pfsense arp who-has requests (broadcast) on LAN constantly seen in tcpdump...
-
Hi,
I am seeing what I think is strange behavior when I do a tcpdump looking at arp traffic.
I see devices on my network asking who has "pfsense.home.arpa" (the hostname for my pfsense netgate box).
Pfsense eventually answers one time, but then devices keep asking again for the same IPs immediately afterwards.
This doesn't look normal to me, but I am not a network engineer. You would think the devices wouldn't constantly ask after pfsense answers?
Confused by this - can somebody let me know if this is correct or if I have a configuration issue on my home network? Looking at the logs, is it that pfsense is ignoring the broadcast and replying to the unicast only??
Thanks,
Dan

11:36:17.341090 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.104, length 46
11:36:18.081948 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.103, length 46
11:36:18.417418 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.100, length 46
11:36:20.460887 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.105, length 46
11:36:21.629099 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.161, length 46
11:36:22.585836 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.101, length 46
11:36:23.095614 ARP, Request who-has pfsense.home.arpa tell 192.168.1.135, length 46
11:36:23.095994 ARP, Reply pfsense.home.arpa is-at xx:yy:zz:12:34:56 (oui Unknown), length 46
11:36:23.371507 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.104, length 46
11:36:24.152657 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.103, length 46
11:36:24.622003 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.100, length 46
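As an added example (not part of the original post), here is a small Python script that parses tcpdump ARP lines in the format quoted above, flags hosts that re-ask for the same IP sooner than a chosen interval (a host honouring its ARP cache should not), and lists requests for which no reply was seen on the wire. The sample capture is the thread's own lines, embedded inline; the 30-second and 0.1-second thresholds are assumptions, not pfSense settings.

```python
import re
from datetime import datetime

# Constructed sample: the ARP lines quoted in the post above, one per line.
CAPTURE = """\
11:36:17.341090 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.104, length 46
11:36:18.081948 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.103, length 46
11:36:18.417418 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.100, length 46
11:36:20.460887 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.105, length 46
11:36:21.629099 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.161, length 46
11:36:22.585836 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.101, length 46
11:36:23.095614 ARP, Request who-has pfsense.home.arpa tell 192.168.1.135, length 46
11:36:23.095994 ARP, Reply pfsense.home.arpa is-at xx:yy:zz:12:34:56 (oui Unknown), length 46
11:36:23.371507 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.104, length 46
11:36:24.152657 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.103, length 46
11:36:24.622003 ARP, Request who-has pfsense.home.arpa (Broadcast) tell 192.168.1.100, length 46
"""

# "(Broadcast)" is optional: tcpdump prints it only when the target hardware address is all FFs.
LINE_RE = re.compile(r"^(?P<ts>[\d:.]+) ARP, (?:Request who-has (?P<target>\S+)(?: \(Broadcast\))?"
                     r" tell (?P<sender>[^,\s]+)|Reply (?P<replier>\S+) is-at (?P<mac>\S+))")

def parse(capture):
    """Turn tcpdump ARP lines into (kind, seconds-of-day, who, what) tuples."""
    events = []
    for m in filter(None, map(LINE_RE.match, capture.splitlines())):
        t = datetime.strptime(m["ts"], "%H:%M:%S.%f")
        secs = t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6
        if m["target"]:
            events.append(("request", secs, m["sender"], m["target"]))
        else:
            events.append(("reply", secs, m["replier"], m["mac"]))
    return events

def chatty_senders(events, min_gap=30.0):
    """Senders that re-ask for the same target within min_gap seconds -> shortest gap seen."""
    last, worst = {}, {}
    for kind, secs, sender, target in events:
        if kind == "request":
            prev = last.get((sender, target))
            if prev is not None and secs - prev < min_gap:
                worst[sender] = min(worst.get(sender, secs - prev), secs - prev)
            last[(sender, target)] = secs
    return worst

def unanswered(events, window=0.1):
    """Senders whose request had no ARP reply on the wire within `window` seconds."""
    replies = [secs for kind, secs, _, _ in events if kind == "reply"]
    return [s for kind, secs, s, _ in events if kind == "request"
            and not any(secs <= r <= secs + window for r in replies)]
```

On this capture three hosts re-ask for the same IP about six seconds apart, and only the 192.168.1.135 request is followed by a visible reply.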
-
That appears to be coming from multiple IPs. Do a packet capture to find the MAC address(es). Are all those coming from the same MAC? Multiple MACs?
When you know the MAC you can determine which device it is.
-
@dan2112 we came across some weirdness with IoT sort of devices in another thread, where some TVs were arping every 2 seconds. My TV was not as bad, but it was doing it every 12 seconds.
Who would of thunk it, but it seems the people that create the software for many of these IoT devices are completely clueless to how things should be done ;) Not only in the security aspect, but just basic networking ;)
If these are IoT devices and you have a lot of them, it's quite possible they're arping all the time, even for stuff they just got an answer for.
You would hope these devices could cache for at least 30 seconds or so the MAC of some IP they want to talk to ;)
edit:
Arp is going to be broadcast, so why do you have some showing broadcast, and that one not? How exactly are you viewing that sniff, is that just tcpdump on pfsense like tcpdump -i igb2 arp
With your interface of course; you could add a -n on the end to not have it resolve names.
edit: as to why some show broadcast and others not.. Not exactly sure - I can duplicate some not showing broadcast, and one showing it - but as you can see they are broadcast to all FFs hmmmm??
But this is prob why - hmm, have to refresh my memory on what the difference is, I don't believe there is any.. But just a difference in the client.. See how the target on the one that lists as broadcast is all FFs, and the other that doesn't show broadcast is all 00s - but it is a broadcast based on the MAC of all FFs
edit:
Ahh ok - But prob related to "ARP Cache Validation".. Could be bad coding on the client? Could be just normal, just validating its cache.. Prob need more traffic and details of the client, etc. But I wouldn't worry too much about that to be honest.. Arp is going to be broadcast.. Ie the all FFs for the MAC..
-
Thanks everyone for the responses.
So if I look into the arp cache on pfsense I do see the mac addresses with timeout values are like this:
Expires in 1197 seconds

Funny thing is that 192.168.1.105 is a UniFi PoE switch, as are some of the others.
I assume pfsense won't answer arps again until it thinks that it should after the timeout expires. Is that true?
Dan
-
@dan2112 no, that is the pfsense cache, so it doesn't need to arp again - but it should answer all the time.. I am not aware off the top of my head of any sort of throttle or security feature that would/should prevent an answer to an arp..
I would prob turn off the name resolution.. Could be some IP resolves to that name, but that is not currently the pfsense IP, so that's why you're not seeing the response? When you don't play with or get into the weeds on something for years and years it's hard to recall exactly all the details.. But not seeing anything in your post that would scream to me - hey this is a problem
If you see an arp for some IP, unless it was actually for the pfsense IP you wouldn't see the response - because the response would be directed to the specific MAC that asked for it and not a broadcast.
And seeing a bunch of arp is not indicative of a problem - it's possible some device is asking for arp every like 2 seconds.. Not sure if pfsense would answer every single one of those, or if maybe there is something that says hey buddy, I just answered you like 2 seconds ago, give it at least X before going to bother answering you again..
It's quite possible there is such a thing - but off the top it's not coming to me, such a mechanism or what its limitations or settings or timeouts might be.
But out of the box pfsense caches in arp for 20 minutes.. You shouldn't see pfsense arping for stuff in its cache until it has expired..
edit: so I took a bit of capture, and see every time something arps for pfsense IP .4.253 it does reply - those other arps are not for pfsense so you wouldn't see the response... But now I am curious exactly what those IPs are and why they are arping for other IPs ;) Off the top of my head I am not sure what specific IPs those are - but that is my psk vlan, and that is where all my lightbulbs and other iot stuff is like my alexas and stuff. And I know I put in some replacement bulbs and might not have reserved specific IPs for them as of yet.
edit: ok 77, 76, 78 etc.. those are my alexas for example - and that .91 is one of my smartplugs I used for my xmas tree.. Which is currently offline.. hehe So yeah alexa keeps looking I take it - should prob go into alexa and disable any smartplugs and such that I don't always use ;)
haha - yeah should prob disable these until I need to use them next xmas..