ARP moved messages in FreeNAS/pfSense explained

kernel: arp: x.x.x.x moved from xx:xx:xx:xx:xx:xx to xx:xx:xx:xx:xx:xx on em0

Ever since adding a pfSense router and a FreeNAS box to my network, I noticed quite a few ARP moved messages in my system logs, and I finally found out what causes them.

TL;DR: Nothing to worry about.

Long(ish) version

First, a little background. ARP messages are exchanged on Ethernet networks (even wireless ones) to keep track of which physical (MAC) address each IP address belongs to. So, especially if you have static IP addresses or static leases in your DHCP server, you shouldn’t be seeing messages like these, which indicate that a given address is now assigned to a different device, hence the change of MAC address.

I had noticed a couple of interesting things about these MAC addresses: they all belong to Apple devices (you can check by entering the first three 2-character blocks in a lookup service), and one of them always belonged to a Mac. The other one belonged to an AirPort base station (either an Extreme or an Express), which initially made me worry that somehow my Wi-Fi network was breached and somebody was connecting to it and stealing an IP. Actually it didn’t make much sense, unless the AirPort itself was hacked and used as a sort of relay.

After some googling, I came to this post on the FreeNAS forums where they explained that this behavior is due to a feature of AirPort base stations called sleep proxy.

Basically, when a Mac goes to sleep, its Bonjour-advertised services would disappear, making it no longer visible on the network. AirPort base stations understand Bonjour, and they get notified when a Mac goes to sleep, so they start broadcasting the Mac’s services (file sharing, screen sharing, SSH, etc.) and “grab” its IP. This way, when somebody tries to access one of these services, either because they already knew the sleeping Mac’s IP or because they discovered it through Bonjour, the AirPort wakes the Mac by some kind of WOL technology, maybe a simple magic packet. When the Mac comes out of sleep, it takes its IP back, thus generating a second, opposite entry in pfSense’s/FreeBSD’s system log.
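To check that every "moved" message in a log really is a known pair of devices swapping an address (such as a Mac and its AirPort sleep proxy), the messages can be parsed and compared against an inventory. The script below is an added example, not part of the original post; the KNOWN inventory, the function names and the sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Shape of the FreeBSD kernel message quoted at the top of the post.
ARP_MOVED = re.compile(
    r"arp: (?P<ip>[\d.]+) moved from (?P<old>" + MAC + r") to (?P<new>"
    + MAC + r") on (?P<iface>\S+)",
    re.IGNORECASE,
)

# Constructed inventory: the MACs expected to answer for each IP, e.g. a Mac
# plus the AirPort that proxies for it while it sleeps.
KNOWN = {
    "192.0.2.10": {"00:00:5e:00:53:01", "00:00:5e:00:53:02"},
    "192.0.2.20": {"00:00:5e:00:53:03"},
}

# Constructed sample log lines (documentation IP and MAC ranges).
SAMPLE_LOG = """\
Jan  5 01:02:03 fw kernel: arp: 192.0.2.10 moved from 00:00:5e:00:53:01 to 00:00:5e:00:53:02 on em0
Jan  5 07:30:11 fw kernel: arp: 192.0.2.10 moved from 00:00:5e:00:53:02 to 00:00:5e:00:53:01 on em0
Jan  5 09:15:42 fw kernel: arp: 192.0.2.20 moved from 00:00:5e:00:53:03 to 00:00:5e:00:53:99 on em0
Jan  5 09:16:00 fw sshd[812]: Accepted publickey for admin from 192.0.2.10
""".splitlines()

def triage(lines, known):
    """Per IP: number of moves, every MAC seen, and MACs not in the inventory."""
    report = defaultdict(lambda: {"moves": 0, "macs": set(), "unknown": set()})
    for line in lines:
        m = ARP_MOVED.search(line)
        if not m:
            continue  # not an "arp: ... moved" message
        macs = {m["old"].lower(), m["new"].lower()}
        entry = report[m["ip"]]
        entry["moves"] += 1
        entry["macs"] |= macs
        entry["unknown"] |= macs - known.get(m["ip"], set())
    return dict(report)

def needs_review(report):
    """IPs whose address was claimed by at least one MAC outside the inventory."""
    return sorted(ip for ip, e in report.items() if e["unknown"])

if __name__ == "__main__":
    rep = triage(SAMPLE_LOG, KNOWN)
    for ip, e in sorted(rep.items()):
        status = "REVIEW" if e["unknown"] else "expected"
        print(ip, e["moves"], "moves", status, sorted(e["unknown"]))
```

An IP that only ever flips between its inventoried MACs matches the sleep-proxy pattern described above; any other MAC claiming the address is the case worth looking at.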

3 thoughts on “ARP moved messages in FreeNAS/pfSense explained”

  1. I have these messages as well but have been able to figure out what causes them. Unfortunately your explanation does not apply to my setup since I do not have any Apple devices on my network.

    I get messages like these:
    arp: 10.0.0.23 moved from 02:ff:20:00:0a:0a to 1c:98:ec:0e:c7:70 on epair5b
    arp: 10.0.0.23 moved from 02:ff:20:00:09:0a to 1c:98:ec:0e:c7:70 on epair4b
    arp: 10.0.0.23 moved from 1c:98:ec:0e:c7:70 to 02:ff:20:00:0a:0a on epair5b
    arp: 10.0.0.23 moved from 02:ff:20:00:0a:0a to 1c:98:ec:0e:c7:70 on epair5b
    arp: 10.0.0.23 moved from 1c:98:ec:0e:c7:70 to 02:ff:20:00:08:0a on epair3b
    arp: 10.0.0.23 moved from 02:ff:20:00:0a:0a to 1c:98:ec:0e:c7:70 on epair5b
    arp: 10.0.0.23 moved from 1c:98:ec:0e:c7:70 to 02:ff:20:00:0a:0a on epair5b
    arp: 10.0.0.23 moved from 02:ff:20:00:0a:0a to 1c:98:ec:0e:c7:70 on epair5b

    10.0.0.23 is the main IP of my FreeNAS server and 1c:98:ec:0e:c7:70 is the MAC of the hardware NIC. All devices on my network have static DHCP leases (including 10.0.0.23) and I have never had any problems accessing either the server or any of the jails. Not sure if this is a problem but it bugs me that I receive these log messages every day, and it is not related to rebooting the server or jails since I do not do that very often.

    • I suppressed the messages on my FreeNAS box by setting the net.link.ether.inet.log_arp_movements sysctl to 0
