Netgate Discussion Forum

Question about static ARP or static NDP

Firewalling
13 Posts 3 Posters 710 Views

    Evolve 0, Dec 11, 2022, 12:38 PM (edited 12:47 PM)

    Let’s assume that the option “Enable Static ARP entries” is unchecked in the DHCP server options and that neither DHCP nor DHCPv6 services are used to assign IPv4 or IPv6 addresses.

    Let’s also assume that a static ARP entry or a static NDP entry for a specific IPv4 or IPv6 address and MAC address combination is set on the pfSense firewall.

    If a host has statically set the same specific IPv4 or IPv6 address on his/her PC interface, which has a different MAC address than the one set in the firewall’s static ARP/NDP entries, and he/she sends a packet to the firewall’s IPv4 or IPv6 address, does the firewall reject the packet because of the mismatch between the IPv4 or IPv6 address and the MAC address?

    In other words, does the firewall always inspect the Ethernet frame’s source MAC address when receiving a packet from an IP address that has a static mapping in the ARP table or in the NDP table, to check whether the source MAC address is the same as the one set in the ARP or NDP table?

    Thanks a lot for any clarification.

      JKnott @Evolve 0, Dec 11, 2022, 1:04 PM

      @evolve-0 said in Question about static ARP or static NDP:

      Let’s assume that the option “Enable Static ARP entries” is unchecked in the DHCP server options and that neither DHCP nor DHCPv6 services are used to assign IPv4 or IPv6 addresses.
      Let’s also assume that a static ARP entry or a static NDP entry for a specific IPv4 or IPv6 address and MAC address combination is set on the pfSense firewall.

      How do you have a static ARP, if you don't enable it?

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

        Evolve 0 @JKnott, Dec 11, 2022, 1:09 PM

        @jknott With the arp -S command (for IPv4) or the ndp -S command (for IPv6)

          JKnott @Evolve 0, Dec 11, 2022, 2:28 PM

          @evolve-0

          Those commands would be done on a computer and have nothing to do with pfSense. It would also be only on that computer and no other. That it might be mapped to a different address on pfSense is irrelevant. The conflict comes when some device does an ARP request for an IP address and more than one device has that address.

            johnpoz LAYER 8 Global Moderator @JKnott, Dec 11, 2022, 2:39 PM

            @jknott said in Question about static ARP or static NDP:

            Those commands would be done on a computer and have nothing to do with pfSense

            Huh?

            What he is asking is if pfSense has 192.168.1.100 and some IPv6 address set to be MAC aa:bb:cc:00:00:01, and some device on his network set the IP 192.168.1.100 but used, say, MAC bb:cc:aa:00:00:02, would pfSense reject the traffic.

            No, it would not reject the traffic, but when it went to send an answer to 192.168.1.100 it would send it to aa:bb:cc:00:00:01.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

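Both points raised so far, the arp/ndp commands Evolve 0 mentions and the behaviour johnpoz describes (frame accepted at L3, reply addressed to the pinned MAC), can be checked on the firewall itself. The script below is an added example written for this page; it is not code from the thread, from pfSense or from FreeBSD. It assumes a root shell on a pfSense (FreeBSD) box, an interface named igb1, and illustrative values 192.168.1.100, fd00:1::100 (an assumed ULA prefix) and aa:bb:cc:00:00:01. Two details a practitioner hits in practice are built in: FreeBSD's ndp(8) documents lowercase -s for registering an entry (arp(8) has both -s and -S), and both arp -an and ndp -an print MAC octets without leading zeros (aa:bb:cc:0:0:1), so the table check normalises MACs before comparing. The sample table dumps at the bottom are constructed, not captured from a real box, so the check runs offline.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense. Assumed values:
IFACE="igb1"                  # pfSense interface the single PC is cabled to
V4_ADDR="192.168.1.100"       # allowed client IPv4 address
V6_ADDR="fd00:1::100"         # allowed client IPv6 address (assumed ULA)
MAC="aa:bb:cc:00:00:01"       # allowed client MAC

# 1. Pin the address/MAC pairs in the firewall's own tables.
#    arp -S first deletes any existing entry for the IP; ndp -s registers a
#    permanent neighbor entry. Entries set this way do not survive a reboot.
set_static_entries() {
    arp -S "$V4_ADDR" "$MAC" &&
    ndp -s "$V6_ADDR" "$MAC"
}

# 2. Generic check over a table dump: is there a *permanent* line binding the
#    address ($2, as printed by the tool) to the MAC ($3)? Field positions of
#    address, MAC and expiry differ between arp -an and ndp -an, so the two
#    wrappers below pass them in. norm() pads octets and lowercases, because
#    FreeBSD prints aa:bb:cc:0:0:1 for aa:bb:cc:00:00:01.
table_has_pinned() {
    printf '%s\n' "$1" | awk -v ip="$2" -v mac="$3" -v fi="$4" -v fm="$5" -v fs="$6" '
        function norm(m,  n, i, a, o, out) {
            n = split(tolower(m), a, ":")
            out = ""
            for (i = 1; i <= n; i++) {
                o = a[i]
                if (length(o) == 1) o = "0" o
                out = out (i > 1 ? ":" : "") o
            }
            return out
        }
        $fi == ip && $fs == "permanent" && norm($fm) == norm(mac) { found = 1 }
        END { exit (found ? 0 : 1) }
    '
}

# arp -an line: ? (192.168.1.100) at aa:bb:cc:0:0:1 on igb1 permanent [ethernet]
arp_is_pinned() { table_has_pinned "$1" "($2)" "$3" 2 4 7; }

# ndp -an line: fd00:1::100   aa:bb:cc:0:0:1   igb1 permanent R   (header row never matches)
ndp_is_pinned() { table_has_pinned "$1" "$2" "$3" 1 2 4; }

# 3. Watch the wire with link-layer headers (-e) while the spoofing host pings
#    the firewall. Its echo requests carry its own source MAC and are still
#    accepted (the rules are L3), but the echo replies must show destination
#    MAC $MAC, not the spoofer's, which is what the thread predicts.
observe_replies() {
    tcpdump -eni "$IFACE" "host $V4_ADDR or host $V6_ADDR"
}

# Constructed sample output (not from a real box) so the check runs offline.
# Live use would be: arp_is_pinned "$(arp -an)" "$V4_ADDR" "$MAC"
SAMPLE_ARP='? (192.168.1.1) at 0:8:a2:11:22:33 on igb1 permanent [ethernet]
? (192.168.1.100) at aa:bb:cc:0:0:1 on igb1 permanent [ethernet]
? (192.168.1.50) at bb:cc:aa:0:0:2 on igb1 expires in 1186 seconds [ethernet]'
SAMPLE_NDP='Neighbor                 Linklayer Address  Netif Expire    S Flags
fd00:1::100              aa:bb:cc:0:0:1      igb1 permanent R
fe80::1%igb1             0:8:a2:11:22:33     igb1 permanent R'

if arp_is_pinned "$SAMPLE_ARP" "$V4_ADDR" "$MAC"; then
    echo "ARP: $V4_ADDR is permanently bound to $MAC"
else
    echo "ARP: $V4_ADDR is NOT pinned to $MAC"
fi
if ndp_is_pinned "$SAMPLE_NDP" "$V6_ADDR" "$MAC"; then
    echo "NDP: $V6_ADDR is permanently bound to $MAC"
else
    echo "NDP: $V6_ADDR is NOT pinned to $MAC"
fi
# The spoofer's MAC from the thread is not what the table holds:
if arp_is_pinned "$SAMPLE_ARP" "$V4_ADDR" "bb:cc:aa:00:00:02"; then
    echo "unexpected: spoofer MAC is pinned"
else
    echo "ARP: $V4_ADDR is not bound to bb:cc:aa:00:00:02, replies will not reach it"
fi
```

Run set_static_entries once, confirm with the two checks against live `arp -an` / `ndp -an` output, then leave observe_replies running while a host with the right IP but the wrong MAC pings the firewall: the requests are answered, but every reply frame is addressed to aa:bb:cc:00:00:01, so the spoofer only sees them if it is sniffing promiscuously on the same segment, which is the corner case Evolve 0 raises later in the thread. Entries made from the shell are gone after a reboot; pfSense's GUI covers only the IPv4 side (the "ARP Table Static Entry" option on DHCP static mappings quoted below), so the ndp -s line has to be re-applied at boot by some other means, for instance the shellcmd package, which is my suggestion rather than anything the thread recommends.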
              Evolve 0 @johnpoz, Dec 11, 2022, 2:54 PM

              @johnpoz Thanks again.

              That was exactly what I wanted to know.

              Unfortunately not the answer I was hoping for, that is I hoped that the firewall rejected the packets in that scenario.

              What gave me hopes was the fact that, even if related to DHCPv4 server, at Services — DHCPv4 Server | pfSense Documentation (netgate.com), about “ARP Table Static Entry” in the static mappings section, it states “If this option is used rather than using the global static ARP option, it does not prevent that MAC address from using other IP addresses, it only prevents other MAC addresses from using this IP address. In other words, it prevents another machine from using that IP to reach the firewall, but it doesn’t stop the user from changing their own IP address to something different.”

              May I kindly ask you if your answer is based on some tests you’ve performed or on pure reasoning?

              Thanks a lot

                johnpoz LAYER 8 Global Moderator @Evolve 0, Dec 11, 2022, 3:05 PM

                @evolve-0 there is nothing in the firewall that checks the MAC; it's an L3 firewall. Why would it look at the source MAC? Captive portal uses the MAC, and you could filter it with that.

                But when pfSense went to send a reply it would send it to the MAC it has for that IP. So the forger guy wouldn't get an answer, so he cannot actually talk to pfSense and hope to get a reply.

                But sure would be simple enough to test..

                What exactly are you looking to prevent - someone changing their IP to get around your firewall rules? If they are smart enough to do that - what would stop them from changing the mac as well?

                  Evolve 0 @johnpoz, Dec 11, 2022, 3:19 PM (edited 3:25 PM)

                  @johnpoz Thanks.

                  Yes, I was trying to prevent exactly that.

                  I know perfectly well that anyone could change the MAC to bypass the static ARP entry, and I also know that 802.1X is the way to go for “real” port security.

                  That was just a naive step to give a little more security to a single pfSense port used by only one PC at a time, assuming I protect the allowed MAC address from being revealed as best I can.

                  Since the PC would be connected directly to one of the pfSense ports without a switch in between (that is, a maximum of one client allowed in the subnet), I was afraid that, even if the reply from pfSense were sent to another MAC address, the host trying to bypass the firewall rule could somehow read the reply, with a modified L2 interface stack that wouldn’t drop the packet.

                    johnpoz LAYER 8 Global Moderator @Evolve 0, Dec 11, 2022, 3:29 PM

                    @evolve-0 if he is directly connected to pfSense, why would he have to do any sort of stack manipulation? He is the only device on that port; he could just change his IP and MAC to whatever pfSense thinks is supposed to be allowed.

                    This seems like a pretty out there scenario for what could happen in the real world ;) Why would this bad actor even have access to the pfsense port for example ;)

                      Evolve 0 @johnpoz, Dec 11, 2022, 3:35 PM

                      @johnpoz Yes, but guessing the right MAC/IP combination is not so easy, especially for IPv6.

                      About having access to the pfSense port, I totally agree.

                        Evolve 0 @johnpoz, Dec 11, 2022, 3:53 PM

                        @johnpoz Anyway, I thank you again a lot for your help.

                        As soon as I receive my Netgate device I will make the relevant tests and post the results so that others can benefit from that... Assuming there is someone 😁

                          JKnott @johnpoz, Dec 11, 2022, 7:57 PM

                          @johnpoz said in Question about static ARP or static NDP:

                          Huh?

                          Where was he trying to do static ARP? While that would work on the command line, why bother when it could be done in the GUI? So, I assumed he meant on another computer.

                          No it would not reject the traffic but when it went to send an answer to 192.168.1.100 it would send it to aa:bb:cc:00:00:01

                          When what sent an answer? Why did he say at one point that he didn't enable static ARP, but later said "if receiving a packet from an IP address that has a static mapping in the ARP table or in the NDP table"? Did he set static ARP in pfSense or not?

                            johnpoz LAYER 8 Global Moderator @JKnott, Dec 11, 2022, 11:54 PM

                            @jknott said in Question about static ARP or static NDP:

                            why bother when it could be done in the GUI?

                             there is another thread where he asked how to do it for IPv6, which you cannot do in the GUI. But yes, you can set it via ndp just like you can with arp.

                             I think he is out there with his security concerns, but the question was valid originally: how to set a static "arp" for IPv6 on pfSense. Look at his previous posts, etc. It is pretty much exactly how you do it for IPv4, just with the ndp command vs the arp command.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.