ARPwatch flip-flops on WAN interface

deanfourie

So arpwatch is reporting flip-flops on the WAN interface, changing MACs.

This is a little strange as there is NOTHING other then pfSense connected to the WAN router or upstream router.

What can I do to troubleshoot this?

Thanks

stephenw10

Which IP is shown as changing, the WAN address or the gateway? Or something else?

deanfourie

@stephenw10 The pfSense WAN interface.

johnpoz

@deanfourie your saying the mac address of your own physical interface is changing?

stephenw10

Or something else is using WAN IP. Though if that were the case I'd expect to see log entries complaining about it in the main system log.

Steve

deanfourie

@stephenw10 yes, that's what Arpwatch is reporting.

It's actually the IP address of the upstream gateway changing, not pfSense which in my case is a Huawawei 4G router.

            hostname: <unknown>
          ip address: 192.168.1.1
    ethernet address: 82:49:99:43:53:92
     ethernet vendor: <unknown>
old ethernet address: cc:e8:ac:92:53:43
old ethernet vendor: <unknown>
           timestamp: Thursday, February 23, 2023 8:27:41 +0000
  previous timestamp: Thursday, February 23, 2023 8:27:28 +0000
               delta: 13 seconds

stephenw10

Your WAN IP address is 192.168.1.1? Not the gateway? That's unlikely.

deanfourie

@stephenw10 no, my WAN upstream gateway.

deanfourie

@deanfourie I have a 4G router which is my incoming internet connect to pfSense via ethernet which is setup as a WAN upstream gateway. Public IP address is on the 4G router, pfSense obtains a private IP address as its WAN address from the 4G router.

johnpoz

@deanfourie so your 4g device which is at 192.168.1.1, and pfsense gets some IP 192.168.1.X (not 1) and .1 mac address changes. or there is something else on this same network.

You have a cable that plugs from this device to pfsense wan? There is no switch between with other devices, or switch ports on this device your plugging pfsense into.

If there are multiple devices that say their IP is 192.168.1.1 - ie your seeing 2 macs for this same IP. Not sure what pfsense is suppose to do about it. Pfsense is just reporting that the mac for this IP is changing..

That 82:49 mac I can not find what maker that is.. that cc:e8 mac shows as..

Company
    SOYEA Technology Co.,Ltd.
Address
    hangzhou zhejiang 310007
    Jiaogong Rd.No.1
    CHINA
Range
    CC:E8:AC:00:00:00 - CC:E8:AC:FF:FF:FF
Type
    IEEE MA-L 

deanfourie

@johnpoz yes this is an isolated network, no switch in between and no way someone could connect on the 1 network unless they physically plugged into the 4g router and set a static IP of 1.1.

This is strange

johnpoz

@deanfourie so it has more ports.. Does it have wifi.. What is the specific make and model of this device?

If it has multiple lan switch ports - did you try plugging into a different port.

stephenw10

Run a packet capture, see if you can get any traffic from the alternative MAC to find out what it is.

If the 4G router is doing any sort of bridging it might have more than one MAC.

deanfourie

@stephenw10 yea the WAN 4G router should no be doing any bridging as it is not in bridged mode.

I'll run a cap next time, I might have actually grabbed a cap I'll check