Gratuitous ARP coming through external interface



  • Hi All! I can't figure out how come I am receiving broadcast gratuitous ARP packets on my local LAN. They are coming from an internal (?) IP that is behind my ISP router. That is why it is coming in through the external interface. But I don't understand why pfSense is not blocking that traffic.

    Below is a Wireshark capture of the ARP traffic on my local LAN. The layer 2 MAC address is my pfSense internal interface. I don't have any 192.168.252 network attached to pfSense. If I traceroute 192.168.252.1 it goes through the external interface to the other side of my ISP router.

    Any clue why pfSense is broadcasting these ARP packets?

    thanks!


  • LAYER 8 Global Moderator

    That is not a gratuitous arp… That is direct to a specific mac.. Gratuitous are to broadcast, and where are you seeing 192.168.252?? Looks like 10.0.0.70 and 10.0.0.1 to me..



  • @johnpoz:

    That is not a gratuitous arp… That is direct to a specific mac.. Gratuitous are to broadcast, and where are you seeing 192.168.252?? Looks like 10.0.0.70 and 10.0.0.1 to me..

    My bad! I posted the wrong image. It is now corrected on the original post.


  • LAYER 8 Global Moderator

    Why do you think that pfsense would relay an arp?? See the actual source mac 17:c3:40.. Is a cisco.. That is who put it on the wire, not the pfsense interface.



  • @johnpoz:

    Why do you think that pfsense would relay an arp?? See the actual source mac 17:c3:40.. Is a cisco.. That is who put it on the wire, not the pfsense interface.

    Thanks for following this up. As I understand, per the ARP specification, the ARP source MAC is from the original sender. The reason you see a Cisco MAC on layer 2 is because I am behind an internal wifi access point. Nevertheless, below is a new capture from the same local LAN but connected through Ethernet.

    [edit post]
    Here is a tracert from my PC to the infamous 192.168.252.1

    Tracing route to 192.168.252.1 over a maximum of 30 hops

    1    <1 ms    <1 ms    <1 ms  10.0.0.1 (pfSense internal interface - MAC 00-c0-9f-6d-69-65)
    2    6 ms    9 ms    10 ms  static.X.X.X.X.cps.com.xx [XXX.XXX.XXX.1] (my ISP gateway)
    3    5 ms    5 ms    4 ms  192.168.252.1 (some machine behind my isp router)

    Trace complete.


  • LAYER 8 Global Moderator

    If you were seeing arps from the isp side, then you have a connection from the isp side to your lan at layer 2… Router is not going to forward ARPs.. Unless you have it setup as a bridge?? Do you have pfsense bridged? From wan to lan?

    Draw your physical connection.. Looks like you have layer 2 from your isp on your lan, or you're running pfsense in bridge mode? Routers do not forward arps..



  • @johnpoz:

    If you were seeing arps from the isp side, then you have a connection from the isp side to your lan at layer 2… Router is not going to forward ARPs.. Unless you have it setup as a bridge?? Do you have pfsense bridged? From wan to lan?

    Draw your physical connection.. Looks like you have layer 2 from your isp on your lan, or you're running pfsense in bridge mode? Routers do not forward arps..

    I will verify if we have it somehow bridged, but meanwhile, I would like to check the following: As I see it, my pfSense is not forwarding the ARP packet but it is creating it. I state that based on the ARP information. If it was relayed, shouldn't the source MAC of the ARP (not the layer 2 info, but the ARP info) be the ISP machine instead of my box?

    What do you think?

    thanks!


  • LAYER 8 Global Moderator

    Why would pfsense send those arps, unless it has an IP..

    You're most likely bridged… Why don't you sniff on your wan and see what mac the arp is coming from if you think it's coming from your isp.. And pfsense is sending it on..



  • @johnpoz:

    Why would pfsense send those arps, unless it has an IP..

    Yes, that is what is baffling me. I have no interface with that IP segment.

    @johnpoz:

    You're most likely bridged… Why don't you sniff on your wan and see what mac the arp is coming from if you think it's coming from your isp.. And pfsense is sending it on..

    Sure, I will check and report back.

    thanks!



  • Still trying to figure this out without any kind of success

    1- I sniffed (tcpdump from the pfSense shell) ARP traffic on my external interface and no news of that packet.
    2- I sniffed (tcpdump from the pfSense shell) ARP traffic on my internet interface and no news of that packet, but I still see it if I sniff the internal network from any PC.
    3- Sniffing the network from my PC, I disconnected the eth cable from the pfSense external interface. The ARP packet was still being seen from my PC (Wireshark).
    4- Sniffing the network from my PC, I disconnected the eth cable from the pfSense internal interface. The ARP packet disappeared from my PC (Wireshark).

    So, it seems that the packet is actually "created" by the pfSense internal interface (though if you see #3 I couldn't sniff it from pfSense itself). I have no interface with network 192.168.252. But as I stated in a previous post, I can ping 192.168.252.1 and according to traceroute it is some host on the other side of my ISP's router.

    In the end I don't get it. The host seems to be reachable by my external interface, but if I shut down that interface the packet is still being produced by my internal interface.

    Any clue out there?

    thanks!
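    A small classifier for the kind of frames captured in the steps above, as an added example (not code from this thread or from pfSense). It parses a raw Ethernet/ARP frame, flags a gratuitous ARP (sender and target IP equal), flags a mismatch between the Ethernet source MAC and the ARP sender hardware address (what a forwarded, rewritten or spoofed frame shows, which is the relay question raised earlier in the thread), and flags a sender IP outside the configured local subnets. The 10.0.0.0/24 LAN and the pfSense LAN MAC are taken from the thread; the relay MAC, the local interface table and the frames themselves are constructed.

```python
import ipaddress
import struct

# Assumed local interface table: the thread's pfSense LAN is 10.0.0.0/24.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/24")]

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def _unmac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))

def parse_arp_frame(frame: bytes) -> dict:
    """Parse an Ethernet II frame carrying an IPv4-over-Ethernet ARP packet."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != 0x0806:
        raise ValueError("EtherType is not ARP")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("unsupported ARP hardware/protocol type")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", frame[22:42])
    return {"eth_dst": _mac(dst), "eth_src": _mac(src), "oper": oper,
            "sha": _mac(sha), "spa": str(ipaddress.IPv4Address(spa)),
            "tha": _mac(tha), "tpa": str(ipaddress.IPv4Address(tpa))}

def classify(arp: dict) -> list:
    """Findings worth flagging on one ARP frame seen on the LAN."""
    findings = []
    if arp["spa"] == arp["tpa"]:       # announcement: sender IP == target IP
        findings.append("gratuitous")
    if arp["eth_src"] != arp["sha"]:   # frame MAC != ARP sender MAC: forwarded/spoofed
        findings.append("l2-src-mismatch")
    if not any(ipaddress.ip_address(arp["spa"]) in n for n in LOCAL_NETS):
        findings.append("foreign-sender-subnet")
    return findings

def build_arp(eth_src, sha, spa, tpa, eth_dst="ff:ff:ff:ff:ff:ff", oper=1):
    """Build a constructed test frame (sample data, not a real capture); target MAC is zero."""
    eth = struct.pack("!6s6sH", _unmac(eth_dst), _unmac(eth_src), 0x0806)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper, _unmac(sha),
                      ipaddress.IPv4Address(spa).packed, bytes(6),
                      ipaddress.IPv4Address(tpa).packed)
    return eth + arp

PFSENSE_LAN_MAC = "00:c0:9f:6d:69:65"  # pfSense LAN MAC quoted in the thread
RELAY_MAC = "02:00:00:00:00:01"        # constructed placeholder for a relaying box
# Constructed frames modelled on the thread's capture: the puzzling announcement, a normal request, a relayed copy.
GRATUITOUS = build_arp(PFSENSE_LAN_MAC, PFSENSE_LAN_MAC, "192.168.252.1", "192.168.252.1")
NORMAL_REQUEST = build_arp("00:11:22:33:44:55", "00:11:22:33:44:55", "10.0.0.70", "10.0.0.1")
RELAYED = build_arp(RELAY_MAC, PFSENSE_LAN_MAC, "192.168.252.1", "192.168.252.1")
```

    Run over a real capture, a frame whose Ethernet source equals the pfSense LAN MAC with no "l2-src-mismatch" finding points at that NIC as the originator, which matches the unplug tests above.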


  • LAYER 8 Global Moderator

    what is the difference between internal and external interfaces???  So you have more than 1 internet connection?

    "192.168.252.1 and according to traceroute it is some host on the other side of my ISPs router."

    All a traceroute does is follow the routing… To be honest that your isp sends you anywhere with that network is nonsense... While sure you should send that out your default gateway while looking for it.. It should stop at your first hop since that is not routable on the public internet. Routers are stupid they just follow the rules they have.. If they don't have a route to a network, then they send it out their default..

    What is your isp IP in that second hop??  Is it rfc1918??  10.x.x.x, 192.168.x.x, 172.16-31.x.x ??

    If you pulled your external cables and you're still seeing it, then it's coming from your network.. As to why you're not seeing it when sniffing on pfsense.. From that mac it's coming from Quanta Computer Inc, so is your pfsense a quanta computer??



  • @johnpoz:

    what is the difference between internal and external interfaces???  So you have more than 1 internet connection?

    "192.168.252.1 and according to traceroute it is some host on the other side of my ISPs router."

    All a traceroute does is follow the routing… To be honest that your isp sends you anywhere with that network is nonsense... While sure you should send that out your default gateway while looking for it.. It should stop at your first hop since that is not routable on the public internet. Routers are stupid they just follow the rules they have.. If they don't have a route to a network, then they send it out their default..

    What is your isp IP in that second hop??  Is it rfc1918??  10.x.x.x, 192.168.x.x, 172.16-31.x.x ??

    If you pulled your external cables and you're still seeing it, then it's coming from your network.. As to why you're not seeing it when sniffing on pfsense.. From that mac it's coming from Quanta Computer Inc, so is your pfsense a quanta computer??

    I have one internet connection.
    The internal interface is the NIC that connects to my LAN with network 10.0.0.x.
    The external interface is the NIC that connects to my ISP router.

    The second hop is the .1 IP of a public IP in the range of my pfSense public IP. Up to there all seems to be logical. After that, there you have that nonsense 192.168.252.1 host. But yes, if I pull the external cable I still see the gratuitous ARP packets coming from pfSense's internal NIC and MAC address.

    My pfsense box is a clone machine, but that MAC address is certainly the NIC that is attached to my local network.


  • LAYER 8 Global Moderator

    You stated you sniffed on external, and also sniffed on internet ??  That makes it sound you have 2 wan connections in pfsense.

    1- I sniffed (tcpdump from pfsense shell) ARP traffic on my external interface
    2- I sniffed (tcpdump from pfsense shell) ARP traffic on my internet interface

    If you pull your internet connection and it still happens then something on your network is sending it.  Do you have any vip or vlan, or a bridge setup??



  • @johnpoz:

    You stated you sniffed on external, and also sniffed on internet ??  That makes it sound you have 2 wan connections in pfsense.

    1- I sniffed (tcpdump from pfsense shell) ARP traffic on my external interface
    2- I sniffed (tcpdump from pfsense shell) ARP traffic on my internet interface

    If you pull your internet connection and it still happens then something on your network is sending it.  Do you have any vip or vlan, or a bridge setup??

    Sorry! I meant "internal", not "internet".
    None of those configurations.
    This is a small network, so I may just try to rebuild everything when I have some time and start over just in case.

