pfSense single MAC is listed with several IPs in ARP table

arp dhcp pfsense

I have this problem:
arp table filling up

But I am quite sure that I cannot blame Kaspersky.

Scenario:

  • A user plugs his computer in.
  • He waits and waits but gets no IP by DHCP.
  • Then he is told there is an IP conflict…
  • He ends up assigning himself a static IP to access the net.

In the ARP table of the router I see:

192.168.24.144  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.145  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.181  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.150  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.151  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.152  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.156  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.157  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.159  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.160  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.130  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.132  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.164  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.137  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.140  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.206  00:16:41:42:3c:9e   Lenovo  LAN

The last .206 is the static address he gave himself.

Several users describe the exact same problem. It started after removing some filters in the switches, so all users are on a LAN and can see each other. Before, when filters blocked access to each other's computers, no one reported this kind of behavior.

UPDATE

While a client tries to connect, the ARP table gets filled up. After a short while I checked the ARP table, where the multiple listings had been removed again. I also checked the DHCP leases, where none of the IPs were listed as active or expired. So it seems that an IP was never assigned even though an ARP entry was created in the ARP table.

UPDATE2

I ended up replacing the router and the problem has not been reported again. Thanks for all the feedback.

Best Answer

Can you locate that computer with that MAC? It is possible that there is a virus/worm on that machine, taking over all IPs. Check the DHCP logs too. Another possibility is that someone is running some hacking/DoS tools there. Check the machine with the antivirus.

Another possibility is that this is an Android tablet/phone which sends a DHCP request but never releases the old IP, and ends up using all the IPs in the DHCP range. This was a known bug on some Android versions/implementations.

The third possibility is that someone is running an ARP proxy on that machine for a good/bad reason, and is responding to all ARP requests.

Until you can find and isolate the machine with that MAC, we can just guess.
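A check for the symptom discussed on this page, one MAC holding many ARP entries that have no matching DHCP lease, as an added example that is not part of the original question or answer. The sample rows (apart from the three copied from the question's table), the lease set, the interface name and the function names are constructed for illustration; the parser accepts both the column layout shown in the question and FreeBSD `arp -an` lines.

```python
import ipaddress
import re
from collections import defaultdict

IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
MAC_RE = re.compile(r"\b[0-9a-f]{2}(?::[0-9a-f]{2}){5}\b", re.I)

# Constructed sample: three rows in the question's layout, one unrelated
# host, and two FreeBSD `arp -an` style lines (made-up 02:... MACs, em1).
SAMPLE_ARP = """\
192.168.24.144  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.145  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.206  00:16:41:42:3c:9e   Lenovo  LAN
192.168.24.10   02:00:00:00:00:01   Example LAN
? (192.168.24.11) at 02:00:00:00:00:02 on em1 expires in 900 seconds [ethernet]
? (192.168.24.12) at (incomplete) on em1 [ethernet]
"""
SAMPLE_LEASES = {"192.168.24.10", "192.168.24.11"}  # constructed active leases


def parse_arp(text):
    """Map each MAC to the set of IPs it answers for."""
    table = defaultdict(set)
    for line in text.splitlines():
        ip, mac = IP_RE.search(line), MAC_RE.search(line)
        if ip and mac:  # skips blanks, headers and "(incomplete)" entries
            table[mac.group(0).lower()].add(ip.group(0))
    return dict(table)


def multi_ip_macs(table, leased_ips, threshold=2):
    """MACs with >= threshold ARP entries, and their IPs lacking a lease."""
    report = {}
    for mac, ips in table.items():
        if len(ips) >= threshold:
            unleased = sorted(ips - set(leased_ips), key=ipaddress.ip_address)
            report[mac] = {"entries": len(ips), "unleased": unleased}
    return report


if __name__ == "__main__":
    for mac, info in multi_ip_macs(parse_arp(SAMPLE_ARP), SAMPLE_LEASES).items():
        print(mac, info["entries"], "ARP entries; no lease for", info["unleased"])
```

A host with legitimate IP aliases will also be reported, so raise `threshold` or compare against known static assignments before acting on a hit.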