
Resolved
0 votes
Hi all,

I get some chaotic arpwatch flip-flops.
Sometimes very few, 4 a day; sometimes a huge amount, 100 or 200 a day.

Each time I get them in 2 copies:
hostname: <unknown>
ip address: 0.0.0.0
ethernet address: f0:82:61:86:25:5c
ethernet vendor: <unknown>
old ethernet address: 34:f3:9a:d6:74:5f
old ethernet vendor: <unknown>
timestamp: Tuesday, June 4, 2019 8:54:31 +0200
previous timestamp: Tuesday, June 4, 2019 8:54:00 +0200
delta: 31 seconds

Or when the server's MAC address is involved I've got:
hostname: xxx.xxxxxxxxxxx.xxx
ip address: 10.0.0.137
ethernet address: 0c:c4:7a:33:07:8a
ethernet vendor: <unknown>
old ethernet address: 0c:c4:7a:33:07:8b
old ethernet vendor: <unknown>
timestamp: Tuesday, March 26, 2019 20:27:52 +0100
previous timestamp: Tuesday, March 26, 2019 20:27:51 +0100
delta: 1 second

and
hostname: xxx.xxxxxxxxxxx.xxx
ip address: 10.0.0.137
ethernet address: 0c:c4:7a:33:07:8b
ethernet vendor: <unknown>
old ethernet address: 0c:c4:7a:33:07:8a
old ethernet vendor: <unknown>
timestamp: Tuesday, March 26, 2019 20:27:27 +0100
previous timestamp: Tuesday, March 26, 2019 20:27:27 +0100
delta: 0 seconds

I get only this on the External IP address
that raises an alert on my ISP router:
NIC 0c:c4:7a:33:07:8b and 0c:c4:7a:33:07:8a use the same IP address 10.0.0.142
But in this message it is the LAN IP that is involved.

I've got 2 NICs:
enp4s0 External Static 10.0.0.137

MAC Address 0c:c4:7a:33:07:8b
Vendor Intel Corporation
Device 82574L Gigabit Network Connection
Bus PCI
Link Yes
Speed 1000 Mb/s
Interface enp4s0
Role External
Connection Type Static
IP Address 10.0.0.137
Netmask 255.255.255.252
Gateway 10.0.0.138
DHCP disabled

enp3s0 LAN Static 10.0.0.142

MAC Address 0c:c4:7a:33:07:8a
Vendor Intel Corporation
Device 82574L Gigabit Network Connection
Bus PCI
Link Yes
Speed 1000 Mb/s
Interface enp3s0
Role LAN
Connection Type Static
IP Address 10.0.0.142
Netmask 255.255.255.0
DHCP ENABLED


The strange thing is that the MAC address in the arpwatch alert email could be anything:
• the 2 server NIC MAC addresses
• 2 other pieces of equipment's MAC addresses
In the example it is my ISP router's MAC address and my laptop, and then my ISP router and my PC.

I need my network to work with or without the ClearOS server on. I do not use the firewall feature of ClearOS.

Any idea of the reason for that?
Tuesday, June 04 2019, 07:47 AM
Responses (10)
  • Accepted Answer

    Tuesday, June 04 2019, 01:51 PM - #Permalink
    Resolved
    0 votes
    Thanks I'll think of that...
  • Accepted Answer

    Tuesday, June 04 2019, 01:00 PM - #Permalink
    Resolved
    0 votes
    Unless you are forwarding everything from your router or putting ClearOS in a DMZ those ports will be safe to open to the ClearOS WAN. If you just do a selective port forward from your router, ClearOS can run in Standalone - No Firewall mode.
  • Accepted Answer

    Tuesday, June 04 2019, 12:37 PM - #Permalink
    Resolved
    0 votes
    No, I mean that the service is open only on the LAN IP and not on the External IP, like SSH or FTP.
  • Accepted Answer

    Tuesday, June 04 2019, 11:13 AM - #Permalink
    Resolved
    0 votes
    Which services are not available in standalone mode especially "Standalone - no firewall"? I have seen some checking in different places to see if ClearOS was in gateway or standalone mode and it would then adjust its settings, but I can't remember offhand which apps that applied to.
  • Accepted Answer

    Tuesday, June 04 2019, 11:08 AM - #Permalink
    Resolved
    0 votes
    Is there a reason you can't just use one NIC and put ClearOS in standalone mode?

    Not all services are available from the external IP. Some are exclusively accessible from the LAN IP.
    With one IP I can no longer do that.

    If ClearOS goes down, how does your LAN continue to run without DNS/DHCP?

    I need to connect to the ISP router to enable DHCP that uses the router's DNS.
    I need ClearOS DNS in order to assign logical names to my LAN equipment (something I can't do with the ISP's router).

    if you don't have a DHCP server, how will dynamically configured devices work when powered on and trying to obtain a DHCP lease.

    The DHCP server is run by ClearOS. When ClearOS is down, I need to activate the ISP router's DHCP.
  • Accepted Answer

    Tuesday, June 04 2019, 10:26 AM - #Permalink
    Resolved
    0 votes
    This could be the cause of your flip/flop as you have a routing loop and the packets will appear on both interfaces. Is there a reason you can't just use one NIC and put ClearOS in standalone mode? It can still run DNS and DHCP. If ClearOS goes down, how does your LAN continue to run without DNS/DHCP? I can see that statically configured devices can keep going as long as they have an alternative DNS configuration which allows other DNS servers as well as or in place of ClearOS, but if you don't have a DHCP server, how will dynamically configured devices work when powered on and trying to obtain a DHCP lease?
  • Accepted Answer

    Tuesday, June 04 2019, 10:15 AM - #Permalink
    Resolved
    0 votes
    Your WAN subnet is part of your LAN subnet?

    Yes, they overlap:
    External
    IP Address 10.0.0.137
    Netmask 255.255.255.252
    Gateway 10.0.0.138


    LAN
    IP Address 10.0.0.142
    Netmask 255.255.255.0


    As my LAN should work with or without Clear OS I need to be able to access 10.0.0.138.
    I need ClearOS DNS and DHCP as my ISP's router doesn't have all required features...
  • Accepted Answer

    Tuesday, June 04 2019, 09:59 AM - #Permalink
    Resolved
    0 votes
    Looking at your first post, aren't your two NICs on the same subnet, or at least isn't your WAN subnet part of your LAN subnet? This is not the normal configuration, where the subnets should be different and non-overlapping.
  • Accepted Answer

    Tuesday, June 04 2019, 09:28 AM - #Permalink
    Resolved
    0 votes
    [root@home ~]# ps aux | grep arpwatch | grep -v grep
    arpwatch 9286 0.0 0.0 11880 3664 ? S Jun03 0:24 /usr/sbin/arpwatch -u arpwatch -N -e root -s root (Arpwatch) -i enp3s0 -f /var/lib/arpwatch/arp_enp3s0.dat
    arpwatch 9296 0.0 0.0 11880 3660 ? S Jun03 0:22 /usr/sbin/arpwatch -u arpwatch -N -e root -s root (Arpwatch) -i enp4s0 -f /var/lib/arpwatch/arp_enp4s0.dat


    The .dat files contain such lines:
    f0:82:61:86:25:5c 0.0.0.0 1559640996
    d8:cb:8a:cb:1a:6f 0.0.0.0 1559631290
    34:f3:9a:d6:74:5f 0.0.0.0 1559631240
    00:26:73:b1:f6:86 0.0.0.0 1559578660


    And
    0c:c4:7a:33:07:8b 10.0.0.137 1559640995 home
    0c:c4:7a:33:07:8a 10.0.0.137 1558460905 home
    0c:c4:7a:33:07:8a 10.0.0.142 1559624903 home
    0c:c4:7a:33:07:8b 10.0.0.142 1558688376 home


    which might be the reason for arpwatch's confusion...

    Receiving this arpwatch message is not an issue.
    The reason I receive it is what I'm looking for.
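As an added example (not from the thread and not ClearOS or arpwatch code), a small Python checker that parses arpwatch .dat lines like those quoted above, reports every IP that has been recorded behind more than one MAC (the flip-flop condition), and confirms that the WAN /30 sits inside the LAN /24. The sample lines are constructed from the post; the function names are my own.

```python
import ipaddress
from collections import defaultdict

# Constructed sample built from the .dat lines quoted in the thread.
# arpwatch .dat format: MAC<TAB>IP<TAB>last-seen-epoch[<TAB>hostname]
ARP_DAT = """\
f0:82:61:86:25:5c\t0.0.0.0\t1559640996
34:f3:9a:d6:74:5f\t0.0.0.0\t1559631240
0c:c4:7a:33:07:8b\t10.0.0.137\t1559640995\thome
0c:c4:7a:33:07:8a\t10.0.0.137\t1558460905\thome
0c:c4:7a:33:07:8a\t10.0.0.142\t1559624903\thome
0c:c4:7a:33:07:8b\t10.0.0.142\t1558688376\thome
"""

def parse_arp_dat(text):
    """Yield (mac, ip, epoch, hostname) for each well-formed .dat line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # blank or truncated line; skip rather than guess
        mac, ip, epoch = fields[0].lower(), fields[1], int(fields[2])
        host = fields[3] if len(fields) > 3 else ""
        yield mac, ip, epoch, host

def flipflop_candidates(text):
    """Return {ip: sorted MAC list} for every IP seen behind >1 MAC.
    0.0.0.0 entries are skipped: ARP probes from hosts that do not yet
    have an address carry sender IP 0.0.0.0, so that "IP" legitimately
    belongs to many MACs and is noise, not an address conflict."""
    seen = defaultdict(set)
    for mac, ip, _, _ in parse_arp_dat(text):
        if ip == "0.0.0.0":
            continue
        seen[ip].add(mac)
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}

def subnets_overlap(a, b):
    """True if two interface networks share address space, e.g. a WAN
    /30 carved out of the LAN /24 as in the thread (host bits allowed)."""
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    return na.overlaps(nb)

if __name__ == "__main__":
    for ip, macs in flipflop_candidates(ARP_DAT).items():
        print(f"{ip} seen behind {len(macs)} MACs: {', '.join(macs)}")
    print("WAN/LAN overlap:", subnets_overlap("10.0.0.137/30", "10.0.0.142/24"))
```

Run against the real files (/var/lib/arpwatch/arp_enp3s0.dat and arp_enp4s0.dat) it shows at once that both server NICs have claimed both addresses, which is what the overlapping subnets produce and what arpwatch then reports as a flip-flop.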
  • Accepted Answer

    Tuesday, June 04 2019, 08:20 AM - #Permalink
    Resolved
    0 votes
    To be honest I don't particularly see the point of arpwatch. It is used by the Network Map app, but I have no idea beyond that. Out of curiosity, what is the result of:
    ps aux | grep arpwatch | grep -v grep
    It should only be watching the LAN interfaces.

    To stop the e-mail messages you can edit /etc/sysconfig/arpwatch and change:
    -e root -s 'root (Arpwatch)'
    to
    -e -


    To restart arpwatch you need to do it for each interface you see from the "ps aux" command with something like:
    systemctl restart arpwatch@LAN_interface1
    systemctl restart arpwatch@LAN_interface2
    etc