Arpwatch Flip Flop

Running pfSense Community 2.7.2 and enabled Arpwatch. I’m running a Kali Purple box in my lab which has two NIC cards. Arpwatch keeps alerting on Flip Flops between the two NIC cards. Anyone know how to fix? I’ve already configured each NIC card to use a specific MAC address.

Flip Flop: The ethernet address has changed from the most recently seen address to the second most recently seen address. This is most likely because it sees the one machine but the two ethernet cards. Test if disabling one fixes the issue.

You have two NICs with two MACs, but what is the IP config? Are these ports configured in some sort of passive aggregation, the kind where the OS uses tricks to allow both ports to be used for traffic without the switch it connects to being configured as an aggregate? If so then the alerts you are getting are valid - the OS is literally using both MACs with the same IP, usually by responding to some ARP requests with one MAC and some with the other.

On the NIC settings for each card I specified which MAC to use for each device.

I set NIC 1 (Wired connection 1) .255 IP address - MAC = a7:a1:59:d6:f4:df
I set NIC 2 (Wired connection 2) .224 IP address - MAC = e7:4e:06:87:31:46

The ports are just configured normally with static ip addresses, no other special configurations unless Kali Purple is doing something that I’m not aware of.

However, Arpwatch sees them as

LAN 192.168.0.224 e7:4e:06:87:31:46 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:13:05 2024
LAN 192.168.0.225 a7:a1:59:d6:f4:df ASRock Incorporation Sat Apr 20 09:08:00 2024
LAN 192.168.0.225 e7:4e:06:87:31:46 EDUP INTERNATIONAL (HK) CO., LTD Sat Apr 20 09:05:33 2024

If I disable the .225 NIC the flip flop will stop because it is only happening on this NIC. If I disable the .224 NIC I won’t really know because Arpwatch is detecting the MAC address for both NIC cards.
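Added example (not part of the thread and not arpwatch's own code): a simplified Python classifier that applies the flip-flop definition quoted above to (IP, MAC) sightings, then lists which MAC on a flip-flopping IP is also seen answering for another IP. The sighting order in `SAMPLE` is constructed from the addresses posted above, and the function names are hypothetical.

```python
from collections import defaultdict

# Constructed ARP sightings (ip, mac) in arrival order. The addresses are the
# ones quoted in the thread; the ordering is an assumption for illustration.
SAMPLE = [
    ("192.168.0.224", "e7:4e:06:87:31:46"),
    ("192.168.0.225", "a7:a1:59:d6:f4:df"),
    ("192.168.0.225", "e7:4e:06:87:31:46"),
    ("192.168.0.225", "a7:a1:59:d6:f4:df"),
    ("192.168.0.225", "a7:a1:59:d6:f4:df"),
    ("192.168.0.225", "e7:4e:06:87:31:46"),
]

def classify(observations):
    """Return (ip, mac, event) for every sighting that changes an IP's MAC."""
    history = defaultdict(list)  # ip -> MACs, most recently seen first
    events = []
    for ip, mac in observations:
        seen = history[ip]
        if not seen:
            event = "new station"
        elif mac == seen[0]:
            continue  # same MAC as the last sighting: nothing to report
        elif len(seen) > 1 and mac == seen[1]:
            event = "flip flop"  # back to the second most recently seen MAC
        elif mac in seen:
            event = "reused old ethernet address"  # third or older MAC
        else:
            event = "changed ethernet address"
        events.append((ip, mac, event))
        if mac in seen:
            seen.remove(mac)
        seen.insert(0, mac)
    return events

def shared_macs(observations):
    """For each flip-flopping IP, list its MACs that also appear on another IP."""
    ips_by_mac = defaultdict(set)
    for ip, mac in observations:
        ips_by_mac[mac].add(ip)
    flipping = {ip for ip, _, ev in classify(observations) if ev == "flip flop"}
    return {ip: sorted(m for m, ips in ips_by_mac.items()
                       if ip in ips and len(ips) > 1)
            for ip in sorted(flipping)}

if __name__ == "__main__":
    for ip, mac, event in classify(SAMPLE):
        print(f"{event:28} {ip:15} {mac}")
    print("MACs shared with another IP:", shared_macs(SAMPLE))
```

A MAC that shows up in `shared_macs` is the interface worth looking at first, since it is the one seen on more than one IP.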

I got something similar - 3 Proxmox servers - HPs with onboard dual NICs - Arpwatch shows both with same IP though I’ve used separate OpenvSwitch Bridges for each NIC each with completely different subnets - one dedicated to Corosync.

I’ve probably sorted my issue now - new Unifi switches so config still a work in progress and have assigned the Corosync NICs a separate Profile + VLAN - so Arpwatch on the pfSense box won’t see them at all.

Still the original problem was there - so Arpwatch/ARP collects an IP from MAC from ARP by asking what’s the MAC address for this IP address - so the host with that IP should respond - but there’s a layer (OpenvSwitch Bridge for me on Proxmox) in between - so assume there’s some bug/feature which means that the host gives the wrong MAC address?

I’m thinking it is a bug but in the interim, since I know what the two MAC addresses are and what NIC cards they go to, I disabled the alerts! I know security by obscurity is never a good idea but for my email sanity….