ARP behavior
-
Hi all,
I just reinstalled pfSense Plus 25.03-Beta on my Netgate 2100 because of a DHCP spoofing (and possibly more) attack. No other special configuration has been made beyond the GUI wizard, not even MAC spoofing. My ISP (Spectrum) provides me with a single residential WAN.
A few things caused me to pause when I looked at the ARP table:
- I have two WANs listed
- My router's MAC address is off by the last digit
- My router's MAC address is actually assigned to my ISP's modem
I reinstalled the software because I thought this was suspicious activity. But is this all normal ARP behavior for pfSense?
Among other things going forward, I plan to enable DHCP snooping and dynamic ARP inspection on my switch, as well as change my WAN IP address and replace the 2100 with my 4200 appliance.
Appreciate the community's insight.
-
That's all expected behaviour.
There are two permanent ARP entries, one for each of the 2100's NICs.
And one dynamic entry for the ISP's gateway upstream. There should also be dynamic entries for any LAN side clients you attach.
-
@stephenw10 I tried to find documentation to understand this behavior but when I couldn't find it I reached out. Thanks for your reply.
-
The ARP table should contain everything that pfSense has talked to that's in a locally connected subnet. So that means anything connected at layer 2 to the WAN or LAN could be there.
The three things shown in your screenshot are the minimum entries I'd expect. The local WAN and LAN NIC entries are added permanently at boot. The upstream gateway is added as soon as pfSense connects to it to send anything.
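As an added example (not code from the thread or from Netgate), here is a small parser for FreeBSD-style `arp -an` output as pfSense prints it, which sorts the table into the permanent local-NIC entries and the dynamic learned entries described above, and then compares two snapshots to flag an IP whose MAC changed or a MAC answering for several IPs on one interface. The interface names, addresses and MACs in the embedded snapshots are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample of `arp -an` output as seen on pfSense/FreeBSD (not a real capture).
# Two permanent entries (the box's own WAN and LAN NICs), one dynamic entry for the
# upstream gateway, one LAN client, and one incomplete entry that never resolved.
SNAPSHOT_1 = """\
? (203.0.113.45) at 00:08:a2:0c:11:01 on mvneta0 permanent [ethernet]
? (192.168.1.1) at 00:08:a2:0c:11:02 on mvneta1 permanent [ethernet]
? (203.0.113.1) at 00:17:10:aa:bb:cc on mvneta0 expires in 1180 seconds [ethernet]
? (192.168.1.20) at 3c:22:fb:10:20:30 on mvneta1 expires in 900 seconds [ethernet]
? (192.168.1.99) at (incomplete) on mvneta1 expired [ethernet]
"""

# Constructed later snapshot: the gateway now answers from a different MAC, and one
# LAN MAC now claims two IPs. Both are worth a look; neither is proof of anything.
SNAPSHOT_2 = """\
? (203.0.113.45) at 00:08:a2:0c:11:01 on mvneta0 permanent [ethernet]
? (192.168.1.1) at 00:08:a2:0c:11:02 on mvneta1 permanent [ethernet]
? (203.0.113.1) at 00:17:10:dd:ee:ff on mvneta0 expires in 1195 seconds [ethernet]
? (192.168.1.20) at 3c:22:fb:10:20:30 on mvneta1 expires in 850 seconds [ethernet]
? (192.168.1.21) at 3c:22:fb:10:20:30 on mvneta1 expires in 700 seconds [ethernet]
"""

# One `arp -an` line: "<host> (<ip>) at <mac|(incomplete)> on <iface> <state> [ethernet]"
ARP_LINE = re.compile(
    r"^\S+ \((?P<ip>[^)]+)\) at (?P<mac>\(incomplete\)|[0-9a-f:]{17}) on (?P<iface>\S+) "
    r"(?P<state>permanent|expires in \d+ seconds|expired)"
)


@dataclass(frozen=True)
class ArpEntry:
    ip: str
    mac: Optional[str]  # None when the kernel has no MAC for this IP (incomplete)
    iface: str
    permanent: bool     # True for the firewall's own NIC addresses, added at boot


def parse_arp(text: str) -> List[ArpEntry]:
    """Parse `arp -an` output; lines that do not match the format are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line)
        if not m:
            continue
        mac = None if m["mac"] == "(incomplete)" else m["mac"]
        entries.append(ArpEntry(m["ip"], mac, m["iface"], m["state"] == "permanent"))
    return entries


def classify(entries: List[ArpEntry]) -> Tuple[List[ArpEntry], List[ArpEntry]]:
    """Split into the box's own permanent NIC entries and resolved dynamic neighbours."""
    local = [e for e in entries if e.permanent]
    learned = [e for e in entries if not e.permanent and e.mac is not None]
    return local, learned


def find_changes(old: List[ArpEntry], new: List[ArpEntry]) -> List[str]:
    """Report IPs whose MAC differs between two snapshots on the same interface."""
    old_map = {(e.iface, e.ip): e.mac for e in old if e.mac is not None}
    findings = []
    for e in new:
        if e.mac is None:
            continue
        prev = old_map.get((e.iface, e.ip))
        if prev is not None and prev != e.mac:
            findings.append(f"{e.ip} on {e.iface}: MAC changed {prev} -> {e.mac}")
    return findings


def find_shared_macs(entries: List[ArpEntry]) -> Dict[Tuple[str, str], List[str]]:
    """Map (iface, mac) to the list of IPs it answers for, keeping only MACs with >1 IP."""
    seen: Dict[Tuple[str, str], List[str]] = {}
    for e in entries:
        if e.mac is not None:
            seen.setdefault((e.iface, e.mac), []).append(e.ip)
    return {k: v for k, v in seen.items() if len(v) > 1}


if __name__ == "__main__":
    first, second = parse_arp(SNAPSHOT_1), parse_arp(SNAPSHOT_2)
    local, learned = classify(first)
    print("permanent (own NICs):", [(e.iface, e.ip, e.mac) for e in local])
    print("dynamic (neighbours):", [(e.iface, e.ip, e.mac) for e in learned])
    for f in find_changes(first, second):
        print("changed:", f)
    for (iface, mac), ips in find_shared_macs(second).items():
        print(f"shared: {mac} on {iface} answers for {ips}")
```

On a real box the input would come from `arp -an` run from the pfSense shell; a gateway MAC changing between snapshots, or a MAC claiming several addresses, is a reason to check the upstream device and the switch port rather than a verdict on its own.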
-
@stephenw10 said in ARP behavior:
The ARP table should contain everything that pfSense has talked to that's in a locally connected ~~subnet~~ segment.
-
Ha. Fair.