Netgate Discussion Forum

Am I getting "Static ARP" wrong?

DHCP and DNS
12 Posts 3 Posters 1.3k Views
  • S
    scilek
    last edited by Mar 1, 2022, 7:52 PM

    I am trying to assign each device its own static IP address but also prevent their users from setting the IP addresses manually. If a user sets a custom IP address for his/her device, it should not be able to communicate with pfSense at all.

    I read somewhere that this is possible using what is called "static ARP". All I have to do is to assign each MAC address a static IP in the DHCP settings and tick the "Create an ARP Table Static Entry for this MAC & IP Address pair." checkbox, as shown below:

    7b28116e-f16f-4aa8-944e-dc0f6a1d9b89-image.png

    However, I manually assigned an IP address to the device and it was able to access the Internet.

    Is this a bug or have I been terribly misinformed?

    Is there any way I can achieve this?

    • J
      johnpoz LAYER 8 Global Moderator @scilek
      last edited by johnpoz Mar 1, 2022, 8:10 PM Mar 1, 2022, 8:07 PM

      @scilek did you enable the static ARP?

      staticarp.jpg

      Not just have it create the ARP pair?

      Let's say you set up static ARP. What this prevents is some other device using that IP, because, say, IP 192.168.1.100 can only have MAC address aa:bb:cc:00:11:22.

      So IP 192.168.1.101 could not also point to that same MAC, or 1.100 to a different MAC.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • S
        scilek @johnpoz
        last edited by Mar 1, 2022, 8:17 PM

        @johnpoz

        I definitely missed that in my haste to get it to work.

        I ticked that checkbox and tried again. It did not work.

        But then I remembered something. This LAN interface is a bridge between a Wi-Fi and an Ethernet interface. Could that be the cause of the problem?

        • S
          scilek @scilek
          last edited by scilek Mar 1, 2022, 8:38 PM Mar 1, 2022, 8:29 PM

          @scilek

          Oh, I think I've got the hang of it now. I missed that.

          Thank you very much.

          • J
            JKnott @scilek
            last edited by Mar 1, 2022, 9:02 PM

            @scilek

            Are you sure that's what you want? You will have to set the static ARP on every device that might communicate with it. Normally, a static IP mapping is used. Also, creating a static ARP will not prevent someone from configuring an address. When that happens, the device will now respond to both addresses. To understand why this happens you have to look at the purpose of ARP. It is to match a MAC address with an IP address and all communications with the device are actually done with the MAC address and the IP address & ARP is only a means to determine that MAC address. By using a static ARP, you simply bypass the ARP request & reply.

            PfSense running on Qotom mini PC
            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
            UniFi AC-Lite access point

            I haven't lost my mind. It's around here...somewhere...

            • S
              scilek @JKnott
              last edited by Mar 2, 2022, 5:26 AM

              @jknott said in Am I getting "Static ARP" wrong?:

              Are you sure that's what you want?

              Yes.

              @jknott said in Am I getting "Static ARP" wrong?:

              You will have to set the static ARP on every device that might communicate with it.

              Someone else is going to do that.

              @jknott said in Am I getting "Static ARP" wrong?:

              Also, creating a static ARP will not prevent someone from configuring an address.

              Yes, I know.

              @jknott said in Am I getting "Static ARP" wrong?:

              When that happens, the device will now respond to both addresses.

              When the user configures a MAC and an IP address?

              @jknott said in Am I getting "Static ARP" wrong?:

              To understand why this happens you have to look at the purpose of ARP. It is to match a MAC address with an IP address and all communications with the device are actually done with the MAC address and the IP address & ARP is only a means to determine that MAC address.

              I know.

              @jknott said in Am I getting "Static ARP" wrong?:

              By using a static ARP, you simply bypass the ARP request & reply.

              I didn't know that, thanks for the information.

              • J
                JKnott @scilek
                last edited by Mar 2, 2022, 2:10 PM

                @scilek said in Am I getting "Static ARP" wrong?:

                When that happens, the device will now respond to both addresses.

                When the user configures a MAC and an IP address?

                Yes. Setting a static ARP on computer A has no effect on setting the address on B. It will still be able to get an address with DHCP or static config. If you set up a static mapping on the DHCP server, you will get the address you want. If a user changes to a static address, you are no worse off than you were before. Also, computers should not allow mere mortals to be changing this. A big problem with Windows is so many users run as admin, which leaves the system wide open to malware, in addition to letting users tamper with things they shouldn't. That generally doesn't happen with Linux.


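The two explanations above (johnpoz's, that a pinned IP/MAC pair only stops another device from taking that IP, and JKnott's, that a static ARP entry on the firewall does nothing to stop a host from configuring whatever address it likes) can be checked against a small model. The Python below is an added example, not code from this thread, from pfSense or from FreeBSD. It assumes a deliberately simplified ARP cache: `static_only=False` stands for the "Create an ARP Table Static Entry" checkbox alone, and `static_only=True` stands for the interface-level static ARP mode that the DHCP server's "Enable Static ARP entries" option turns on, in which the firewall's interface stops learning mappings from ARP traffic and only uses the pinned entries. The class and function names, the IP addresses and the MAC addresses are all constructed for the example.

```python
"""Toy model of a firewall's ARP cache (an assumption of this example, not
pfSense/FreeBSD code) used to see what "static ARP" does and does not stop."""
from dataclasses import dataclass, field


@dataclass
class ArpEntry:
    mac: str
    static: bool


@dataclass
class ArpCache:
    # True models the interface-level static ARP mode: nothing is ever
    # learned from ARP traffic, only pinned entries are used.
    static_only: bool = False
    table: dict = field(default_factory=dict)

    def add_static(self, ip: str, mac: str) -> None:
        """Pin an IP/MAC pair (the 'Create an ARP Table Static Entry' checkbox)."""
        self.table[ip] = ArpEntry(mac, static=True)

    def learn(self, ip: str, mac: str) -> bool:
        """ARP request/reply arrives claiming `ip` is at `mac`.
        Returns True if the claim was recorded, False if it was ignored."""
        if self.static_only:
            return False            # static ARP mode: never learn from the wire
        entry = self.table.get(ip)
        if entry is not None and entry.static:
            return False            # a pinned entry is not overwritten by a claim
        self.table[ip] = ArpEntry(mac, static=False)
        return True

    def resolve(self, ip: str):
        """MAC the firewall would put on a frame for `ip`, or None if unknown."""
        entry = self.table.get(ip)
        return entry.mac if entry is not None else None


def can_firewall_reply(cache: ArpCache, src_ip: str, src_mac: str) -> bool:
    """A host at (src_ip, src_mac) sends a packet to the firewall, which then
    tries to answer it. The answer only reaches the host if the cache resolves
    src_ip to that host's MAC; the firewall receiving the packet is never the
    problem, because the host already knows the firewall's MAC."""
    cache.learn(src_ip, src_mac)    # the ARP exchange that precedes the packet
    return cache.resolve(src_ip) == src_mac


def run_scenarios(static_only: bool) -> dict:
    """Pin 192.168.1.100 -> aa:bb:cc:00:11:22 (constructed values) and try
    three hosts against the firewall."""
    cache = ArpCache(static_only=static_only)
    cache.add_static("192.168.1.100", "aa:bb:cc:00:11:22")
    return {
        # The device the pair was made for, using the address it was given.
        "correct_pair": can_firewall_reply(cache, "192.168.1.100", "aa:bb:cc:00:11:22"),
        # The same device after its user typed in a different static IP.
        "same_mac_other_ip": can_firewall_reply(cache, "192.168.1.150", "aa:bb:cc:00:11:22"),
        # A different device trying to use the pinned IP.
        "other_mac_claims_ip": can_firewall_reply(cache, "192.168.1.100", "dd:ee:ff:33:44:55"),
    }


def scenario_arp_pair_only() -> dict:
    """Only the per-mapping 'Create an ARP Table Static Entry' box is ticked."""
    return run_scenarios(static_only=False)


def scenario_static_arp_enabled() -> dict:
    """'Enable Static ARP entries' is ticked on the interface as well."""
    return run_scenarios(static_only=True)


if __name__ == "__main__":
    print("ARP pair only:      ", scenario_arp_pair_only())
    print("static ARP enabled: ", scenario_static_arp_enabled())
```

With only the pair pinned, the device that changes its own IP still gets answered, because the firewall simply learns the new address; the pin only blocks a second device from taking 192.168.1.100. With static ARP enabled on the interface, the firewall never learns the new address, so the device that changed its IP gets no replies, which is the behaviour the original poster was after. In both modes the only thing being keyed on is the MAC address, so the model cannot tell two devices with the same MAC apart, which is the limitation JKnott is pointing at and the reason the later replies steer towards firewall rules that do not depend on individual IPs.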
                • J
                  johnpoz LAYER 8 Global Moderator @scilek
                  last edited by Mar 2, 2022, 2:16 PM

                  @scilek running static ARP on your network is a bit of overkill more often than not. What exactly are you trying to stop or mitigate from happening?

                  If you're worried about users changing their IP to get around rules, the simple solution to that is just to make sure none of the rules call out a specific IP. All devices on VLAN X can or cannot do whatever; it doesn't matter what IP they have.

                  If your network is set up correctly, it would be almost impossible for a device to just change VLANs. They shouldn't be able to plug into any other port. They should have the creds to get on a Wi-Fi that is a different VLAN, etc.


                  • S
                    scilek @JKnott
                    last edited by Mar 2, 2022, 2:18 PM

                    @jknott said in Am I getting "Static ARP" wrong?:

                    Setting a static ARP on computer A has no effect on setting the address on B. It will still be able to get an address with DHCP or static config. If you set up a static mapping on the DHCP server, you will get the address you want. If a user changes to a static address, you are no worse off than you were before.

                    Yes, I am aware of the fact and I can live with that. The users will be notified that their device MAC addresses will be their signatures, so they are supposed to keep them secret.

                    @jknott said in Am I getting "Static ARP" wrong?:

                    Also, computers should not allow mere mortals to be changing this. A big problem with Windows is so many users run as admin, which leaves the system wide open to malware, in addition to letting users tamper with things they shouldn't.

                    That is not possible. Now, even smartphones come with an option to hide their real MAC address.

                    @jknott said in Am I getting "Static ARP" wrong?:

                    That generally doesn't happen with Linux.

                    FreeBSD rules.

                    • S
                      scilek @johnpoz
                      last edited by scilek Mar 2, 2022, 2:29 PM Mar 2, 2022, 2:23 PM

                      @johnpoz said in Am I getting "Static ARP" wrong?:

                      running static ARP on your network is a bit of overkill more often than not. What exactly are you trying to stop or mitigate from happening?

                      I am trying to associate users with devices, and prevent unauthorized device access and make sure the same device gets the same IP address every time and not allow another device to use it.

                      @johnpoz said in Am I getting "Static ARP" wrong?:

                      If your network is set up correctly, it would be almost impossible for a device to just change VLANs. They shouldn't be able to plug into any other port. They should have the creds to get on a Wi-Fi that is a different VLAN, etc.

                      Assigning each user a specific VLAN is not an option, since they don't have manageable switches. I must do this using DHCP, Captive Portal and FreeRADIUS alone.

                      • J
                        JKnott @scilek
                        last edited by Mar 2, 2022, 2:39 PM

                        @scilek

                        It looks like you're creating more problems than you're solving. As for phones, are those personal or company-owned phones? If company, then you have the situation where the owner (company) can create users that don't have full rights. At least that's the case with Android. Also, you might consider only letting personal phones on a guest Wi-Fi, with company phones connecting to the main LAN by logging into the domain controller. Both Android and iPhone support that.

                        Again, your idea of using static ARP will accomplish nothing.


                        • J
                          JKnott @scilek
                          last edited by Mar 2, 2022, 2:40 PM

                          @scilek said in Am I getting "Static ARP" wrong?:

                          since they don't have manageable switches

                          WTF?

                          What sort of business doesn't have a managed switch? Even home users can have them, as they're so cheap. Avoid TP-Link though.
