Netgate Discussion Forum

Static ARP entry through ui?

General pfSense Questions
17 Posts 6 Posters 2.3k Views
  • Y
    yswery
    last edited by Mar 10, 2021, 8:45 PM

    So I need to add a static ARP entry in my pfSense lab setup (due to some constraints).

    I use the following command in the CLI:

    arp -S 1.2.3.4 12:34:56:78:9A:BC
    

    Now this works great and does exactly as I need, however, every time I make a change in my "interface" section on the WebUI of pfSense and click on "Apply" it removes this static entry.

    Is there a way to do this static entry in the UI potentially that will get regenerated after a new network config apply or reboot?

    Many thanks!

    1 Reply Last reply Reply Quote 0
    • L
      lanrat
      last edited by Sep 21, 2021, 8:55 PM

      Did you ever find a solution to this? I'd like to have the same ability.

      My current hack around this is to set up a cron job to run that command every few minutes.

      1 Reply Last reply Reply Quote 0
      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Sep 22, 2021, 12:37 PM

        Static ARP entries are managed via DHCP static mappings. Add a new mapping, enter the MAC and IP address, then check the box on the mapping to add a static ARP entry.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        J 1 Reply Last reply Sep 22, 2021, 2:35 PM Reply Quote 0
        • J
          JKnott @jimp
          last edited by Sep 22, 2021, 2:35 PM

          @jimp

          I'm not sure that's what he wants. Sometimes you need a permanent entry in the arp cache and I don't know that will do it. A few years ago, when I was setting up some Axis cameras I had to either use a static arp to access the camera before I could configure it or use the Axis app, which didn't rely on IP. If I'm not mistaken, mapping MAC to IP in the DHCP server simply reserves that IP address to that device and does nothing with the arp cache. The normal way for the arp cache to be populated is an arp request is sent out, asking for the MAC for an IP address. In this case, those cameras couldn't respond, as they didn't yet know their IP address.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

          J 1 Reply Last reply Sep 22, 2021, 2:41 PM Reply Quote 0
          • J
            johnpoz LAYER 8 Global Moderator @JKnott
            last edited by Sep 22, 2021, 2:41 PM

            @jknott Yeah that is exactly what he wants.

            arp.jpg

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
            • L
              lanrat
              last edited by Sep 22, 2021, 2:44 PM

              In my specific use case I'm looking for a static arp entry on my WAN interface. So the DHCP server settings won't help.

              J 1 Reply Last reply Sep 22, 2021, 3:34 PM Reply Quote 0
              • J
                jimp Rebel Alliance Developer Netgate @lanrat
                last edited by Sep 22, 2021, 3:34 PM

                @lanrat said in Static ARP entry through ui?:

                In my specific use case I'm looking for a static arp entry on my WAN interface. So the DHCP server settings won't help.

                If your WAN is static you can still do that with a static mapping entry on the WAN tab of the DHCP server without enabling DHCP there. I haven't tried that lately but IIRC that used to work.

                If it's not a static WAN, or if that doesn't work, then you may need to use some other method like you have been doing.

                It's highly unusual to need static ARP like that, though. Usually that "need" is more indicative of some other underlying problem that could be solved instead.

                L 1 Reply Last reply Sep 22, 2021, 6:03 PM Reply Quote 0
                • L
                  lanrat @jimp
                  last edited by Sep 22, 2021, 6:03 PM

                  Unfortunately my WAN is dynamic. So it looks like shellcmd is my best option.

                  I agree this solution is not ideal. The real problem is my ISP does not filter the WAN traffic and someone else is sending fake ARP packets on the WAN. Manually setting the ARP to my ISP's gateway fixes this.

                  J J 2 Replies Last reply Sep 22, 2021, 6:05 PM Reply Quote 0
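The cron/shellcmd workaround described in the post above, sketched as an added example that is not part of any post in this thread: a script that reads `arp -an`, compares the gateway's entry against a pinned MAC, and re-applies `arp -S` only when the entry is missing, not permanent, or different, logging any mismatch. The gateway IP, both MAC addresses and the sample table are constructed placeholders, and the FreeBSD `arp -an` line format is assumed.

```sh
#!/bin/sh
# Added example: keep a pinned ARP entry for the upstream gateway in place.
# GW_IP and GW_MAC are constructed placeholders, not values from the thread.
GW_IP="${GW_IP:-198.51.100.1}"
GW_MAC="${GW_MAC:-02:00:5e:10:00:01}"

# Constructed sample of `arp -an` output, used only for offline checks.
SAMPLE='? (198.51.100.1) at 02:00:5e:99:00:aa on em0 expires in 1187 seconds [ethernet]
? (198.51.100.23) at 02:00:5e:10:00:17 on em0 permanent [ethernet]'

# entry_state IP MAC: reads `arp -an` output on stdin and prints one of
#   ok | missing | dynamic | mismatch:<mac seen>
entry_state() {
    awk -v ip="($1)" -v want="$(printf '%s' "$2" | tr 'A-F' 'a-f')" '
        $2 == ip {
            seen = 1
            mac = tolower($4)
            if (mac != want)         { print "mismatch:" mac; exit }
            if ($0 !~ / permanent /) { print "dynamic"; exit }
            print "ok"; exit
        }
        END { if (!seen) print "missing" }'
}

# enforce: re-apply the static entry only when needed, and record the MAC
# that was in the table so an unexpected answer leaves a trace in syslog.
enforce() {
    state=$(arp -an | entry_state "$GW_IP" "$GW_MAC")
    case "$state" in
        ok) return 0 ;;
        mismatch:*)
            logger -t arp-pin \
                "gateway $GW_IP resolved to ${state#mismatch:}, expected $GW_MAC" ;;
    esac
    arp -S "$GW_IP" "$GW_MAC"
}

# Only touches the ARP table when asked to, e.g. from cron or shellcmd.
if [ "${1:-}" = "--enforce" ]; then enforce; fi
```

The logged mismatches give a record of which MAC was answering for the gateway and when, which is the information asked for later in the thread.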
                  • J
                    johnpoz LAYER 8 Global Moderator @lanrat
                    last edited by Sep 22, 2021, 6:05 PM

                    @lanrat said in Static ARP entry through ui?:

                    someone else is sending fake ARP packets on the WAN

                    Seems like something I would contact the isp about.

                    L 1 Reply Last reply Sep 22, 2021, 6:37 PM Reply Quote 0
                    • L
                      lanrat @johnpoz
                      last edited by Sep 22, 2021, 6:37 PM

                      @johnpoz I have many times. Unfortunately they don't seem to understand or care. It's a small community ISP.

                      J 1 Reply Last reply Sep 22, 2021, 7:00 PM Reply Quote 0
                      • J
                        johnpoz LAYER 8 Global Moderator @lanrat
                        last edited by johnpoz Sep 22, 2021, 7:10 PM Sep 22, 2021, 7:00 PM

                        @lanrat so if you don't set static arp - and send traffic to this fake one.. Does it not go anywhere? Or does it actually still work? I would have to assume it's someone trying to route traffic through themselves for nefarious reasons - or some sort of misconfig. If a misconfiguration, wouldn't all their other customers not smart enough to set a static arp be down?

                        Would you mind sharing what the correct mac is, and what you consider the bad/fake one? You sure it's not just some sort of hsrp, carp or vrrp sort of thing? Where the isp has a HA pair setup?

                        Maybe they don't care because they think you're crazy ;) And they have some sort of ha setup and you're just setting static to one of the physical mac vs the vip?

                        1 Reply Last reply Reply Quote 0
                        • J
                          JKnott @lanrat
                          last edited by Sep 22, 2021, 7:33 PM

                          @lanrat

                          What type of connection do you have? Do you have a MAC address for the bogus ARP packets?

                          1 Reply Last reply Reply Quote 0
                          • L
                            lanrat
                            last edited by Sep 22, 2021, 8:55 PM

                            I use a local WISP.
                            This affects all the users in my building.

                            The ISP's official solution to this is: "keep rebooting your modem until you get the correct WAN IP." I was not amused.

                            The OUI for the MAC being broadcast is for a Netgear router. I think some user plugged their router's LAN port into the ISP's connection. And since the ISP does no filtering on the WAN, everyone gets the Netgear router's DHCP leases along with the ISP's. But since the Netgear router is in the building, it usually wins the race condition. (This is my best guess given the information I have.)

                            I could also set the DHCP client to only accept leases from the correct DHCP server, but this would only work for IPv4 and not IPv6 (which is also being broadcast by both the ISP and the random Netgear router).

                            stephenw10S 1 Reply Last reply Sep 22, 2021, 11:13 PM Reply Quote 0
                            • L
                              lanrat
                              last edited by lanrat Sep 22, 2021, 8:59 PM Sep 22, 2021, 8:59 PM

                              To add: I have very low confidence in my ISP.

                              Most of their backend infrastructure is using default passwords and some is publicly exposed to the internet.

                              I've complained to them countless times about this but they just say they will look into it. It's been 2+ years since I first reported this to them, with no action taken. I don't expect them to change anything, and unfortunately I have no (practical) choice in ISP.

                              J 1 Reply Last reply Sep 23, 2021, 5:20 AM Reply Quote 0
                              • stephenw10S
                                stephenw10 Netgate Administrator @lanrat
                                last edited by Sep 22, 2021, 11:13 PM

                                @lanrat said in Static ARP entry through ui?:

                                The ISP's official solution to this is: "keep rebooting your modem until you get the correct WAN IP." I was not amused.

                                Ouch. 🙄

                                You have any idea what the other device is? Is it giving you an IP in the same/correct subnet?

                                You can set the WAN to reject leases from an IP if it's just some other customer's badly configured router.

                                Steve

                                1 Reply Last reply Reply Quote 0
                                • J
                                  johnpoz LAYER 8 Global Moderator @lanrat
                                  last edited by Sep 23, 2021, 5:20 AM

                                  @lanrat said in Static ARP entry through ui?:

                                  To add: I have very low confidence in my ISP.

                                  hehe - sorry to laugh, but man that sucks! You have any idea how many customers in the building? Maybe it would be possible to involve the building management to track down this bad netgear device?

                                  1 Reply Last reply Reply Quote 0
                                  • J
                                    jimp Rebel Alliance Developer Netgate
                                    last edited by Sep 23, 2021, 12:05 PM

                                    Yikes that is ugly.

                                    If it's that badly configured, have you tried logging into that random device with default credentials and turning off DHCP? :-)

                                    1 Reply Last reply Reply Quote 1