Recurring Security Message

[adrianwi]

I keep getting a security e-mail from my FreeNAS box that looks like the MAC address on one of my MacBook's is changing, but it's only connecting via WiFi and only has one Airport card in it so I'm not sure how it can be?

Output looks like this, so any ideas?

freenas.local kernel log messages:

arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b
arp: 192.168.168.52 moved from 90:72:40:03:5d:5b to 10:9a:dd:a7:73:62 on bge0
arp: 192.168.168.52 moved from 90:72:40:03:5d:5b to 10:9a:dd:a7:73:62 on epair1b
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on bge0
arp: 192.168.168.52 moved from 10:9a:dd:a7:73:62 to 90:72:40:03:5d:5b on epair1b​

 

[Michael Wulff Nielsen]

You don't by accident have another 192.168.168.52 on your network? Seems like your box is confused about which mac address to use for that particular ip.

 

[rm-r]

could be one of your plugins - make sure you set the IP range to the high end - eg i have 192.168.2.x for my lan - i tell the plugins to start at 192.168.2.200 so they are away from the other dhcp allocations

 

[rm-r]

are those 2 mac addresses - one is the freenas box and another the plex / owncloud plugin? epairs are normally associated with a plugin

 

[fracai]

I saw this behavior on my system as well and determined that it is a feature of the Apple products on my network. If you check the MAC addresses that are listed, they're probably your MacBook (as you state) and an AppleTV or Airport.

Basically, when the MacBook sleeps, the other device takes over as a proxy for Bonjour messages. If the proxy gets a message meant for the sleeping device, it can send a magic packet to the sleeper and then drop the proxy. Here's a thread on ArsTechnica and a Wikipedia article. And here's a FreeBSD thread that details how you can set a sysctl to disable the message.

Code:

net.link.ether.inet.log_arp_movements=0

 

[fracai]

Then again, it's also possible that you have a duplicated IP somewhere. I note that the MAC starting with 10 is an Apple product, but the other MAC is unknown (probably a jail?).

 

[adrianwi]

Thanks for all the suggestions. Did some further investigation and no devices using the same IP address (all internal devices are assigned a fixed IP in a given range, and no clashes with plugins that are fixed but in a different range)

I've identified the MAC addresses as one of my MacBooks (10) which is assigned a fixed IP address of 192.168.168.52 and my Airport Extreme (90) which is actually the device assigning the DHCP IP address!

I'll have a look at the links above and try to disable the message, but don't want to loose any genuine security alerts.

Thanks!

 

[Buzz]

I'm experiencing the same thing with my system. My logs show the same message as the OP's, but the MAC addresses are for my wife's iMac (WiFi) and my Airport Extreme (WiFi). The messages occur at seemingly random times, even when the iMac is asleep. My Airport doesn't handle DHCP; it's in bridge mode. I can't imagine why FreeNAS cares to log it but I haven't had any trouble. The message is just annoying, and I'd like to know how to suppress it.

 

[rm-r]

there is a "zerconf" setting that uses the bonjour service so perhaps its keeping an eye on that...

 

[fracai]

The message is just annoying, and I'd like to know how to suppress it.

Create a sysctl like:

Code:

net.link.ether.inet.log_arp_movements=0

 

[Buzz]

I also wondered if the Airport Extreme's dual-band operation has something to do with the messages; It's used as our primary WiFi hotspot and we have both 2.4GHz and 5GHz WiFi operating simultaneously to service a variety of wireless devices in various areas of the house. I've seen devices shift from one radio to the other, and back as conditions change, and my wife's iMac is set to use either.

Thanks for the sysctl info! I want to try limiting the iMac to a single WiFi first. If that stops the messages, then I'll know that was the source. If not, I'll try adding the sysctl.

 

[fracai]

I doubt the wifi has anything to do with it. There's still only one MAC for the two bands.

I also have a similar setup and still saw the message when the Macs were set to only use the 5Ghz band.

 

[xaibex]

I got this from accidentally unchecking "v-image" under jails.

Then the physical interface switches between the physical IP an the Jails IP when rebooting, starting or stopping the nas or the jail.