Kernel arp w.x.y.z moved from aa:bb:cc:dd:ee:ff to gg:hh:ii:jj:kk:ll on igb0



  • Hello,

    I noticed some odd repeating messages in the System logs of a recently installed system. Screenshot:

    Details:

    • pfSense running on an official SG-8860 1U appliance from the pfSense Store, running 2.2.4
    • The network is "flat": there is a single LAN interface assigned, connected to a stack of Netgear switches. No VLANs at this time.
    • We have 6 WAPs here (Ubiquiti) providing WiFi, they are also bridged into the same LAN via a dedicated Unifi PoE switch.

    Came here to ask if anyone thinks this is indicative of an actual problem or if it's just informational. Anyone seen these or have any idea what they mean?


  • Banned



  • Nice - sorry, I apologize for not searching the docs first.  :-[
    I will double check that there are no statically assigned hosts there as that seems the most likely cause at this point.



  • Looks like Bonjour sleep proxy, at least a couple of those are moving between Apple MACs. I added another entry here explaining.
    https://doc.pfsense.org/index.php/ARP_moved_log_messages



  • That could definitely be it. Some of the devices in question here are AppleTVs. Thanks Chris - learned something new - I had not heard of that Bonjour Sleep Proxy before!



  • So after looking through the logs at this site for the last 24 hrs I have confirmed that one of the two MAC addresses involved in these arp swaps is always an Apple-TV device (there are 3 at this location). After reading more about that mysterious Bonjour Sleep Proxy I assume they are all hosting said service. I read that switching the AppleTV's from Ethernet to WiFi "fixes" this harmless issue. But it appears it may actually be useful to some.

    My next question: is there any way to suppress these messages so they don't clutter the logs? Some sort of System Tunable I can set?



  • Added another bit to that wiki page on how to disable (just set tunable net.link.ether.inet.log_arp_movements=0). Though you might not want to do that unless it's just too spammy to deal with. Could hide legit problems, though if it's happening a lot it'll probably just become log noise you'll ignore anyway.



  • Wow that's awesome- exactly what I was looking for. I agree, burying your head in the sand isn't usually best practice. But in this case it was the lesser of 2 evils so I won't miss other important messages. Thanks Chris


Log in to reply