Multiple ARP addresses… Major Problem!
-
Hello,
I have noticed that on a 60-user network, at random times the workstations (all DHCP assigned by pfsense) will occasionally lose connectivity to the Internet.
Upon investigation, I have found that the ARP address will change from the installed adapter on the pfsense box acting as the gateway out to the Internet.
At first I thought there was a rogue secondary router installed on the network by one of the employees using the same IP address (192.168.1.1)… When this happens, I disconnect the cable from the pfsense LAN port (192.168.1.1) and I cannot ping 192.168.1.1, so I believe that there is no secondary router doing this to my network.
Has anyone ever run across this issue? I saw somewhere on the net people talking about an "ARP Cheat"... any ideas on this...
Thank you
Kell -
There is an arpwatch package…
-
I will install the ARPwatch package and see if I can resolve the problem. The more I read up on this the more I believe that I may be a victim of ARP Spoofing.
The real question is, is there a way to monitor this and stop future attacks? I am looking for a more proactive software to install as a package from pfsense to stop this vulnerability.
Has anyone else been the victim of ARP Spoofing? If so, I would appreciate a little information on your solutions.
Thank you
Kell -
Isolated the problem yesterday to a machine on my network with an IP address and matching MAC address that was the "spoofer" … Even though I know there is a machine on my network, I do not know where the machine is. Will be onsite going from machine to machine looking for the spoofing system.
From what I have read over the last few days, there is really no way for pfsense to stop this type of attack. Many say that it must be done through a managed switch or to statically assign the network parameters on each workstation in the building.
It would be nice if there was a way that pfsense could stop this from happening. Anyone ever run across this and what solution did you use?
Thank you
Kell
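The monitoring asked about in this thread comes down to tracking IP-to-MAC bindings over time. The following is an added example, not part of the original posts and not arpwatch's own code: it flags when the gateway address 192.168.1.1 is claimed by a different MAC and when one MAC answers for several IPs. The observation format, the MAC addresses and the 192.168.1.37 host are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample observations (time, IP, MAC), e.g. gathered by polling
# the ARP table on a workstation. All MACs and 192.168.1.37 are made up.
SAMPLE = """\
09:00:01 192.168.1.1 00:11:22:33:44:55
09:00:01 192.168.1.37 66:77:88:99:aa:bb
09:05:01 192.168.1.1 00:11:22:33:44:55
09:10:01 192.168.1.1 66:77:88:99:aa:bb
09:10:01 192.168.1.37 66:77:88:99:aa:bb
09:15:01 192.168.1.1 00:11:22:33:44:55
"""

def parse(text):
    """Yield (timestamp, ip, mac) tuples, normalising the MAC notation."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, ip, mac = parts
        yield ts, ip, mac.lower().replace("-", ":")

def find_arp_anomalies(text, pinned=None):
    """Return (changes, shared): bindings that changed, and MACs seen on several IPs."""
    pinned = pinned or {}          # known-good bindings, e.g. the gateway's real MAC
    current = dict(pinned)
    macs_to_ips = defaultdict(set)
    changes = []
    for ts, ip, mac in parse(text):
        macs_to_ips[mac].add(ip)
        known = current.get(ip)
        if known is not None and known != mac:
            changes.append((ts, ip, known, mac))
        # A pinned binding is never overwritten by what the network claims.
        if ip not in pinned:
            current[ip] = mac
    shared = {m: sorted(ips) for m, ips in macs_to_ips.items() if len(ips) > 1}
    return changes, shared

if __name__ == "__main__":
    gateway = {"192.168.1.1": "00:11:22:33:44:55"}  # assumed real LAN MAC
    changes, shared = find_arp_anomalies(SAMPLE, pinned=gateway)
    for ts, ip, old, new in changes:
        print(f"{ts} {ip} moved {old} -> {new}")
    for mac, ips in shared.items():
        print(f"{mac} answers for {', '.join(ips)}")
```

The MAC reported under `shared` is the one to look up in a managed switch's MAC address table to find the physical port of the offending machine.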