Netgate Discussion Forum

    Who's ARPing my Camera?

    DHCP and DNS
    • T
      TheWaterbug
      last edited by

      I have a Blue Iris server box behind a port forward (port 81 only) from my pfsense 2.60 appliance, on a "things" subnet of my segmented network, along with my IP cameras, smart TVs, etc. All cameras have DHCP reservations:


      One camera in particular, TrailDown (MAC 9c:8e:cd:2a:5f:4c, reserved at 192.168.1.51), keeps disappearing from the BI feed, and there are messages in the BI server's logs of Changed to IP 192.168.1.251 and then Changed to IP 192.168.1.51


      I checked the pfsense logs, and I see repeated messages of

      Oct 30 00:09:19 kernel arp: 192.168.1.251 moved from 9c:8e:cd:2f:d8:11 to 9c:8e:cd:2a:5f:4c on igc1


      I never see log entries ARPing 192.168.1.51.

      Those other MAC addresses, 9c:8e:cd:2f:d8:11 and a0:bd:1d:c4:64:2d, are/were all cameras on the same subnet, some of which are active on other reserved IPs and some of which were removed from the network ages ago.

      Is there any way to tell from within pfsense who/what is ARPing this camera to a different address?

      Curiously, the camera interface itself has an option to allow/disallow ARP assignment, and it's disabled:

      Yes, I know I can probably fix this by assigning a true static address at the camera itself, but I'd like to find out what's on my network doing this unwanted behavior!

      • johnpozJ
        johnpoz LAYER 8 Global Moderator @TheWaterbug
        last edited by johnpoz

        @TheWaterbug nothing's arping your camera - that is the mac of 192.168.1.251 changed.. Most likely you have a duplicate IP address.

        https://docs.netgate.com/pfsense/en/latest/troubleshooting/logs-arp-moved.html#troubleshooting-arp-move-log-messages

        What are these devices showing mac ending d8:11 or fd:87? I take it other cameras.

        If they were removed, had you set up a reservation for them? Or they are still on with that same IP address.. What that log entry is saying is, hey, had this mac for this IP, and now seeing that IP on a different mac. Normally this is because you have a duplicate IP on the network, where 2 devices are trying to use the same IP.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • T
          TheWaterbug @johnpoz
          last edited by TheWaterbug

          @johnpoz said in Who's ARPing my Camera?:

          @TheWaterbug nothing's arping your camera - that is the mac of 192.168.1.251 changed.. Most likely you have a duplicate IP address.
          What that log entry is saying is, hey, had this mac for this IP, and now seeing that IP on a different mac. Normally this is because you have a duplicate IP on the network, where 2 devices are trying to use the same IP.

          Thanks! So some other device is claiming to be 192.168.1.51? Or .251?

          I don't have any reservations for 192.168.1.251, but I'm seeing a lot of messages in the log with 192.168.1.251 moved from 1 of 12 different MACs to another of this same set of 12 MACs.

          I've checked my DHCP server reservations, and there is no other device assigned to that address.

          I did check 30 days' worth of logs, and I found 12 different MACs being assigned to 192.168.1.251, and 11 of those MACs had non-conflicting reservations for different IPs on this same subnet, and all 10 of those devices are cameras that are working properly. The 11th is a camera that I'm no longer using, and it's unplugged.


          The 12th is where I did find one conflict, where I had two MACs with the same reserved IP of 192.168.1.50, which I didn't think was possible, and one of those devices is also unplugged.

          I've deleted the duplicate reservation, but I'm still at a loss as to what's happening.

          I sincerely appreciate the help!

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @TheWaterbug
            last edited by johnpoz

            @TheWaterbug all those 9c:8e:cd are Amcrest, so cameras - you have an nvr maybe?

            a0:bd:1d are Zhejiang Dahua Technology Co., Ltd., and Dahua is a known camera maker; some other makers rebrand their stuff, etc.

            and 00:1f:54 is Lorex, another camera maker.. I have some of those myself

            Do you have multiple dhcp servers running where client gets IP .X and then gets different lease another time from different dhcp server, and now it gets .Y and these keep moving back and forth and you get conflicts where pfsense sees ip .X on mac A, and then on mac B..

            What sort of nvr do you have and how do you have it connected? For example my Lorex nvr poe ports, the nvr hands out its own IPs.. This IP range doesn't conflict with my normal lan.. And that L2 behind the nvr should be isolated from the rest of your network, etc. but depending on how you wired it up you have a connection between your normal lan l2 where pfsense gives out IPs, and maybe where your nvr is giving out IPs.. And you for some reason have the same IP range on both so IP is changing macs - but that L2 should be isolated from your network, and really should be on its own IP scheme.. Oh, you're running Blue Iris.. I know that is nvr software, but not sure if it can run its own dhcp server? Been many many years since I played with it..

            • T
              TheWaterbug @johnpoz
              last edited by

              @johnpoz

              Yeah, my cameras are generally a mix of Dahua, Amcrest, and Lorex, plus a few Reolink and Wyze cams.

              All the MACs that are getting reassigned are Amcrest and Lorex.

              The BI computer is just a vanilla Dell PC running Win10/64, with no DHCP server. The DHCP server is running on pfsense. I don't think I have anything else on the network that could possibly be doling out IP addresses.

              • JonathanLeeJ
                JonathanLee
                last edited by

                I had the most epic camera, it was a Zosi camera with wifi hard wire, plus a hidden sd card if the system went down. It had humanoid detection, it had it all, smart phone app. No monthly service. Long story short, I had to return it, too good to be true. On the firewall it was sending all the data to a cloud server in China, it was for a different region. I had to send it back. They no longer sell that model on Amazon. I loved the capabilities, however it was just sending everything 24/7 overseas. Have you run Pcap files on the devices in question? Something is requesting its address, might be your smartphone application accessing it even.

                Make sure to upvote

                • T
                  TheWaterbug @JonathanLee
                  last edited by

                  @JonathanLee said in Who's ARPing my Camera?:

                  I had the most epic camera, it was a Zosi camera with wifi hard wire, plus a hidden sd card if the system went down. It had humanoid detection, it had it all, smart phone app. No monthly service. Long story short, I had to return it, too good to be true. On the firewall it was sending all the data to a cloud server in China, it was for a different region. I had to send it back. They no longer sell that model on Amazon. I loved the capabilities, however it was just sending everything 24/7 overseas. Have you run Pcap files on the devices in question? Something is requesting its address, might be your smartphone application accessing it even.

                  It turns out that it's a known behavior of some Amcrest/Dahua/Lorex cameras to boot up and send out traffic from 192.168.1.251 before they request a DHCP address. Then they request DHCP and go back to where they're supposed to be.

                  This explains why I've gotten a dozen different MACs showing up at .251, but none of them are Reolinks or any brands other than Amcrest/Dahua/Lorex, and why they all spontaneously resolve themselves.

                  I'm going to assign true static IPs to a handful of them and see if that mitigates the issue.

                  So the actual problem of my .51 dropping out from BI might be just one camera being on its last legs, and the .251 "problem" might be a complete red herring. But at least I learned something!

                  1 Reply Last reply Reply Quote 0
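The log review described in the posts above, as an added example (not part of the original thread and not pfSense code): it parses `arp: ... moved from ... to ...` lines, collects every MAC seen at each IP, and labels them with the OUI vendors identified in the thread, which is how a pattern like "one IP, many MACs, all the same camera family, all reserved elsewhere" shows up. Only the first log line and the `.51` reservation come from the thread; the other log lines, the `00:1f:54:00:00:01` MAC and the `.52`/`.53` reservations are constructed.

```python
import re
from collections import defaultdict

# Matches the pfSense/FreeBSD kernel message quoted in the thread.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>\d+(?:\.\d+){3}) moved from (?P<old>[0-9a-f:]{17}) "
    r"to (?P<new>[0-9a-f:]{17}) on (?P<iface>\S+)", re.IGNORECASE)

# OUI prefixes and vendors as identified in the thread.
OUI_VENDOR = {"9c:8e:cd": "Amcrest", "a0:bd:1d": "Dahua", "00:1f:54": "Lorex"}

def macs_per_ip(lines):
    """Return {ip: set of MACs} for every 'moved from' event in the log."""
    seen = defaultdict(set)
    for line in lines:
        m = ARP_MOVED.search(line)
        if m:
            seen[m["ip"]].update({m["old"].lower(), m["new"].lower()})
    return dict(seen)

def report(lines, reservations, min_macs=3):
    """Flag IPs claimed by many MACs and show where each MAC is reserved."""
    findings = {}
    for ip, macs in macs_per_ip(lines).items():
        if len(macs) < min_macs:
            continue
        findings[ip] = {
            "vendors": sorted({OUI_VENDOR.get(mac[:8], "unknown") for mac in macs}),
            # MACs reserved at another IP: they only visit this address.
            "reserved_elsewhere": sorted(
                mac for mac in macs if reservations.get(mac, ip) != ip),
            "no_reservation": sorted(mac for mac in macs if mac not in reservations),
        }
    return findings

# First line is from the thread; the other two are constructed.
SAMPLE_LOG = [
    "Oct 30 00:09:19 kernel arp: 192.168.1.251 moved from 9c:8e:cd:2f:d8:11 to 9c:8e:cd:2a:5f:4c on igc1",
    "Oct 30 03:14:02 kernel arp: 192.168.1.251 moved from 9c:8e:cd:2a:5f:4c to a0:bd:1d:c4:64:2d on igc1",
    "Oct 31 11:40:57 kernel arp: 192.168.1.251 moved from a0:bd:1d:c4:64:2d to 00:1f:54:00:00:01 on igc1",
]
# Only the .51 reservation is from the thread; .52 and .53 are constructed.
SAMPLE_RESERVATIONS = {"9c:8e:cd:2a:5f:4c": "192.168.1.51",
                       "9c:8e:cd:2f:d8:11": "192.168.1.52",
                       "a0:bd:1d:c4:64:2d": "192.168.1.53"}

if __name__ == "__main__":
    print(report(SAMPLE_LOG, SAMPLE_RESERVATIONS))
```

An IP whose MACs all belong to one vendor family and all hold reservations elsewhere points to a firmware boot-time default rather than a second host squatting on the address; a MAC under `no_reservation` is the one to trace on the switch.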
                  • T
                    TheWaterbug @JonathanLee
                    last edited by

                    @JonathanLee said in Who's ARPing my Camera?:

                    On the firewall it was sending all the data to a cloud server in China, it was for a different region. I had to send it back. They no longer sell that model on Amazon. I loved the capabilities, however it was just sending everything 24/7 overseas.

                    I manage around this by giving most of my cameras a bogus default router of 192.168.1.254. So even if some outside device were to magically intrude into my network and talk to a camera, the camera can't talk back.

                    • JonathanLeeJ
                      JonathanLee @TheWaterbug
                      last edited by JonathanLee

                      @TheWaterbug I loved that camera; the same technology requires a monthly charge if it doesn’t send data overseas. It was sad but I sent it back with notes and data on what it was doing to Amazon and they no longer sell it for the states. I had to admit most consumers do not have the ability to understand what is going on within a network at that level. Thus it was up to me to communicate the issues surrounding it.

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.