https://knightoftheinter.net/blog/{20181023,pfsense-arpwatch}{,.xhtml,.odt}
There are many things that make a good LAN. One of the more important is that someone attentive manages it. To be attentive, you need to know what is on it, and you need to be notified about new connections and disconnections. One of the last things you want is for your roommate to connect their malware-laden Android phone and let it infest other devices you had hoped were safer behind your firewall. A perimeter firewall does nothing about traffic between two hosts on the same LAN segment; once the phone is inside, only the hosts themselves stand between it and everything else.
I heartily recommend pfSense as your firewall, by the way.
pfSense offers several add-on packages. One of them is arpwatch. It watches selected firewall interfaces for ARP traffic, keeps a database of IPv4-to-MAC pairings, and emails you when it sees a new station, an IP whose MAC has changed, or an address that flip-flops between two MACs. At minimum it gives you a separate record (in the form of a dedicated inbox) of which devices hold which addresses. It is also handy to be told when someone connects a new device without asking first. Two caveats: arpwatch only sees ARP on the broadcast domains the selected interfaces sit on, so it has to run on the LAN-facing interfaces, not the WAN; and it watches ARP only, so IPv6 hosts that never speak IPv4 (Neighbor Discovery, not ARP) are invisible to it.
And since it sends email, you can write your own scripts to consume those notifications. As a developer or administrator, what might you do with a list of every MAC address that has ever shown up on your network? Automatic defenses, perhaps?
What if you have some asshole who decides to root their device and spam garbage on the network, such as ARP replies carrying forged IP and MAC pairs? At minimum you end up with junk in your inbox, one notification for every fake station that was spotted, and that causes its own problems. Worse, the flood can hide more nefarious things happening while the spam runs, or later, once the inbox is full and rejects new messages. Bear in mind too that a MAC address is trivially changed, so arpwatch can tell you that something new appeared, but it cannot prove who it is.
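Here is the kind of script the two paragraphs above are asking for, as an added example rather than code from this post or from arpwatch: it parses arpwatch-style notification emails, drops stations whose MAC is on an allowlist, collapses a flood of unknown "new station" reports into one alert so the inbox survives, and always surfaces a "changed ethernet address" report (a known IP, such as the gateway, moving to a new MAC is what ARP spoofing looks like). The message bodies are constructed in the layout arpwatch's reports use; the hostnames, addresses, allowlist and thresholds are made up for illustration.

```python
"""Triage arpwatch notification e-mails against an allowlist of known MACs
and collapse floods of "new station" reports into a single alert.

Added example, not code from the post or from arpwatch itself.  The message
bodies below are constructed in the shape arpwatch's notifications take;
hosts, addresses and alert thresholds are all made up for illustration.
"""
import re
from datetime import datetime, timedelta

# One "key: value" line of an arpwatch report body (keys are lowercase words).
FIELD_RE = re.compile(r"^\s*([a-z ]+?):\s*(.*?)\s*$", re.M)
SUBJECT_RE = re.compile(r"^Subject:\s*(.+?)\s*\(", re.M)
# arpwatch prints timestamps in strftime "%A, %B %d, %Y %H:%M:%S %z" form.
TS_FMT = "%A, %B %d, %Y %H:%M:%S %z"


def normalize_mac(mac):
    """arpwatch omits leading zeros (8:0:20:1:2:3); pad so comparisons work."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def parse_notification(msg):
    """Extract kind, hostname, ip, mac, old_mac and timestamp from one e-mail."""
    fields = {k.strip(): v for k, v in FIELD_RE.findall(msg)}
    event = {
        "kind": SUBJECT_RE.search(msg).group(1),  # e.g. "new station"
        "hostname": fields.get("hostname", "?"),
        "ip": fields["ip address"],
        "mac": normalize_mac(fields["ethernet address"]),
        "old_mac": None,
        "timestamp": datetime.strptime(fields["timestamp"], TS_FMT),
    }
    if "old ethernet address" in fields:
        event["old_mac"] = normalize_mac(fields["old ethernet address"])
    return event


def triage(messages, allowlist, burst_threshold=3, burst_window=timedelta(minutes=2)):
    """Return alerts sorted by time.

    - a "new station" whose MAC is allowlisted is dropped silently;
    - burst_threshold or more unknown new stations inside burst_window are
      reported once as a "burst" (likely forged ARP, not real devices);
    - every "changed ethernet address" is reported, since a known IP moving
      to a new MAC is what spoofing of a gateway looks like.
    """
    allow = {normalize_mac(m) for m in allowlist}
    events = sorted((parse_notification(m) for m in messages), key=lambda e: e["timestamp"])
    alerts = []
    unknown = [e for e in events if e["kind"] == "new station" and e["mac"] not in allow]
    i = 0
    while i < len(unknown):
        j = i  # extend the group while events stay inside the window
        while j + 1 < len(unknown) and unknown[j + 1]["timestamp"] - unknown[i]["timestamp"] <= burst_window:
            j += 1
        group = unknown[i:j + 1]
        if len(group) >= burst_threshold:
            alerts.append({"type": "burst", "timestamp": group[0]["timestamp"],
                           "count": len(group), "ips": [e["ip"] for e in group]})
        else:
            alerts.extend({"type": "new-station", **e} for e in group)
        i = j + 1
    alerts.extend({"type": "mac-changed", **e} for e in events if e["kind"] == "changed ethernet address")
    alerts.sort(key=lambda a: a["timestamp"])
    return alerts


def _report(kind, host, ip, mac, ts, old_mac=None):
    """Build a constructed notification in arpwatch's report layout (sample data)."""
    lines = [f"Subject: {kind} ({host})", "",
             f"            hostname: {host}",
             f"          ip address: {ip}",
             f"    ethernet address: {mac}",
             "     ethernet vendor: <unknown>"]
    if old_mac:
        lines.append(f"old ethernet address: {old_mac}")
    lines.append(f"           timestamp: {ts}")
    return "\n".join(lines) + "\n"


# Constructed samples: one real newcomer, one allowlisted laptop, a four-message
# flood of fake stations within seconds, and the gateway IP changing MAC.
SAMPLE_MESSAGES = [
    _report("new station", "phone-01", "192.168.1.23", "aa:bb:cc:0:0:1",
            "Tuesday, October 23, 2018 09:00:00 +0000"),
    _report("new station", "laptop", "192.168.1.40", "00:11:22:33:44:55",
            "Tuesday, October 23, 2018 09:05:00 +0000"),
    *[_report("new station", "<unknown>", f"192.168.1.{200 + n}", f"02:00:00:00:00:{n:02x}",
              f"Tuesday, October 23, 2018 09:30:0{n} +0000") for n in range(4)],
    _report("changed ethernet address", "gateway", "192.168.1.1", "de:ad:be:ef:0:2",
            "Tuesday, October 23, 2018 10:15:00 +0000", old_mac="de:ad:be:ef:0:1"),
]
ALLOWLIST = {"00:11:22:33:44:55"}  # hypothetical known-good device

if __name__ == "__main__":
    for alert in triage(SAMPLE_MESSAGES, ALLOWLIST):
        print(alert["timestamp"].isoformat(), alert["type"],
              alert.get("ips") or f"{alert['ip']} {alert['old_mac'] or ''}->{alert['mac']}")
```

In practice you would feed this from a mailbox poller or from arpwatch's own arp.dat, and the interesting design point is the separation: the allowlist decides what is boring, the burst window decides what is noise, and a MAC change on an address you care about is never suppressed by either.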
I imagine the answer lies in VLANs (802.1q) and authentication (802.1x). I’m not 100% sure though. So that’s what I’ll look at next-ish.
Cheers,
inetknght
blogspam@knightoftheinter.net