Netgate Discussion Forum

    Gratuitous ARP coming thru external interface

    Firewalling
      eljoe

      Hi All! I can't figure out how come I am receiving broadcast gratuitous ARP packets on my local LAN. They are coming from an internal (?) IP that is behind my ISP router. That is why it is coming in thru the external interface. But I don't understand why pfSense is not blocking that traffic.

      Below is a Wireshark capture of the ARP traffic on my local LAN. The layer 2 MAC address is my pfSense internal interface. I don't have any 192.168.252 network attached to pfSense. If I traceroute 192.168.252.1 it goes thru the external interface to the other side of my ISP router.

      Any clue why pfSense is broadcasting these ARP packets?

      thanks!

        johnpoz (LAYER 8 Global Moderator)

        That is not a gratuitous ARP… That is direct to a specific MAC.. Gratuitous ARPs are to broadcast, and where are you seeing 192.168.252?? Looks like 10.0.0.70 and 10.0.0.1 to me..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 23.05.1 | Lab VMs CE 2.6, 2.7

          eljoe

          @johnpoz:

          That is not a gratuitous ARP… That is direct to a specific MAC.. Gratuitous ARPs are to broadcast, and where are you seeing 192.168.252?? Looks like 10.0.0.70 and 10.0.0.1 to me..

          My bad! I posted the wrong image. It is now corrected on the original post.

            johnpoz (LAYER 8 Global Moderator)

            Why do you think that pfSense would relay an ARP?? See the actual source MAC 17:c3:40. It is a Cisco.. That is who put it on the wire, not the pfSense interface.


              eljoe

              @johnpoz:

              Why do you think that pfSense would relay an ARP?? See the actual source MAC 17:c3:40. It is a Cisco.. That is who put it on the wire, not the pfSense interface.

              Thanks for following this up. As I understand it, per the ARP specification, the ARP source MAC is from the original sender. The reason you see a Cisco MAC on layer 2 is because I am behind an internal Wi-Fi access point. Nevertheless, below is a new capture from the same local LAN but connected thru Ethernet.

              [edit post]
              Here you are a tracert from my PC to the infamous 192.168.252.1

              Tracing route to 192.168.252.1 over a maximum of 30 hops

              1    <1 ms    <1 ms    <1 ms  10.0.0.1 (pfSense internal interface - MAC 00-c0-9f-6d-69-65)
              2    6 ms    9 ms    10 ms  static.X.X.X.X.cps.com.xx [XXX.XXX.XXX.1] (my ISP gateway)
              3    5 ms    5 ms    4 ms  192.168.252.1 (some machine behind my ISP router)

              Trace complete.

                johnpoz (LAYER 8 Global Moderator)

                If you were seeing ARPs from the ISP side, then you have a connection from the ISP side to your LAN at layer 2… A router is not going to forward ARPs.. Unless you have it set up as a bridge?? Do you have pfSense bridged? From WAN to LAN?

                Draw your physical connection.. Looks like you have layer 2 from your ISP on your LAN, or you're running pfSense in bridge mode? Routers do not forward ARPs..


                  eljoe

                  @johnpoz:

                  If you were seeing ARPs from the ISP side, then you have a connection from the ISP side to your LAN at layer 2… A router is not going to forward ARPs.. Unless you have it set up as a bridge?? Do you have pfSense bridged? From WAN to LAN?

                  Draw your physical connection.. Looks like you have layer 2 from your ISP on your LAN, or you're running pfSense in bridge mode? Routers do not forward ARPs..

                  I will verify if we have it somehow bridged, but meanwhile, I would like to check the following: As I see it, my pfSense is not forwarding the ARP packet but is creating it. I state that based on the ARP information. If it were relayed, shouldn't the source MAC of the ARP (not the layer 2 info, but the ARP info) be the ISP machine instead of my box?

                  What do you think?

                  thanks!

                    johnpoz (LAYER 8 Global Moderator)

                    Why would pfSense send those ARPs, unless it has an IP..

                    You're most likely bridged… Why don't you sniff on your WAN and see what MAC the ARP is coming from if you think it's coming from your ISP.. And pfSense is sending it on..


                      eljoe

                      @johnpoz:

                      Why would pfSense send those ARPs, unless it has an IP..

                      Yes, that is what is baffling me. I have no interface with that IP segment.

                      @johnpoz:

                      You're most likely bridged… Why don't you sniff on your WAN and see what MAC the ARP is coming from if you think it's coming from your ISP.. And pfSense is sending it on..

                      Sure, I will check and report back.

                      thanks!

                        eljoe

                        Still trying to figure this out without any kind of success.

                        1- I sniffed (tcpdump from the pfSense shell) ARP traffic on my external interface and no news of that packet.
                        2- I sniffed (tcpdump from the pfSense shell) ARP traffic on my internet interface and no news of that packet, but I still see it if I sniff the internal network from any PC.
                        3- Sniffing the network from my PC, I disconnected the Ethernet cable from the pfSense external interface. The ARP packet was still being seen from my PC (Wireshark).
                        4- Sniffing the network from my PC, I disconnected the Ethernet cable from the pfSense internal interface. The ARP packet disappeared from my PC (Wireshark).

                        So, it seems that the packet is actually "created" by the pfSense internal interface (though, if you see #3, I couldn't sniff it from pfSense itself). I have no interface with network 192.168.252. But as I stated in a previous post, I can ping 192.168.252.1 and according to traceroute it is some host on the other side of my ISP's router.

                        In the end I don't get it. The host seems to be reachable via my external interface, but if I shut down that interface the packet is still being produced by my internal interface.

                        Any clue out there?

                        thanks!

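An added example, not code from this thread or from pfSense, that makes concrete the point eljoe and johnpoz are arguing over (the Ethernet source MAC versus the sender MAC inside the ARP body) and the sniffing steps above: it parses a raw Ethernet+ARP frame, compares the two sender addresses, and flags a gratuitous ARP, a frame put on the wire by a station other than the ARP sender, and a sender IP from a subnet no local interface serves. The sample frames are constructed from the addresses quoted in the thread; the 02:00:00:aa:bb:cc MAC is a hypothetical placeholder.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

ETH_P_ARP = 0x0806
BROADCAST = "ff:ff:ff:ff:ff:ff"

def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def build_arp(eth_src, eth_dst, oper, sha, spa, tha, tpa) -> bytes:
    """Assemble an Ethernet II + ARP frame; used here only to construct sample input."""
    m = lambda s: bytes.fromhex(s.replace(":", ""))
    eth = struct.pack("!6s6sH", m(eth_dst), m(eth_src), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, oper,
                      m(sha), IPv4Address(spa).packed, m(tha), IPv4Address(tpa).packed)
    return eth + arp

def parse_arp(frame: bytes) -> dict:
    """Split the layer-2 header from the ARP body so the two sender addresses can be compared."""
    if len(frame) < 42:
        raise ValueError("frame too short for Ethernet + ARP")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype != ETH_P_ARP:
        raise ValueError(f"not ARP: ethertype 0x{ethertype:04x}")
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack("!HHBBH6s4s6s4s", frame[14:42])
    return {"eth_src": _mac(src), "eth_dst": _mac(dst), "oper": oper,
            "sender_mac": _mac(sha), "sender_ip": str(IPv4Address(spa)),
            "target_mac": _mac(tha), "target_ip": str(IPv4Address(tpa))}

def classify(arp: dict, local_nets: list) -> list:
    """Findings a defender wants from one ARP frame; local_nets are the subnets this LAN should carry."""
    findings = []
    if arp["sender_ip"] == arp["target_ip"]:
        findings.append("gratuitous")          # host announcing its own IP-to-MAC mapping
    if arp["eth_src"] != arp["sender_mac"]:
        findings.append("relayed-or-spoofed")  # a different station put this frame on the wire
    if not any(IPv4Address(arp["sender_ip"]) in n for n in local_nets):
        findings.append("foreign-subnet")      # sender claims an IP no local interface serves
    return findings

# Constructed sample, modelled on the thread: a broadcast gratuitous ARP for 192.168.252.1 whose
# Ethernet source and ARP sender MAC are both the pfSense LAN NIC (00-c0-9f-6d-69-65).
LAN = [IPv4Network("10.0.0.0/24")]
SAMPLE = build_arp("00:c0:9f:6d:69:65", BROADCAST, 1,
                   "00:c0:9f:6d:69:65", "192.168.252.1", "00:00:00:00:00:00", "192.168.252.1")
# Constructed contrast: the same ARP body forwarded by another station (hypothetical MAC).
RELAYED = build_arp("02:00:00:aa:bb:cc", BROADCAST, 1,
                    "00:c0:9f:6d:69:65", "192.168.252.1", "00:00:00:00:00:00", "192.168.252.1")
for frame in (SAMPLE, RELAYED):
    print(classify(parse_arp(frame), LAN))
```

Frames captured with tcpdump or Wireshark can be fed to parse_arp the same way; a "relayed-or-spoofed" finding is the evidence the thread is looking for, and its absence on a frame whose Ethernet source is the LAN NIC supports eljoe's reading that the box itself emitted it.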
                          johnpoz (LAYER 8 Global Moderator)

                          What is the difference between internal and external interfaces??? So you have more than 1 internet connection?

                          "192.168.252.1 and according to traceroute it is some host on the other side of my ISP's router."

                          All a traceroute does is follow the routing… To be honest, that your ISP sends you anywhere with that network is nonsense... While sure, you should send that out your default gateway while looking for it.. It should stop at your first hop since that is not routable on the public internet. Routers are stupid, they just follow the rules they have.. If they don't have a route to a network, then they send it out their default..

                          What is your ISP IP in that second hop?? Is it RFC1918?? 10.x.x.x, 192.168.x.x, 172.16-31.x.x ??

                          If you pulled your external cables and you're still seeing it, then it's coming from your network.. As to why you're not seeing it when sniffing on pfSense.. From that MAC it's coming from Quanta Computer Inc, so is your pfSense a Quanta computer??


                            eljoe

                            @johnpoz:

                            What is the difference between internal and external interfaces??? So you have more than 1 internet connection?

                            "192.168.252.1 and according to traceroute it is some host on the other side of my ISP's router."

                            All a traceroute does is follow the routing… To be honest, that your ISP sends you anywhere with that network is nonsense... While sure, you should send that out your default gateway while looking for it.. It should stop at your first hop since that is not routable on the public internet. Routers are stupid, they just follow the rules they have.. If they don't have a route to a network, then they send it out their default..

                            What is your ISP IP in that second hop?? Is it RFC1918?? 10.x.x.x, 192.168.x.x, 172.16-31.x.x ??

                            If you pulled your external cables and you're still seeing it, then it's coming from your network.. As to why you're not seeing it when sniffing on pfSense.. From that MAC it's coming from Quanta Computer Inc, so is your pfSense a Quanta computer??

                            I have one internet connection.
                            The internal interface is the NIC that connects to my LAN with network 10.0.0.x.
                            The external interface is the NIC that connects to my ISP router.

                            The second hop is the .1 IP of a public IP in the range of my pfSense public IP. Up to there all seems to be logical. After that, there you have that nonsense 192.168.252.1 host. But yes, if I pull the external cable I still see the gratuitous ARP packets coming from pfSense's internal NIC and MAC address.

                            My pfSense box is a clone machine, but that MAC address is certainly the NIC that is attached to my local network.

                              johnpoz (LAYER 8 Global Moderator)

                              You stated you sniffed on external, and also sniffed on internet?? That makes it sound like you have 2 WAN connections in pfSense.

                              1- I sniffed (tcpdump from the pfSense shell) ARP traffic on my external interface
                              2- I sniffed (tcpdump from the pfSense shell) ARP traffic on my internet interface

                              If you pull your internet connection and it still happens then something on your network is sending it. Do you have any VIP or VLAN, or a bridge set up??


                                eljoe

                                @johnpoz:

                                You stated you sniffed on external, and also sniffed on internet?? That makes it sound like you have 2 WAN connections in pfSense.

                                1- I sniffed (tcpdump from the pfSense shell) ARP traffic on my external interface
                                2- I sniffed (tcpdump from the pfSense shell) ARP traffic on my internet interface

                                If you pull your internet connection and it still happens then something on your network is sending it. Do you have any VIP or VLAN, or a bridge set up??

                                Sorry! I meant "internal", not "internet".
                                None of those configurations.
                                This is a small network, so I may just try to rebuild everything when I have some time and start over, just in case.
