Multiple ARP addresses… Major Problem!



  • Hello,

    I have noticed that on a 60 user network, at random times the workstations (all DHCP assigned by pfsense) will occasionally lose connectivity to the Internet.

    Upon investigation, I have found that the ARP address will change from the installed adapter on the pfsense box acting as the gateway out to the Internet.

    At first I thought there was a rogue secondary router installed on the network by one of the employees using the same IP address (192.168.1.1)… When this happens, I disconnect the cable from the pfsense LAN port (192.168.1.1) and I cannot ping 192.168.1.1, so I believe that there is no secondary router doing this to my network.

    Has anyone ever run across this issue? I saw somewhere on the net people talking about an "ARP Cheat"... any ideas on this...

    Thank you
    Kell


  • Banned

    There is an arpwatch package…



  • I will install the ARPwatch package and see if I can resolve the problem. The more I read up on this the more I believe that I may be a victim of ARP Spoofing.

    The real question is, is there a way to monitor this and stop future attacks? I am looking for a more proactive software to install as a package from pfsense to stop this vulnerability.

    Has anyone else been the victim of ARP Spoofing? If so, I would appreciate a little information on your solutions.

    Thank you
    Kell



  • Isolated the problem yesterday to a machine on my network with an IP address and matching MAC address that was the "spoofer" … Even though I know there is a machine on my network, I do not know where the machine is. Will be onsite going from machine to machine looking for the spoofing system.

    From what I have read over the last few days, there is really no way for pfsense to stop this type of attack. Many say that it must be done through a managed switch or to statically assign the network parameters on each workstation in the building.

    It would be nice if there was a way that pfsense could stop this from happening. Anyone ever run across this and what solution did you use?

    Thank you
    Kell
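
An added example, not part of the thread and not arpwatch's own code: a small monitor for the situation described above, where the gateway address 192.168.1.1 intermittently resolves to the wrong MAC. It assumes `arp -an` snapshots collected periodically on a BSD or Linux workstation and a known-good MAC for the pfSense LAN port; the function names and every address in the sample data are constructed.

```python
import re

# Matches the IP/MAC pair in both FreeBSD and Linux `arp -an` lines.
ARP_LINE = re.compile(
    r"\((\d{1,3}(?:\.\d{1,3}){3})\) at ([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
)

def parse_arp(text):
    """Return {ip: mac} for one snapshot; '(incomplete)' entries are skipped."""
    return {ip: mac.lower() for ip, mac in ARP_LINE.findall(text)}

def analyze(snapshots, gateway_ip, trusted_mac):
    """Flag snapshots where the gateway IP resolves to an unexpected MAC.

    snapshots: list of (label, arp_text). Returns a list of alert dicts.
    """
    trusted_mac = trusted_mac.lower()
    alerts = []
    for label, text in snapshots:
        table = parse_arp(text)
        seen = table.get(gateway_ip)
        if seen is None or seen == trusted_mac:
            continue
        # Any other IP sharing the rogue MAC is the likely source host:
        # it answers for its own address and for the gateway's.
        suspects = sorted(ip for ip, mac in table.items()
                          if mac == seen and ip != gateway_ip)
        alerts.append({"when": label, "rogue_mac": seen,
                       "suspect_ips": suspects})
    return alerts

# Constructed sample data: two snapshots from one workstation.
SNAPSHOTS = [
    ("09:00", "? (192.168.1.1) at 02:00:00:00:00:01 on em0 expires in 1180 seconds [ethernet]\n"
              "? (192.168.1.57) at 02:00:00:00:00:57 on em0 expires in 900 seconds [ethernet]\n"),
    ("09:05", "? (192.168.1.1) at 02:00:00:00:00:99 on em0 expires in 1195 seconds [ethernet]\n"
              "? (192.168.1.143) at 02:00:00:00:00:99 on em0 expires in 1100 seconds [ethernet]\n"
              "? (192.168.1.200) at (incomplete) on em0 [ethernet]\n"),
]

if __name__ == "__main__":
    for a in analyze(SNAPSHOTS, "192.168.1.1", "02:00:00:00:00:01"):
        print(f"{a['when']}: gateway claimed by {a['rogue_mac']}, "
              f"same MAC also seen at {a['suspect_ips'] or 'no other IP'}")
```

The suspect IP and MAC still have to be traced to a physical port, for example through a managed switch's MAC address table.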

