Arp probe
-
Need some advice, we are running pfSense (2.6) virtualized in a VMWare environment.
Currently we have a WAN address by DHCP, we are about to change this to a static address instead.
I have been given our new ip configuration from our ISP but when entering this information for the WAN interface I get no internet connection at all.
I reported this and said that there must be something wrong with the information they sent to me.
They came back to me stating that the problem was on my side. They claimed that our equipment did not allow ARP probe packages?
Never heard of this before? What is this?
Thanks in advance for any advice on this.
/Mappe
-
@mappe An arp probe is just really an arp with the sender's IP set to all zeros. I am not aware of pfsense not answering those..
Here I just did a Probe from one of my clients on one of my vlans.. There should be no reason wan wouldn't do the same, I could do it from my wan, but take a bit of manipulation to put a box on my "wan" network..
But as you can see I send an arp probe from box on my vlan to the pfsense interface IP..
root@NewUC:/home/user# arping -D 192.168.2.253
ARPING 192.168.2.253 from 0.0.0.0 ens3
Unicast reply from 192.168.2.253 [00:08:A2:0C:E6:20] 1.408ms
Sent 1 probes (1 broadcast(s))
Received 1 response(s)
root@NewUC:/home/user#
And it answers - see the sniff
The arp probe has no sender IP set, it's all zeros - but the device with that IP (pfsense in my case) answers that hey I have that IP back to the requesting mac, and target address IP set to all zeros as well..
Firewalls don't normally do filtering of arp.. Sometime later I could put a box on my wan layer 2, I run it through my switch for exactly this sort of thing (always nice to have access at layer 2 to any network for testing). So my wan from modem runs through my switch so I can access this outside pfsense, for sniffing say via a span port or this sort of thing.
But I am not aware of pfsense doing anything that would prevent an arp probe.
-
FWIW,
Background
If I look at a traffic graph for the WAN, there is a constant "chatter" from the ISP. So I packet captured the WAN and there is a constant ARP chatter from a Cisco switch at the ISP end that is sending the broadcasts across several subnets. I told them it doesn't need to do this. Provides no value to their customers.
ARP is link scoped and as such should not be "seen" for other of their subnets.
So for example I see these requests packets from their switch (likely as an L2 Cisco) for every IP, in every subnet they have.
x.x.240.x
x.x.241.x
etc.
From the Cisco side they likely have all their subnets in a VLAN or with overlapping addresses, or most likely transparent, and therefore it is sending ARPs to everything in their range. The Cisco also provides "ways to filter or block ARP requests" when in this mode, and they likely haven't done that part.
It accounts for about 4-5k/second of flow in that will of course never see the LAN side at my end. On the WAN side the Netgate only actually answers their call when the who-has request matches the wan address I have. All the other requests do nothing.
My IP is actually in their x.x.240.x subnet, and the requests for the packet example above is from 244.1 and asking who has x.x.247.76.
ARP within my network, should not and of course does not go to them - ie "link scoped" (by default and definition of the protocol)
end background
"They claimed that our equipment did not allow ARP probe packages?"
your WAN interface will most certainly reply to the ARP request if they are requesting it "who-has", but they can't probe inside your LAN. So what are they talking about
you might want to confirm
"said that there must be something wrong with the information they sent to me"
that everyone is on the same page regarding the static address/mask/gateway etc.
if you look at your diagnostics->arp table
you see your lan (all your devices)
and two WAN entries ( one for your static IP and one for the Gateway address.)
do those match what they have provided ?
-
the Cisco also provides "ways to filter or block ARP requests" when in this mode, and they likely haven't done that part.
Yeah my isp is lacking in the same way... See lots of arp traffic that shouldn't be seeing.. They are running multiple layer 3 on the same layer 2 for sure..
So I capture 100 arps in less than a second
09:24:01.468392
09:24:01.617920
So that is what 149 ms...
edit: btw just looked out the 100 arps, not 1 was in my actual subnet..
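As an added example that is not from the thread or from pfSense itself, here is a small Python model of the two points above: what an ARP probe looks like on the wire (a request with sender IP 0.0.0.0, as arping -D sends), how a host answers it for its own IP with target IP 0.0.0.0, and how to bucket captured who-has traffic by whether it is for the WAN address, inside the WAN subnet, or for some other subnet. All MACs, addresses and the sample capture are constructed assumptions.

```python
import ipaddress
import struct

ARP_REQUEST, ARP_REPLY = 1, 2
ARP_FMT = "!HHBBH6s4s6s4s"  # htype, ptype, hlen, plen, op, sender mac/ip, target mac/ip

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Return the 28-byte ARP body for Ethernet/IPv4 (htype 1, ptype 0x0800)."""
    macs = [bytes.fromhex(m.replace(":", "")) for m in (sender_mac, target_mac)]
    ips = [ipaddress.IPv4Address(a).packed for a in (sender_ip, target_ip)]
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op, macs[0], ips[0], macs[1], ips[1])

def parse_arp(body):
    """Decode an ARP body, rejecting anything that is not Ethernet/IPv4 ARP."""
    htype, ptype, hlen, plen, op, smac, sip, tmac, tip = struct.unpack(ARP_FMT, body[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    return {"op": op, "sender_mac": smac.hex(":"), "sender_ip": str(ipaddress.IPv4Address(sip)),
            "target_mac": tmac.hex(":"), "target_ip": str(ipaddress.IPv4Address(tip))}

def is_probe(arp):
    """An ARP probe (RFC 5227, what 'arping -D' sends) is a request with sender IP 0.0.0.0."""
    return arp["op"] == ARP_REQUEST and arp["sender_ip"] == "0.0.0.0"

def answer(arp, my_mac, my_ip):
    """Reply a host sends to a request naming its own IP, else None; for a probe the target IP is 0.0.0.0."""
    if arp["op"] != ARP_REQUEST or arp["target_ip"] != my_ip:
        return None
    return build_arp(ARP_REPLY, my_mac, my_ip, arp["sender_mac"], arp["sender_ip"])

def summarize(bodies, my_ip, my_net):
    """Bucket captured ARP requests: for our WAN IP, inside our subnet, or other subnets."""
    net = ipaddress.ip_network(my_net, strict=False)
    stats = {"for_me": 0, "in_subnet": 0, "other_subnet": 0, "probes": 0}
    for arp in map(parse_arp, bodies):
        if arp["op"] != ARP_REQUEST:
            continue
        stats["probes"] += is_probe(arp)
        if arp["target_ip"] == my_ip:
            stats["for_me"] += 1
        elif ipaddress.IPv4Address(arp["target_ip"]) in net:
            stats["in_subnet"] += 1
        else:
            stats["other_subnet"] += 1
    return stats

# Constructed sample capture (assumed values, not real ISP data): one probe for the WAN IP
# plus two who-has requests for a neighbouring subnet, like the cross-subnet chatter described above.
WAN_MAC, WAN_IP, WAN_NET = "02:00:00:00:00:01", "203.0.113.76", "203.0.113.0/24"
CAPTURE = [build_arp(ARP_REQUEST, "02:00:00:00:00:02", "0.0.0.0", "00:00:00:00:00:00", WAN_IP),
           build_arp(ARP_REQUEST, "02:00:00:00:00:03", "198.51.100.1", "00:00:00:00:00:00", "198.51.100.9"),
           build_arp(ARP_REQUEST, "02:00:00:00:00:03", "198.51.100.1", "00:00:00:00:00:00", "198.51.100.10")]
```

Running summarize over a real WAN capture (after decoding the Ethernet header) gives the same kind of "none of these were in my subnet" count the post above describes.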
-
right. but all that said the questions from the OP require some clarification from the ISP involved.
The fact that they would appear to be blaming the "no connection" on the lack of ARP response, just seems odd.
It might be helpful to know if the non-static IP and the new static IP are in the same subnet. (or start with, even the same ISP)
something doesn't add up in the "no internet connection at all." statement and then heading down the ARP path. I mean sure they might disconnect if they don't get an ARP response (if they tie to MAC address, some ISP's do this)
Log files?
type of connection?
Does the device (modem or whatever) show linked?
Address/Mask/Gateway all correct? etc.
What is in the Gateway log?
"They claimed that our equipment did not allow ARP probe packages"
most likely implies that the configuration is perhaps wrong. because unless it has been specifically turned off, ARP on the network interface would respond to the who-has request from them, if everything matches.
-
most likely implies that the configuration is perhaps wrong.
Yeah concur, you can always do a sniff while they are sending these "probes" and see if you see them.. and if you answer..
(if they tie to MAC address, some ISP's do this)
Quite possible - but you would think they would have the mac, if the pfsense was just using dhcp before. But sure it's quite possible if they are setting up a static someone fat fingered something.. Be it what IP you're supposed to set, or mask or whatever and or if they are limiting it to specific mac and that info was not done correctly either on their end or you sent them wrong info if they asked for it, etc.
Jumping to you're not answering arp probe would seem to me just a way to get this question out of their queue as fast as possible.
-
@mappe just to be complete. I put one of my pi's on my wan vlan so could send an arp probe to pfsense wan, just like an isp might do..
And it answers the probe for its IP just fine..
-
First of all, thanks for all the input in this matter.
Just to clarify a bit.
The system is currently running just fine, with a DHCP assigned address. But as soon as I switch over to the static IP my ISP has provided me with it stops working.
My first thought about that was that my ISP had sent me wrong information. But they claim their info is correct and I get no connection because of this ARP Probe thing.
If I look in the ARP table as my system is running right now, there are indeed two entries for my WAN, my IP and the gateway.
Why should there be a difference in this matter when running DHCP vs Static address?
Regards
/Mappe
-
@johnpoz I will try to do the same test here, but it takes a bit of work to do.
-
@mappe that would be a good test to validate your setting of the IP to static, answers when asked about that IP.
you could send the sniff to your ISP, and say look here - it answers an arp probe for the IP you gave me.
-