@stephenw10 said in pfsense 2.4.5p1 bug: arp: 172.24.0.1 moved from xx to yy on vtnet0:

hing passed through?
That's an HP MAC address. Something sharing it?

I use passed though mode. Nothing share this interface.
That happen only one or two times per hour.

JKnott

@huamulanmushu said in pfsense 2.4.5p1 bug: arp: 172.24.0.1 moved from xx to yy on vtnet0:

I use passed though mode.

What do you mean by "mode". Arp can't come from anything beyond a router, as it isn't even IP.

huamulanmushu

@JKnott I use KVM. vtnet2 is virtual interface that is directly attach to real interface using passthrough mode (KVM). And I also check MAC table on switch. This arp is come from vtnet2, not other port.