Delete a permanent ARP entry when pFSense refuses to do so.
-
How can I force remove a 'permanent' ARP entry that I did not make?
I do not use static IP except for the LAN port of the firewall, I do not use the DHCP server either.
For whatever reason pFSense has decided to permanently bind the IP address of one of my internal switches to its own MAC address - so the pFSense LAN has a fixed IP on its own MAC address as permanent but it has now also bound an internal switch IP to the same MAC address - which is totally wrong.
The ARP mapping is marked permanent and there seems to be no way to remove it - pFSense refuses no matter how many restarts or deletion attempts.
LAN 10.100.255.249 00:90:27:e2:97:14 Permanent ethernet
LAN 10.100.255.254 00:90:27:e2:97:14 N36-pFSense.number36.org Permanent ethernet
Can a more experienced person point the way to teach pFSense some manners? I've scoured a backup file and there's no indication in there why it has done this. The IP on the LAN has never changed. 249 belongs to a managed switch - always has.
My next assault on this box will involve a USB key.
Edit : I found the culprit - pfBlockerNG - any DNSBL Virtual IP you set will become a permanent ARP bound to the firewall's LAN MAC - even if the virtual IP is changed the permanent ARP entry is not removed.
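An added check, not part of the original post: a small Python audit that parses rows laid out like the ARP table quoted above and flags permanent entries that borrow the firewall's own MAC for an IP the firewall does not own (the exact symptom of the stale DNSBL VIP). The sample rows and the set of firewall-owned addresses are constructed for the example.

```python
import re

# Constructed sample in the layout of the pfSense Diagnostics > ARP Table
# (interface, IP, MAC, optional hostname, status, link type); not real output.
SAMPLE_ARP_TABLE = """\
LAN 10.100.255.249 00:90:27:e2:97:14 Permanent ethernet
LAN 10.100.255.254 00:90:27:e2:97:14 N36-pFSense.number36.org Permanent ethernet
LAN 10.100.255.10 3c:52:82:aa:bb:cc Expires in 1137 seconds ethernet
"""

# Assumption: addresses the firewall itself owns, per interface (in practice
# taken from the interface configuration; hard-coded here for the example).
FIREWALL_ADDRESSES = {"LAN": {"10.100.255.254"}}

ROW_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})\s+"
    r"(?:(?P<host>\S+)\s+)?(?P<status>Permanent|Expires in \d+ seconds)\s+"
    r"(?P<link>\S+)$",
    re.IGNORECASE,
)


def parse_arp_table(text):
    """Parse table rows into dicts; rows that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def find_stray_permanent_entries(rows, firewall_addresses):
    """Return (iface, ip, mac) for permanent entries whose MAC also serves a
    firewall-owned IP on that interface but whose IP is not the firewall's."""
    owned_macs = set()
    for r in rows:
        owned = firewall_addresses.get(r["iface"], set())
        if r["status"].lower() == "permanent" and r["ip"] in owned:
            owned_macs.add((r["iface"], r["mac"].lower()))
    stray = []
    for r in rows:
        owned = firewall_addresses.get(r["iface"], set())
        key = (r["iface"], r["mac"].lower())
        if r["status"].lower() == "permanent" and key in owned_macs and r["ip"] not in owned:
            stray.append((r["iface"], r["ip"], r["mac"]))
    return stray


if __name__ == "__main__":
    for entry in find_stray_permanent_entries(parse_arp_table(SAMPLE_ARP_TABLE), FIREWALL_ADDRESSES):
        print("stray permanent ARP entry:", entry)
```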
-
@benkenobe said in Delete a permanent ARP entry when pFSense refuses to do so.:
Edit : I found the culprit - pfBlockerNG - any DNSBL Virtual IP you set will become a permanent ARP bound to the firewall's LAN MAC - even if the virtual IP is changed the permanent ARP entry is not removed.
Change it in pfblocker.
-
@johnpoz Done - I really don't know why it needs that IP - it's past time some of the RFCs were revisited.
-
@benkenobe You set that IP so it can set an IP to redirect clients to on a block.
What version are you running, because I think that changed to be a loopback entry.
Here when I enabled that with the 10.10.10.1 address it only shows up on the lo interface:
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
    options=680003<RXCSUM,TXCSUM,LINKSTATE,RXCSUM_IPV6,TXCSUM_IPV6>
    inet6 ::1 prefixlen 128
    inet6 fe80::1%lo0 prefixlen 64 scopeid 0x8
    inet 127.0.0.1 netmask 0xff000000
    inet 10.10.10.1 netmask 0xffffffff
    groups: lo
    nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
The way it was doing the vip before was problematic..
edit: here that was changed quite some time ago
https://github.com/pfsense/FreeBSD-ports/pull/732
-
@johnpoz whatever the latest is - I've got a bit lazy with it all to be honest and only look when stuff goes pear shaped - 2.1.4.26
-
@benkenobe pfblocker dev current is 3.1.0_1
You're not even running dev? Yeah, lots of stuff not back-ported to that.. I don't think there really is a reason not to be running the dev version.
I didn't find the exact post from @BBcan177 but I did find this statement on a quick search
https://forum.netgate.com/post/933012
Pfblockerng is abandoned in favor of pfblockerng-devel and it will be removed sooner or later
-
@johnpoz many thanks I shall take it on the chin and update .... will see how things play after that - I guess I took the 'you're on the latest version' for granted.