Updating MAC for a reserved IP problem

johnpoz

@pfpv - look in your arp table.. for the IP..

What does it show?

Make sure you just uncheck static arp in the dhcp settings... And then look at your arp table, does it show an expire time?

You can flush the whole cache with -d -a

[23.09.1-RELEASE][root@sg4860.home.arpa]/root: arp -d -a
10.1.1.128 (10.1.1.128) deleted
10.1.1.129 (10.1.1.129) deleted
10.1.1.1 (10.1.1.1) deleted
192.168.110.110 (192.168.110.110) deleted
192.168.6.101 (192.168.6.101) deleted
192.168.4.76 (192.168.4.76) deleted
192.168.4.77 (192.168.4.77) deleted
192.168.4.78 (192.168.4.78) deleted
192.168.4.79 (192.168.4.79) deleted
192.168.4.72 (192.168.4.72) deleted
192.168.4.201 (192.168.4.201) deleted
192.168.4.73 (192.168.4.73) deleted
192.168.4.203 (192.168.4.203) deleted
192.168.4.71 (192.168.4.71) deleted
192.168.4.65 (192.168.4.65) deleted
192.168.4.61 (192.168.4.61) deleted
192.168.4.62 (192.168.4.62) deleted
192.168.4.63 (192.168.4.63) deleted
192.168.4.217 (192.168.4.217) deleted
192.168.4.57 (192.168.4.57) deleted
192.168.4.89 (192.168.4.89) deleted
192.168.4.58 (192.168.4.58) deleted
192.168.4.59 (192.168.4.59) deleted
192.168.4.53 (192.168.4.53) deleted
192.168.4.214 (192.168.4.214) deleted
192.168.4.55 (192.168.4.55) deleted
192.168.4.80 (192.168.4.80) deleted
192.168.4.209 (192.168.4.209) deleted
192.168.4.81 (192.168.4.81) deleted
192.168.4.49 (192.168.4.49) deleted
192.168.4.50 (192.168.4.50) deleted
192.168.7.10 (192.168.7.10) deleted
192.168.7.5 (192.168.7.5) deleted
192.168.7.99 (192.168.7.99) deleted
192.168.7.3 (192.168.7.3) deleted
192.168.7.98 (192.168.7.98) deleted
192.168.7.97 (192.168.7.97) deleted
192.168.7.96 (192.168.7.96) deleted
192.168.7.95 (192.168.7.95) deleted
192.168.7.94 (192.168.7.94) deleted
192.168.200.10 (192.168.200.10) deleted
192.168.3.10 (192.168.3.10) deleted
192.168.3.99 (192.168.3.99) deleted
192.168.3.32 (192.168.3.32) deleted
192.168.2.203 (192.168.2.203) deleted
192.168.2.200 (192.168.2.200) deleted
192.168.2.13 (192.168.2.13) deleted
192.168.2.2 (192.168.2.2) deleted
192.168.2.3 (192.168.2.3) deleted
192.168.2.198 (192.168.2.198) deleted
192.168.2.4 (192.168.2.4) deleted
192.168.2.221 (192.168.2.221) deleted
192.168.2.50 (192.168.2.50) deleted
209.122.48.1 (209.122.48.1) deleted
192.168.9.99 (192.168.9.99) deleted
192.168.9.98 (192.168.9.98) deleted
192.168.9.100 (192.168.9.100) deleted
192.168.9.10 (192.168.9.10) deleted
[23.09.1-RELEASE][root@sg4860.home.arpa]/root: 

Or you can delete specific IP arp, etc. But I would make sure your not using static arp via dhcp first

pfpv

@johnpoz said in Updating MAC for a reserved IP problem:

Do you want static arp? Do you know what static arp is? Do you have a need/want for them.. Most likely not.. Which is why it default to not using them.. It would be special use case where you would want/need to set those.. If you do not fully understand what they are, I would uncheck doing them..

I explained earlier why I wanted them. So, unknown devices, those with spoofed MACs and manually assigned IPs don't get access to my network.

But I suppose if I want to change NICs I need to disable static ARP. Would it be sufficient to uncheck "Create an ARP Table Static Entry for this MAC & IP Address pair" for the affected clients only and uncheck "Enable Static ARP entries" in the main DHCP server section? I think I tried that. I think I need to flash the ARP cache properly.

johnpoz

@pfpv said in Updating MAC for a reserved IP problem:

those with spoofed MACs and manually assigned IPs don't get access to my network.

taht is not how static arps work.. Did you setup dhcp to deny unknown macs? If not its just going to get an IP out of dhcp pool..

Sure that could prevent someone from using same IP as some other device - but that mostly would cause issues with duplicate IP addresses and break stuff for the other client, etc. and is normally noticed very quickly.. Who is going to be spoofing mac/IP address pairs on your network??

pfpv

@johnpoz, I did setup dhcp to deny unknown macs. But not all my devices are up all the time. And static IPs can be assigned on devices that are not reserved in my pfSense.

As to who is going to spoof MACs. I read that some IP cameras start changing their MACs trying to call home. Hopefully I don't have such cameras. I plan to wire POE cameras outside and I don't want someone unplug my camera and plug in their device instead. And last, my kids may learn how to spoof MACs in order to go around the restrictions, unlikely though.

But it's not the point. This is a good security system. I worked for a few universities and they did just that. If you want to plug a new device, give its MAC to the sysadmins. Otherwise, no access to the network. The system works in my case and the geek in me wants to use it even if I don't probably really need it.

pfpv

@johnpoz said in Updating MAC for a reserved IP problem:

Make sure you just uncheck static arp in the dhcp settings... And then look at your arp table, does it show an expire time?

It's strange. I haven't unchecked anything yet but many entries in the ARP table show "Expires in xxxx seconds" where xxxx is 1200 maximum and below. Some show "Permanent". I don't see any correlation why some would be expiring and some permanent. All should be permanent. Is there any explanation to this?

And thank you for explaining how to flush the ARP cache.

johnpoz

@pfpv said in Updating MAC for a reserved IP problem:

I read that some IP cameras start changing their MACs trying to call home.

Yeah I find that highly highly unlikely.. And would be pointless if you have your cameras on their own isolated vlan anyway, which would be best practice.. They could change their mac addresses all day long, or their ips.. not going to do them any good.

You know who does change their macs all the time - your freaking phone ;) You know protect your privacy ;)

johnpoz

@pfpv said in Updating MAC for a reserved IP problem:

I don't see any correlation why some would be expiring and some permanent.

there was a thread a while back - there is something not right with statics.. They change to dynamic or you see crazy long numbers for the expire time.. I do believe there is a redmine on it..

Thats why I had mine set as static, that was from when playing with it.. But look here 9.10 is still set to static but its currently showing as dynamic

then if I go into the reservation and hit save it goes to perm, but then expires, then perm.. And prob go to dynamic here after a while..

Let me see if I can dig up that redmine

There was a patch even at some point, but not sure if that fixed it, or then later there was a regression.. I would use static to be honest, and if you really need them, I would set them directly via arp command..

edit: here is the thread I was remembering
https://forum.netgate.com/topic/184155/static-arp-in-dhcp-overwritten

In that thread there is a link to a redmine, etc.

pfpv

@johnpoz said in Updating MAC for a reserved IP problem:

Yeah I find that highly highly unlikely.. And would be pointless if you have your cameras on their own isolated vlan anyway, which would be best practice.. They could change their mac addresses all day long, or their ips.. not going to do them any good.

https://ipcamtalk.com/threads/wifi-cameras-changing-mac-id.55347/
https://www.reddit.com/r/wyzecam/comments/gmvuc4/cameras_change_their_mac_addresses/
https://www.reddit.com/r/Ring/comments/z1uyq7/ring_stickup_elite_uses_random_mac_address/
And it doesn't seems to be intentional like in phones for "privacy". Some people think this was done in order to go around restrictions and phone home. Maybe one day I will move my cameras to a separate VLAN and block its access to the internet.

You know who does change their macs all the time - your freaking phone ;) You know protect your privacy ;)

Yes, all phones are set to use device MAC.

pfpv

@johnpoz said in Updating MAC for a reserved IP problem:

In that thread there is a link to a redmine, etc.

Thanks. I have a feeling that problem may have something to do with my struggle. The complaint is that static ARP entries become non-static but I think they continue to be static. If you reread my OP I tried everything when changing a NIC. I updated the MAC in the static mapping. I disabled static ARP, I deleted the ARP cache entry for the old NIC. I rebooted pfSense. The old MAC was nowhere in the system, yet the new card didn't get the old IP but the old one did.

The issue in that redmine never affected me. I didn't even know it was there. WOL always worked, devices were always getting the IPs they were mapped to.

I can only wait for 2.8.0 release. I moved from 23.09.1 to 2.7.2.

johnpoz

@pfpv said in Updating MAC for a reserved IP problem:

Some people think this was done in order to go around restrictions and phone home

And some people think the black helicopters hover outside their window at night as well ;) Don't mean they are ;) That 2nd thread looks like a specific issue with wyze.. And how they allocate the mac address to the device, etc.. It is not to get around "restrictions" ;)

Your 3rd link wouldn't load.

If your tinfoil hat is causing you to think that, then again put them on their own vlan and who cares what mac address they use, who cares if it changes every 2 hours, etc..

The whole concept of firerwall rules based on specific IP address and even mac filtering is on its way out.. With IPv6 and devices using temp addresses that they just pretty much just randomly create and change for outbound connections, even if you hand them a specific IP.. Makes specific firewall rules by IP pretty impossible to implement.. You also have all these devices that change macs, my phone does it (even though I have said to use devices mac) and my new apple watch has caused me grief sometimes when I notice some odd mac on my wifi network.. Trying to tack down a wifi device with an odd mac is hard, then I check my watch and its using private mac again, even though I told it not too... It think it reverts back on os update, etc.. I will check when the new watch os drops here pretty soon..

So with these sorts of shifts in tech, and how IPv6 is designed to work - your going to need to filter by network, vs allow this IP, but block that IP, etc.

Now segmenting your home network isn't just for fun any more ;)

pfpv

@johnpoz, thanks for the advice. I wasn't looking into the future (which is already now) with IPv6 like you did. And I will look into segmenting my network. For me MACs are still something hardcoded like it was a few years ago before phones started changing them and others followed. By the way, our Android phones never changed MACs once set to device MAC even after major updates. Sounds like Apple is being Apple.

Anyway, features related to static ARP and IP should work properly or should be removed from pfSense. In a few days I will do the dance of changing NICs again and will document better what will go on. I expect the same problems.

johnpoz

@pfpv said in Updating MAC for a reserved IP problem:

Sounds like Apple is being Apple.

Yeah - they just looking out for us you know ;) hehehe /s

features related to static ARP and IP should work properly

Completely agree.. there is something going on with it still.. That is clear.. I don't really have any need of them - so no horse in the race, or dog in the hunt if you will for me.. But yeah it should work..

If I did have need/want for it - I would prob just set the static with arp directly currently and not play around with the static arp in the dhcp stuff. But now that I think about.. There are really two places.. There is setting at the server setting to allow/enable them - and then there is the setting at the reservation.. I wonder if there is something going on related.. That if you don't have that set to use static arp everywhere that the setting on the specific reservation has problems?