Static ARP entry through ui?

yswery

So I need to add a static Arp entry in my PFsense lab set up (due to some constraints)

I use the following command in CLI

arp -S 1.2.3.4 12:34:56:78:9A:BC

Now this works great and does exactly as I need, however, every time I make a change in my "interface" section on the WebUI of pfsense and click on "Apply" it removed this static entry.

Is there a way to do this static entry in the UI potentially that will get regenerated after a new network config apply or reboot?

Many thanks!

lanrat

Did you ever find a solution to this? I'd like to have the same ability.

My current hack around this is to setup a cron job to run that commend very few minutes.

jimp

Static ARP entries are managed via DHCP static mappings. Add a new mapping, enter the MAC and IP address, then check the box on the mapping to add a static ARP entry.

JKnott

@jimp

I'm not sure that's what he wants. Sometimes you need a permanent entry in the arp cache and I don't know that will do it. A few years ago, when I was setting up some Axis cameras I had to either use a static arp to access the camera before I could configure it or use the Axis app, which didn't rely on IP. If I'm not mistaken, mapping MAC to IP in the DHCP server simply reserves that IP address to that device and does nothing with the arp cache. The normal way for the arp cache to be populated is an arp request is sent out, asking for the MAC for an IP address. In this case, those cameras couldn't respond, as they didn't yet know their IP address.

johnpoz

@jknott Yeah that is exactly what he wants.

lanrat

In my specific use case I'm looking for a static arp entry on my WAN interface. So the DHCP server settings won't help.

jimp

@lanrat said in Static ARP entry through ui?:

In my specific use case I'm looking for a static arp entry on my WAN interface. So the DHCP server settings won't help.

If your WAN is static you can still do that with a static mapping entry on the WAN tab of the DHCP server without enabling DHCP there. I haven't tried that lately but IIRC that used to work.

If it's not a static WAN, or if that doesn't work, then you may need to use some other method like you have been doing.

It's highly unusual to need static ARP like that, though. Usually that "need" is more indicative of some other underlying problem that could be solved instead.

lanrat

Unfortunately my WAN is dynamic. So it looks like shellcmd is my best option.

I agree this solution is not ideal. The real problem is my ISP does not filter the WAN traffic and someone else is sending fake ARP packets on the WAN. Manually setting the ARP to my ISP's gateway fixes this.

johnpoz

@lanrat said in Static ARP entry through ui?:

someone else is sending fake ARP packets on the WAN

Seems like something I would contact the isp about.

lanrat

@johnpoz I have many times. Unfortunately they don't seem to understand or care. Its a small community ISP.

johnpoz

@lanrat so if you don't set static arp - and send traffic to this fake one.. Does it not go anywhere? Or does it actually still work? I would have to assume it someone trying to route traffic through themselves for nefarious reasons - or some sort of misconfig. If a misconfiguration, wouldn't all their other customers not smart enough to set a static arp be down?

Would you mind sharing what the correct mac is, and what you consider the bad/fake one? You sure its not just some sort of hsrp, carp or vrrp sort of thing? Where the isp has a HA pair setup?

Maybe they don't care because they think your crazy ;) And they have some sort of ha setup and your just setting static to one of the physical mac vs the vip?

JKnott

@lanrat

What type of connection do you have? Do you have a MAC address for the bogus ARP packets?

lanrat

I use a local WISP.
This affects all the users in my building.

The ISP's official solution to this is: "keep rebooting your modem until you get the correct WAN IP." I was not amused.

The OUI for the MAC being broadcast is for a netgear router. I think some user plugged their routers LAN port into the ISP's connection. And since the ISP does no filtering on the WAN, everyone gets the netgear router's DHCP leases along with the ISP's. But since the netgear router is in the building, it usually wins the race-condition. (this is my best guess giving the information I have).

I could also set the DHCP client to only accept leases from the correct DHCP server, but this would only work for IPv4 and not IPv6. (which is also being broadcast by both the ISP and random netgear router)

lanrat

To add: I have very low confidence in my ISP.

Most of their backend infrastructure is using default passwords and some is publicly exposed to the internet.

I've complained to them countless times about this but they just say they will look into it. Its been 2+ years since I first reported this to them, with no action taken. I don't expect them to change anything, and unfortunately I have no (practical) choice in ISP.

stephenw10

@lanrat said in Static ARP entry through ui?:

The ISP's official solution to this is: "keep rebooting your modem until you get the correct WAN IP." I was not amused.

Ouch.

You have any idea what the other device is? Is it giving you an IP in the same/correct subnet?

You can set the WAN to reject leases from an IP if it's just some other customers badly configured router.

Steve

johnpoz

@lanrat said in Static ARP entry through ui?:

To add: I have very low confidence in my ISP.

hehe - sorry to laugh, but man that sucks! You have any idea how many customers in the building? Maybe it would be possible to involve the building management to track down this bad netgear device?

jimp

Yikes that is ugly.

If it's that badly configured, have you tried logging into that random device with default credentials and turning off DHCP? :-)