General Questions

Hi!

I'm getting this message with 4 minutes intervals..

Apr 10 21:00:13 /kernel: arplookup 1.1.1.1 failed: host is not on local network
Apr 10 20:56:13 /kernel: arplookup 1.1.1.1 failed: host is not on local network
Apr 10 20:52:13 /kernel: arplookup 1.1.1.1 failed: host is not on local network
Apr 10 20:48:13 /kernel: arplookup 1.1.1.1 failed: host is not on local network

I'm using 2 interfaces with this box, LAN is 192.168.0.1 net and static ip on the wan side. I'm using the dhcp server in m0n0wall and a few inbound NAT rules.. but what does the above actually mean?

I'm lost

Regards, Lars

is it really showing 1.1.1.1 or are you obfuscating that IP? Either way, do you have that address anywhere on your network, or is it an IP owned by your ISP?

is it really showing 1.1.1.1 or are you obfuscating that IP? Either way, do you have that address anywhere on your network, or is it an IP owned by your ISP?

Yes it shows 1.1.1.1 and I don't use that address. I don't know if my  ISP is using it though..

/L

It's likely some box, or somebody on your ISP's network doing something stupid. I wouldn't worry about it.

It's likely some box, or somebody on your ISP's network doing something stupid. I wouldn't worry about it.

Ok, but is there an easy way to be certain that it is on the WAN side something stupid is happening..
I do have a number of servers/workstations behind so there might be some misconfigured host on the lan as well... It would be "fun" to know who to blame

/L

I was going to add how to figure out where it's coming from, but figured I'd be wasting my time.

You should be able to tcpdump for ARP traffic on both the inside and the outside, and find the offender. If you need more details, reply back.

I was going to add how to figure out where it's coming from, but figured I'd be wasting my time.

You should be able to tcpdump for ARP traffic on both the inside and the outside, and find the offender. If you need more details, reply back.

Is it possible to do that from m0n0 or do I have to either setup another unix box or ethereal for windows to scan?

/L

You'll have to do it from a dedicated box. I keep a FreeBSD box with a bunch of interfaces handy for stuff like this. You shouldn't need a SPAN port or a hub in this case, since ARP traffic will reach every port on most all switches. If you have enterprise class switches with tight security configuration that might not be the case, but it's true for most networks.

If using tcpdump, I would filter for ARP only by running it like this:
tcpdump -i em0 arp

replacing em0 with whatever interface you want to use.

I think that should get you the traffic you're after, though I could be wrong since I'm not 100% sure exactly what traffic you're after. If that doesn't come up with anything, you may try replacing 'arp' with 'src or dst 1.1.1.1' to see if that IP is communicating anywhere - for this one, though, you'll need a SPAN port or a hub.

Ok, I'm going to do some testing tomorrow and post the results here. Thanks for the help so far!
At least I got an excuse to install the latest ethereal on my laptop now

Yeah, I know.. since I've been a fan of FreeBSD for a long time I should have a "box" handy with freebsd

/L

Strange this do happen... Reinstalled m0n0wall and set up a sniffer.. did a reboot of my dsl modem... and.. then the problem disappeared...? what are the odds

Must have been some arp cache on my ISP that went nuts and someone flushed it..

/L