Two MAC address on LAN interface

mailk · Jun 17, 2021, 9:05 AM

Hello!

My antivirus started detecting ARP poisoning attacks on my pfsense LAN ip address.
10.1.2.250 [4c:52:62:2b:57:6d];10.1.2.250 [00:00:5e:00:01:0c];

The real interface MAC address is 4c:52:62:2b:57:6d.
I dont know where the 00:00:5e:00:01:0c address is comming from.

I checked the host table of the switch that is directrly connected to the pfsense box and the switch sees this 00:00:5e:00:01:0c adress on the interface it is connected to the pfsense box.
The switch also sees the real MAC address on that interface too.

I cant find this second MAC adress anywhere in pfsense.

Any clue?
Thanks.

johnpoz · Jun 17, 2021, 10:21 AM

@mailk said in Two MAC address on LAN interface:

00:00:5e:00:01:0c

That is a carp address mac with vhid 12..

So your running pfsense in HA, or you tried to set it up? You setup a carp vip?

mailk · Jun 17, 2021, 10:37 AM

@johnpoz
Yes, its a CARP vip address, it is like that from the begining, sorry i forgot to mention it.
Now i can see in the documentation that it gets a unique MAC basd on the VHID.

The question is, why did the AV started to alert about it now?

stephenw10 · Jun 17, 2021, 12:53 PM

I assume 10.1.2.250 is the CARP IP not the interface IP?

If so that's how it has always worked. You would need to ask your antivirus vendor why it is now flagging that.

Steve

mailk · Jun 17, 2021, 1:05 PM

The problem has been resolved.
I just needed to flush the ARP table on the client computers.
Somehow the phisical interface MAC (4c:52:62:2b:57:6d) was in their table not the "CARP MAC" (00:00:5e:00:01:0c).
Thats why the AV was fustrated.

Thanks for the comments!

funtiklugin · Feb 27, 2025, 2:58 PM

This post is deleted!