Arp problem



  • Hi Everyone.

    I have problem with my pfsense. Sometimes I have this in System Logs:

    kernel: arp: 192.168.1.75 moved from 00:04:5a:49:eb:74

    to 00:50:0f:4f:c0:00 on fxp1
    kernel: arp: 192.168.1.75 moved from 00:50:0f:4f:c0:00
    to 00:04:5a:49:eb:74 on fxp1
    kernel: arp: 192.168.1.75 moved from 00:04:5a:49:eb:74
    to 00:50:0f:4f:c0:00 on fxp1
    kernel: arp: 192.168.1.75 moved from 00:50:0f:4f:c0:00
    to 00:04:5a:49:eb:74 on fxp1
    /kernel: arp: 192.168.1.75 moved from 00:04:5a:49:eb:74
    to 00:50:0f:4f:c0:00 on fxp1

    (This is example)

    fxp1 is my LAN Interface.

    And when it happens Internet Connection doesn't work on PC with this LAN IP (192.168.1.75).

    That's happened earlier with others LAN IP's.

    Thanks in advance for any help.



  • Enable System -> Advanced -> Shared Physical Network



  • @sullrich:

    Enable System -> Advanced -> Shared Physical Network

    It's already Enabled but it doesn't help.



  • You have 2 clients in your LAN that use the same IP (the mac is changing for that IP). Find the clients and set up your network properly and the problem will go away.



  • Ok - I have another problem with ARP  :-\

    In system Logs I've something like that:

    Aug 16 14:46:28  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:45:24  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:45:22  kernel: arp: 192.168.1.34 moved from b2:cc:ba:e9:cb:ae to 00:0b:6a:b7:24:9e on fxp1
    Aug 16 14:45:18  kernel: arp: 192.168.1.34 moved from 00:0b:6a:b7:24:9e to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:44:46  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:44:09  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:43:30  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:43:16  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:43:14  kernel: arp: 192.168.1.34 moved from b2:cc:ba:e9:cb:ae to 00:0b:6a:b7:24:9e on fxp1
    Aug 16 14:43:11  kernel: arp: 192.168.1.34 moved from 00:0b:6a:b7:24:9e to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:39:04  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:38:52  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:38:39  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:38:35  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:38:32  kernel: arp: 192.168.1.34 moved from b2:cc:ba:e9:cb:ae to 00:0b:6a:b7:24:9e on fxp1
    Aug 16 14:35:50  kernel: arp: 192.168.1.34 moved from 00:0b:6a:b7:24:9e to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:35:37  kernel: arp: 192.168.1.121 moved from b2:cc:ba:e9:cb:ae to 00:40:95:09:6d:3e on fxp1
    Aug 16 14:35:34  kernel: arp: 192.168.1.121 moved from 00:40:95:09:6d:3e to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:35:27  kernel: arp: 192.168.1.126 moved from b2:cc:ba:e9:cb:ae to 00:30:4f:34:3c:5a on fxp1
    Aug 16 14:35:24  kernel: arp: 192.168.1.126 moved from 00:30:4f:34:3c:5a to b2:cc:ba:e9:cb:ae on fxp1
    Aug 16 14:35:20  kernel: arp: 192.168.1.75 moved from b2:cc:ba:e9:cb:ae to 00:11:95:5b:6a:ae on fxp1
    Aug 16 14:35:16  kernel: arp: 192.168.1.75 moved from 00:11:95:5b:6a:ae to b2:cc:ba:e9:cb:ae on fxp1

    As you see, i've problem with this MAC adress -> b2:cc:ba:e9:cb:ae

    Goggle says - NetCut.

    My question is:

    How to find someone in my LAN who uses NetCut or how to prevent this ?

    Function in System -> Advanced -> Shared Physical Network is already enabled.

    Thanks in advance for any help.



  • @liopi:

    ….As you see, i've problem with this MAC adress -> b2:cc:ba:e9:cb:ae

    No.
    Something behind this network adress is using (changing) it's IP to already other used IP's on your LAN.
    The kernel gets nuts about this - and just report this to you.

    Ok - I have another problem with ARP  :-\

    No.
    You still have the same problem as mentionned above.
    Please stop this 'tool', running on the device with the b2:cc:ba:e9:cb:ae MAC and all will be fine.
    To do a quick test - locate this device - and remove the cable.

    Also: a switch you use became mad - its internal MAC tables are getting fckd up - change any used switched on your LAN to check.



  • @Gertjan:

    @liopi:

    ….As you see, i've problem with this MAC adress -> b2:cc:ba:e9:cb:ae

    No.
    Something behind this network adress is using (changing) it's IP to already other used IP's on your LAN.
    The kernel gets nuts about this - and just report this to you.

    Ok - I have another problem with ARP  :-\

    No.
    You still have the same problem as mentionned above.
    Please stop this 'tool', running on the device with the b2:cc:ba:e9:cb:ae MAC and all will be fine.
    To do a quick test - locate this device - and remove the cable.

    Also: a switch you use became mad - its internal MAC tables are getting fckd up - change any used switched on your LAN to check.

    Hmm

    I don't have any device in my LAN with that (b2:cc:ba:e9:cb:ae) MAC adress.

    Here some guy has the same problem as I –> http://www.linuxquestions.org/questions/showthread.php?t=456830

    I still waiting for any help.



  • Ok - Ok - You caught us.  You've found the special MAC address that we've hidden in pfSense just to have it randomly complain about to infuriate users, especially users that seem to demand that we fix network issues that pfSense points out…

    Or, more likely, you have a minor issue on your network and you aren't providing enough information for us to help you...

    You've stated that fxp1 is your LAN interface.  Other than the copy/paste of your System Log, that's about the only useful information you've given us about your network.

    I'm going to go out on a limb and guess that the devices you are talking about are DHCP assigned devices...  Have you tried assigning static IPs to these devices?  Or are there too many to do that for?  (Home network with 4-5 machines, or is this a business network with 50+ machines?)

    What OS do they run?  Are they connected via wireless? Do you have any other routers or bridges on this network?

    More information is more likely to result in an answer.



  • Btw, check if you have 2 DHCP servers running. In that case a client requesting a lease will randomly get one from the one or the other (the one that answers the current request faster wins). In that case you might see clients hopping between IPs too.


Locked