Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Multiple ARP addresses… Major Problem!

    Scheduled Pinned Locked Moved General pfSense Questions
    4 Posts 2 Posters 1.0k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      kjemison
      last edited by

      Hello,

      I have noticed that on a 60 user network, at random times the workstations (all DHCP assigned by pfsense) will occasionally loose connectivity to the Internet.

      Upon investigation, I have found that the ARP address will change from the installed adapter on the pfsense box acting as the gateway out to the Internet.

      At first  I thought there was a rogue secondary router installed on the network by one of the employees using the same IP address (192.168.1.1)… When this happens, I disconnect the cable from the pfsense LAN port (192.168.1.1) and I cannot ping 192.168.1.1 so, I believe that there is no secondary router doing this to my network.

      Has anyone ever run across this issue? I saw somewhere on the net people talking about an "ARP Cheat"... any ideas on this...

      Thank you
      Kell

      1 Reply Last reply Reply Quote 0
      • D
        doktornotor Banned
        last edited by

        There is arpwatch package…

        1 Reply Last reply Reply Quote 0
        • K
          kjemison
          last edited by

          I will install the ARPwatch package and see if I can resolve the problem. The more I read up on this the more I believe that I may be a victim of ARP Spoofing.

          The real question is, is there a way to monitor this and stop future attacks? I am looking for a more proactive software to install as a package from pfsense to stop this vulnerability.

          Has anyone else been the victim of ARP Spoofing? If so, I would appreciate a little information on your solutions.

          Thank you
          Kell

          1 Reply Last reply Reply Quote 0
          • K
            kjemison
            last edited by

            Isolated the problem yesterday to a machine on my network with an IP address and matching MAC address that was the "spoofer" … Even though I know there is a machine on my network, I do not know where the machine is. Will be onsite going from machine to machine looking for the spoofing system.

            From what I have read over the last few days, there is really no way for pfsense to stop this type of attack. Many say that it must be done through a managed switch or to statically assign the network parameters on each workstation in the building.

            It would be nice if there was a way that pfsense could stop this from happening. Anyone ever run across this and what solution did you use?

            Thank you
            Kell

            1 Reply Last reply Reply Quote 0
            • First post
              Last post
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.