> On 2018-09-07, Jay Hart <[email protected]> wrote:
>> I'm now running my new router. Internal network is 192.168 based. I have two
>> interfaces on my router, one external, one internal. Motherboard is a MITAC
>> PDP11BICC using Realtek NICs. I'm seeing a lot of messages in the log file
>> regarding duplicate IP Addresses, specifically I'm seeing:
>>
>> /bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
>>
>> This translates to a Verizon MAC. My FIOS ONT is definitely Verizon. What I'm
>> struggling with is what exactly is causing this message, and how to
>> stop/resolve it. When I run 'arp -a' either internally from another box, or on
>> the router itself, I'm not seeing this MAC.
>>
>> Hoping the list can provide some additional troubleshooting ideas. Can this
>> be some sort of spoof attempt???
>>
>> Thanks,
>> Jay
>
> Run "tcpdump -ne -i $interface ether host 20:c0:47:dc:27:dd" on the internal
> and external interfaces, you should at least see which interface this is being
> sent on, and might get some other clues as to what it is.
>
> If you have a managed switch, you may be able to see which port it's coming
> from. "ifconfig -A" from your router would give us a clearer picture of the
> configuration.

I have five items below...

#1:
For the first time I managed to capture this MAC address, I got it from an
internal machine. From the captured behavior it seems that my gateway is
getting cycled back and forth between two NICs. The commands were issued like
two minutes apart...
[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
[xx]$ arp -a
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
? (192.168.1.29) at 00:80:77:e6:70:8e [ether] on enp2s0
enp2s0 is the only interface on this machine and its gateway is 192.168.1.1,
connected through a switch. The "correct" MAC for 192.168.1.1 (internal NIC on
the router) SHOULD be 00:22:4d:d1:48:d5

#2:
-----ifconfig -A from the router------------------
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 32768
	index 4 priority 0 llprio 3
	groups: lo
	inet6 ::1 prefixlen 128
	inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
	inet 127.0.0.1 netmask 0xff000000
re0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1476
	lladdr 00:22:4d:d1:48:d4
	index 1 priority 0 llprio 3
	groups: egress
	media: Ethernet autoselect (1000baseT full-duplex)
	status: active
	inet 71.163.34.30 netmask 0xffffff00 broadcast 71.163.34.255
re1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	lladdr 00:22:4d:d1:48:d5
	index 2 priority 0 llprio 3
	media: Ethernet autoselect (100baseTX full-duplex)
	status: active
	inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
enc0: flags=0<>
	index 3 priority 0 llprio 3
	groups: enc
	status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
	index 5 priority 0 llprio 3
	groups: pflog

#3:
I'm attaching my pf.conf file. Maybe I messed something up, or you guys spot an
issue. I'm also having issues with FTP-proxy, but that issue is for another
thread.
[xx]$ more pf.conf
# $OpenBSD: pf.conf,v 1.54 2014/08/23 05:49:42 deraadt Exp $
#
# See pf.conf(5) and /etc/examples/pf.conf
int_if = "re1"
ext_if = "re0"
www_ad = "192.168.1.41"
proxy = "127.0.0.1"
icmp_types = "{ echoreq, unreach }"
table <martians> {127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8}
set block-policy drop
set loginterface egress
set skip on lo0
#Protection
antispoof quick for { lo $int_if }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
#filter rules and anchor for ftp-proxy
anchor "ftp-proxy/*"
#rule needed to redirect ftp connection for ftp-proxy
pass log in quick proto tcp to port ftp rdr-to $proxy port 8021
#match rules
match out on egress inet from !(egress) to any nat-to (egress:0)
block in log
pass out quick
#next rule passes http-https traffic to the web/email server
pass in on egress inet proto tcp from any to (egress) port {80 443} rdr-to $www_ad synproxy state
#traceroute rule (for IPv4)
pass out on egress inet proto udp to port 33433 >< 33626 keep state
#next rule redirects smtp traffic to the email server
pass in on egress inet proto tcp from any to (egress) port 25 rdr-to $www_ad
#pass in certain types of ICMP traffic
pass in inet proto icmp all icmp-type $icmp_types
#pass traffic on internal network
pass in on $int_if
# By default, do not permit remote connections to X11
#block return in on ! lo0 proto tcp to port 6000:6010
---end pf.conf-----------------
#4:
tcpdump: I saw two packets from the re1 (internal INT) interface running the
command you suggested above. How can I capture that to a file I can copy/paste
into an email?

#5:
/etc/mygate file
I had this as 192.168.1.1, but since I use 'dhcp' to get an address from
Verizon, I commented out the line. Could this be a potential source of the
problem? Should I reboot the box to see?
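
The gateway entry that alternates between two MACs in item #1, and the kernel's duplicate-address message, can be checked mechanically. As an added example (not part of the original message), this Python script parses Linux `arp -a` entries and OpenBSD `duplicate IP address` log lines and reports any MAC other than the expected one claiming a monitored IP; the function names and the `EXPECTED` map are assumptions, and the sample text is assembled from the outputs quoted above.

```python
import re
from collections import defaultdict

MAC = r"((?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
IP = r"(\d{1,3}(?:\.\d{1,3}){3})"
# Linux `arp -a` entry: "_gateway (192.168.1.1) at 20:c0:... [ether] on enp2s0"
ARP_RE = re.compile(r"\(" + IP + r"\) at " + MAC, re.I)
# OpenBSD kernel message: "duplicate IP address <ip> sent from ethernet <mac>"
DUP_RE = re.compile(r"duplicate IP address " + IP + r" sent from ethernet " + MAC, re.I)

# Assumption: the one MAC that should answer for each monitored IP.
EXPECTED = {"192.168.1.1": "00:22:4d:d1:48:d5"}

# Sample input assembled from the outputs quoted in the thread.
SAMPLE = """\
/bsd: duplicate IP address 192.168.1.1 sent from ethernet 20:c0:47:dc:27:dd
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
_gateway (192.168.1.1) at 00:22:4d:d1:48:d5 [ether] on enp2s0
? (192.168.1.41) at 00:30:18:a5:a1:bd [ether] on enp2s0
_gateway (192.168.1.1) at 20:c0:47:dc:27:dd [ether] on enp2s0
"""

def observations(text):
    """Return (ip, mac) pairs in the order they appear in the text."""
    pairs = []
    for line in text.splitlines():
        m = DUP_RE.search(line) or ARP_RE.search(line)
        if m:
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def unexpected_claims(text, expected):
    """Map each monitored IP to the MACs, other than the expected one, seen claiming it."""
    rogue = defaultdict(list)
    for ip, mac in observations(text):
        want = expected.get(ip)
        if want and mac != want.lower() and mac not in rogue[ip]:
            rogue[ip].append(mac)
    return dict(rogue)

def flap_count(text, ip):
    """Count how often successive observations of `ip` switch to a different MAC."""
    macs = [m for i, m in observations(text) if i == ip]
    return sum(1 for a, b in zip(macs, macs[1:]) if a != b)

if __name__ == "__main__":
    for ip, macs in unexpected_claims(SAMPLE, EXPECTED).items():
        print(f"{ip}: expected {EXPECTED[ip]}, also claimed by {', '.join(macs)} "
              f"({flap_count(SAMPLE, ip)} changes)")
```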