ARP moved messages in FreeNAS/pfSense explained

kernel: arp: x.x.x.x moved from xx:xx:xx:xx:xx:xx to xx:xx:xx:xx:xx:xx on em0

Ever since adding a pfSense router and a FreeNAS box to my network, I noticed quite a few ARP moved messages in my system logs, and I finally found out what causes them.

TL;DR: Nothing to worry about.

Long(ish) version

First a little background. ARP messages are excahanged in ethernet networks (even wireless ones) in order to keep track to which physical (MAC) address each IP belongs to, so especially if you have static IP addresses or static leases in your DHCP server, you shouldn’t be seeing messages like these, which indicate that a given address is now assigned to a different device, hence the change of the MAC address.

I had noticed a couple interesting things about these MAC addresses: they all belong to Apple devices (you can check by entering the first three 2-character blocks in a lookup service), and one of tham always belonged to a Mac. The other one belonged to an AirPort base station (either an Extreme or an Express), which initially made me worry that somehow my Wi-Fi network was breached and somebody was connecting to it and stealing an IP. Actually it didn’t make much sense, unless the AirPort itself was hacked and used as a sort of relay.

After some googling, I came to this post on the FreeNAS forums where they explained that this behavior is due to a feature of AirPort base stations called sleep proxy.

Basically, when a Mac goes to sleep, its Bonjour-advertiesd services would disappear, making it no longer visibile on the network. AirPort base stations understand Bonjour, and they get notified when a Mac goes to sleep, so they start broadcasting the Mac’s services (file sharing, screen sharing, SSH, etc.) and “grab” its IP. This way, when somebody tries to access one of these services, either because they already knew the sleeping Mac’s IP or because they discovered it through Bonjour, the AirPort wakes the Mac by some kind of WOL technology, maybe a simple magic packet. When the Mac comes out from sleep, it takes its IP back, thus generating a second, opposite entry in pfSense’s/FreeBSD’s system log.

Connect to CrashPlan running in a FreeNAS jail using OS X

I’ve got CrashPlan running on my FreeNAS-based home server1, and it is going smoothly. It was kinda pain to get it working (java problems, CrashPlan upgrades, and stuff like that), but now it has been behaving itself for a few months.

I don't know why I feel i should make these images in every post. Sorry.

Still, every now and then I want to check on it to keep track of the upload progress, change a few settings and what not.
Since I also run CrashPlan on my Mac, it has always been a pain to reconfigure everything each time I wanted to control the instance running in the FreeNAS jail and then back to the Mac’s.
Also, a while back CrashPlan changed their daemon-GUI authentication scheme: previously you just had to connect to the proper port on the right IP, now it also needs a token that seems to change randomly. It looks like it changes whenever the backup service restarts, but I’m not really sure, as my Mac’s doesn’t seem to change nearly as often, and my Macs power cycles way more than my server, but that’s an argument for another day. Also, the port seems to be randomly changing as well, so don’t even get me started about that.

Anyway, I had to find a way to get the current token, put it in the proper CrashPlan GUI’s config file (which is /Library/Application Support/CrashPlan/.ui_info in OS X), launch the GUI, do my business, close it and the put everything back.

To accomplish that, the first thing you need to do is to enable SSHd in the jail: connect to your main FreeNAS, type jls to get a list of all the running jails, and take note of CrashPlan’s JID.

[[email protected]] ~# jls
   JID  IP Address      Hostname                      Path
     1  -               VBox                          /mnt/Archivio/jails/VBox
     2  -               couchpotato_1                 /mnt/Archivio/jails/couchpotato_1
     3  -               crashplan_2                   /mnt/Archivio/jails/crashplan_2
     4  -               plexmediaserver_1             /mnt/Archivio/jails/plexmediaserver_1
     6  -               sonarr_1                      /mnt/Archivio/jails/sonarr_1
     7  -               transmission_1                /mnt/Archivio/jails/transmission_1

As you can see, mine is 3. So let’s connect to the jail: jexec 3 csh (which means launch the csh shell on jail number 3).

Now you need to edit the jail’s /etc/rc.conf, in order to have the SSH server start with the jail. You can do so by adding the following line:

sshd_enable="YES"

(Or, if present and set to NO, just switch it to YES and save the file.)

Now just start the SSH server with service ssh start.

The next step is to add a user to the jail: we’ll be using this instead of root to connect to it. Run adduser and follow the instructions. In the rest of this post the user will be luca. Why? Well, because reasons2.

Now switch to the newly created user and create a .ssh directory in the home directory.

su luca
mkdir ~/.ssh

Now it’s a good time to copy the SSH public key of your Mac’s account, which you can find in ~/.ssh/id_rsa.pub. Copy it to the clipboard:

cat ~/.ssh/id_rsa.pub | bcopy

Back to the jail, paste it into the ~/.ssh/authorized_keys file:

echo "PASTE HERE YOUR PUBLIC KEY" >> ~/.ssh/authorized_keys

After all this hard work, we can finally test our setup. Open a new terminal window/tab and try to connect (you’ll find the jail’s IP address in the FreeNAS web UI).

ssh luca@192.168.1.78

Of course replace luca with your user and the IP with the correct one. If all worked as it should, you’ll be asked (for the first time only) to accept the server’s RSA fingerprint, and then you’ll be logged in without needing a password.

Now that we have a working SSH server, let’s get to the main part of all this madness. Here’s my script, crashplan_remote.sh.

First, adjust line 8 and 9 replacing the placeholder user and IP with the one you set earlier.

Make the script executable (chmod +x /path/to/crashplan_remote.sh) and put it somewhere in your PATH (may I suggest /usr/local/bin?).

Before launching the script, I feel I should explain what it does. First of all it makes a backup of your current local GUI settings (root privileges needed here), then it connects to the jail, retrives the current token and port to connect to the service, puts them in the .ui_info config file (again, root required), creates an SSH tunnel that is used to avoid having the CrashPlan service directly exposed to the network (by default it listens on 127.0.0.1 only). Once the tunnel is established, it launches the CrashPlan GUI, which will now communicate with the remote service. Once you close it, the tunnel will be closed as well and the local settings will be put back in place (root privileges required).

If you’ve read this far, you just have to launch crashplan_remote.sh and the script will take care of everything for you. It will even tell you what it is doing, here’s the output I get:

[luca @ MBP-Luca-eth in ~ ✅ ] $ crashplan_remote.sh
Password: (I entered my password here, required by sudo)
PORT: 4343
TOKEN: th1sC0d3-iZn0-tTh3-C0rR-3ct0N3Y0L0OO
.ui_info updated, creating SSH tunnel...
SSH tunnel established, launching CrashPlan Desktop
CrashPlan Desktop closed, terminating SSH tunnel...
Exit request sent.
Restoring local CrashPlan settings...
  1. Nothing fancy: a Pentium G2020, 8 GB of RAM and 4×4 TB WD Red’s in RAIDZ1. I know RAIDZ1/RAID–5 is dead, but thanks to ZFS I should only loose those files that happen to suffer from UREs, and the important stuff is backed up elsewhere. I only regret I didn’t go for 5×4 TB drives, it should have improved speeds.
  2. My name is Luca. My user is called luca.