Netgate Discussion Forum

    ARP behavior

    General pfSense Questions
      uuette

      Hi all,

      I just reinstalled pfSense Plus 25.03-Beta on my Netgate 2100 because of a DHCP spoofing (and possibly more) attack. No other special configuration has been made beyond the GUI wizard, not even MAC spoofing. My ISP (Spectrum) provides me with a single residential WAN.

      A few things caused me to pause when I looked at the ARP table:

      1. I have two WANs listed
      2. My router's MAC address is off by the last digit
      3. My router's MAC address is actually assigned to my ISP's modem

      I reinstalled the software because I thought this was suspicious activity. But is this all normal ARP behavior for pfSense?

      Among other things going forward, I plan to enable DHCP snooping and dynamic ARP inspection on my switch, as well as change my WAN IP address and replace the 2100 with my 4200 appliance.

      Appreciate the community's insight.

      Screenshot from 2025-04-18 16-49-42.png

        stephenw10 Netgate Administrator

        That's all expected behaviour.

        There are two permanent ARP entries, one for each of the 2100's NICs.
        And one dynamic entry for the ISP's gateway upstream.

        There should also be dynamic entries for any LAN side clients you attach.

          uuette @stephenw10

          @stephenw10 I tried to find documentation to understand this behavior but when I couldn't find it I reached out. Thanks for your reply.

            stephenw10 Netgate Administrator

            The ARP table should contain everything that pfSense has talked to that's in a locally connected subnet. So that means anything connected at layer 2 to the WAN or LAN could be there.

            The three things shown in your screenshot are the minimum entries I'd expect. The local WAN and LAN NIC entries are added permanently at boot. The upstream gateway is added as soon as pfSense connects to it to send anything.

              tinfoilmatt @stephenw10

              @stephenw10 said in ARP behavior:

              The ARP table should contain everything that pfSense has talked to that's in a locally connected subnet segment.

                stephenw10 Netgate Administrator

                Ha. Fair. 😉

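An added example, not part of the original thread and not Netgate's code: a Python script that parses FreeBSD `arp -an` output as seen from the pfSense shell, treats the permanent entries as the firewall's own NICs (as described in the replies above), and flags dynamic entries that changed MAC since a saved baseline or that share one MAC. The sample tables, addresses, MACs and interface names are constructed for illustration.

```python
import re
from collections import defaultdict

LINE = re.compile(r"\((?P<ip>[^)]+)\) at (?P<mac>[0-9a-f]{2}(?::[0-9a-f]{2}){5}) "
                  r"on (?P<iface>\S+) (?P<state>permanent|expires in \d+ seconds)")

def parse_arp(text):
    """Map (iface, ip) -> (mac, is_permanent); '(incomplete)' entries are skipped."""
    table = {}
    for line in text.splitlines():
        m = LINE.search(line.lower())
        if m:
            table[(m["iface"], m["ip"])] = (m["mac"], m["state"] == "permanent")
    return table

def review(baseline, current):
    """Return findings for dynamic entries that deviate from the baseline."""
    findings = []
    own_macs = {mac for mac, perm in current.values() if perm}
    by_mac = defaultdict(list)
    for (iface, ip), (mac, perm) in sorted(current.items()):
        if perm:
            continue  # the firewall's own NICs, added at boot
        by_mac[(iface, mac)].append(ip)
        if mac in own_macs:
            findings.append(f"{ip} on {iface} claims the firewall's own MAC {mac}")
        old = baseline.get((iface, ip))
        if old and old[0] != mac:
            findings.append(f"{ip} on {iface} changed MAC {old[0]} -> {mac}")
    for (iface, mac), ips in sorted(by_mac.items()):
        if len(ips) > 1:
            findings.append(f"{mac} on {iface} answers for {', '.join(ips)}")
    return findings

# Constructed baseline: the minimum table (WAN NIC, LAN NIC, upstream gateway).
# The two NIC MACs differ only in the last digit, which is normal.
BASELINE = """\
? (203.0.113.57) at 02:00:5e:00:00:10 on mvneta0 permanent [ethernet]
? (203.0.113.1) at 02:00:5e:aa:bb:01 on mvneta0 expires in 1187 seconds [ethernet]
? (192.168.1.1) at 02:00:5e:00:00:11 on mvneta1 permanent [ethernet]
"""
# Constructed later snapshot: gateway MAC differs, two LAN clients share one MAC.
CURRENT = BASELINE.replace("aa:bb:01", "cc:dd:02") + """\
? (192.168.1.50) at 02:00:5e:12:34:56 on mvneta1 expires in 904 seconds [ethernet]
? (192.168.1.51) at 02:00:5e:12:34:56 on mvneta1 expires in 1100 seconds [ethernet]
"""

if __name__ == "__main__":
    for finding in review(parse_arp(BASELINE), parse_arp(CURRENT)):
        print(finding)
```

A changed gateway MAC can also follow an ISP equipment swap, and one MAC answering for several IPs can be a multi-homed host, so each finding is a prompt to check rather than a verdict.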
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.