Losing WAN every 15 minutes [SOLVED, ntopng Network Discovery...]

Started by iorx, August 11, 2024, 10:06:05 AM


Quote from: iorx on August 15, 2024, 11:54:55 AM
Yeah, I know there are some sceptical thoughts about the VM, Hyper-V, thingy here  :o :). But the problem was introduced recently. The ISP claims no changes on their side. And the change I've made is the upgrade to 24.7, and I had no problem like this before.

Not sure what you have configured there... Hyper-V has features like this:

Quote
ARP/ND Poisoning (spoofing) protection: Provides protection against a malicious VM using Address Resolution Protocol (ARP) spoofing to steal IP addresses from other VMs. Provides protection against attacks that can be launched for IPv6 using Neighbor Discovery (ND) spoofing.

https://learn.microsoft.com/en-us/windows-server/virtualization/hyper-v-virtual-switch/hyper-v-virtual-switch

Look at the Hyper-V switch logs, maybe there's something there. Also, any Windows update can break/change things.

Quote from: franco on August 15, 2024, 11:59:06 AM
Sure, DM or franco@opnsense.org


Thanks,
Franco

Mailed. Didn't figure out how to dm a file attachment.

Quote from: doktornotor on August 15, 2024, 12:08:02 PM
Look at the Hyper-V switch logs, maybe there's something there. Also, any Windows update can break/change things.

Logs, lots of information entries but nothing related to ARP or this as I can see. Looks good.

I've scrutinized the VM and VM host config thoroughly and can't see any problem with it. As I run multiple installations like this which work as they should, the config of the VM and VM host isn't my #1 suspect  :)

For what it's worth and reference, attached the vm-switch and vm-nic config here.

And want to give you both a BIG thank you for assisting me here. KUDOS!

Did you run a tcpdump on the WAN interface to watch if these ARP requests really reach your OPNsense and if they match your IP address etc?
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on August 15, 2024, 01:02:24 PM
Did you run a tcpdump on the WAN interface to watch if these ARP requests really reach your OPNsense and if they match your IP address etc?

I used the function within OPNsense and used the WAN, hn1 in my case, with promiscuous mode enabled. The filtered output is in the first post. The .220 is the static IP on the interface and .194 is the ISP gateway.
I hope I understand your question right here.

I don't see requests coming in from your ISP gateway - these would (if I understood the topology correctly) end in "Tell xxx.yyy.zzz.194". There aren't any.

So possibly they are not passing your Hyper-V infrastructure to arrive at OPNsense ...

HTH,
Patrick

Quote from: Patrick M. Hausen on August 15, 2024, 02:09:45 PM
I don't see requests coming in from your ISP gateway - these would (if I understood the topology correctly) end in "Tell xxx.yyy.zzz.194". There aren't any.

So possibly they are not passing your Hyper-V infrastructure to arrive at OPNsense ...

HTH,
Patrick

I captured new data.


442 18:30:00,848027 Nokia_04:10:01 Microsoft_01:99:01 ARP 60 Who has x.y.z.220? (ARP Probe)
443 18:30:00,848162 Microsoft_01:99:01 Nokia_04:10:01 ARP 42 x.y.z.220 is at 00:15:5d:01:99:01
445 18:30:00,854956 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.193? Tell x.y.z.220
446 18:30:00,855650 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.193 is at 00:00:5e:00:01:5a
447 18:30:00,856682 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.194? Tell x.y.z.220


Is it this we're looking for? Or should I see a timestamp and the MAC-address of the gateway .194 telling where stuff is?

At this capture I lost the connection exactly at 18:30:00.
Started it at 18:29:36, stopped 18:30:50.


442 18:30:00,848027 Nokia_04:10:01 Microsoft_01:99:01 ARP 60 Who has x.y.z.220? (ARP Probe)
443 18:30:00,848162 Microsoft_01:99:01 Nokia_04:10:01 ARP 42 x.y.z.220 is at 00:15:5d:01:99:01


That looks like someone asking for your WAN IP address, so far so good.

But according to your earlier ARP cache output:

? (xxx.yyy.zzz.220) at 00:15:5d:01:99:01 on hn1 permanent [ethernet]
? (xxx.yyy.zzz.194) at 00:00:5e:00:01:5a on hn1 expires in 122 seconds [ethernet]


Your ISP router should have 00:00:5e:00:01:5a, not Nokia_04:10:01. So that ARP request is coming from a different device.

The MAC address for your WAN interface seems to match.

Are you doing the packet capture in OPNsense? Can you do a packet capture on the Hyper-V host instead?

August 15, 2024, 08:09:13 PM #24 Last Edit: August 15, 2024, 08:47:39 PM by iorx
Tell me if this just confuses things or doesn't add anything to what we're trying to figure out here.
I saw your question about packet capture directly on the host, I'll try that.

I got a 24.1 up and running on .222 MAC .05. Purpose: to check if this runs without the drops.

It passed the magic 15 minutes with grace at 19:30. No drops there that I can see or notice.
And... so did .220 MAC .01 ... This doesn't compute for me. If I got .221 MAC .02, then Windows Server active, then the problem doesn't occur either. Now that I got a 24.1 up and active on .222 it looks like that also removes the problem.
I'm going to try to shut down .220 and leave 24.1 .222 alone on the connection to see what happens a little later.

From health/quality-table:

1174 Thu Aug 15 2024 19:29:00 GMT+0200 (Central European Summer Time) 0 0.0033447549139 0.0090265367696
1175 Thu Aug 15 2024 19:30:00 GMT+0200 (Central European Summer Time) 0 0.0032935987318 0.0083365416628
1176 Thu Aug 15 2024 19:31:00 GMT+0200 (Central European Summer Time) 0 0.0030030055 0.0070101717976


And a capture from it, from OPNsense.

65 19:29:16,733268 Nokia_04:10:01 Microsoft_01:99:05 ARP 60 Who has x.y.z.222? (ARP Probe)
66 19:29:16,733300 Microsoft_01:99:05 Nokia_04:10:01 ARP 42 x.y.z.222 is at 00:15:5d:01:99:05
158 19:30:00,921438 0.0.0.0 255.255.255.255 DHCP 300 DHCP Discover - Transaction ID 0x183bbe66
159 19:30:00,921602 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.193? Tell x.y.z.220
160 19:30:00,938709 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.194? Tell x.y.z.220
161 19:30:00,968540 98.128.185.1 255.255.255.255 DHCP 342 DHCP Offer    - Transaction ID 0x183bbe66
162 19:30:00,999219 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.195? Tell x.y.z.220
163 19:30:01,027739 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.196? Tell x.y.z.220
164 19:30:01,044457 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.197? Tell x.y.z.220
165 19:30:01,063539 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.198? Tell x.y.z.220
166 19:30:01,103015 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.199? Tell x.y.z.220
169 19:30:01,153908 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.200? Tell x.y.z.220
170 19:30:01,157526 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.201? Tell x.y.z.220
171 19:30:01,160328 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.202? Tell x.y.z.220
172 19:30:01,160337 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.203? Tell x.y.z.220
173 19:30:01,164485 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.204? Tell x.y.z.220
174 19:30:01,180454 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.205? Tell x.y.z.220
175 19:30:01,180863 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.206? Tell x.y.z.220
176 19:30:01,183609 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.207? Tell x.y.z.220
177 19:30:01,185303 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.208? Tell x.y.z.220
178 19:30:01,186712 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.209? Tell x.y.z.220
179 19:30:01,189308 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.210? Tell x.y.z.220
180 19:30:01,196864 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.211? Tell x.y.z.220
181 19:30:01,199604 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.212? Tell x.y.z.220
182 19:30:01,205890 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.213? Tell x.y.z.220
183 19:30:01,207915 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.214? Tell x.y.z.220
184 19:30:01,210309 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.215? Tell x.y.z.220
185 19:30:01,215307 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.216? Tell x.y.z.220
186 19:30:01,220582 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.217? Tell x.y.z.220
187 19:30:01,220940 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.218? Tell x.y.z.220
188 19:30:01,222711 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.219? Tell x.y.z.220
189 19:30:01,225082 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.221? Tell x.y.z.220
190 19:30:01,227078 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.222? Tell x.y.z.220
191 19:30:01,227092 Microsoft_01:99:05 Microsoft_01:99:01 ARP 42 x.y.z.222 is at 00:15:5d:01:99:05
192 19:30:01,228320 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.223? Tell x.y.z.220
193 19:30:01,230588 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.224? Tell x.y.z.220
194 19:30:01,232601 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.225? Tell x.y.z.220
195 19:30:01,234976 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.226? Tell x.y.z.220
196 19:30:01,235982 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.227? Tell x.y.z.220
197 19:30:01,244101 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.228? Tell x.y.z.220
198 19:30:01,244813 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.229? Tell x.y.z.220
199 19:30:01,251516 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.230? Tell x.y.z.220
200 19:30:01,253659 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.231? Tell x.y.z.220
201 19:30:01,254716 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.232? Tell x.y.z.220
202 19:30:01,256263 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.233? Tell x.y.z.220
203 19:30:01,258683 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.234? Tell x.y.z.220
204 19:30:01,259470 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.235? Tell x.y.z.220
205 19:30:01,261136 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.236? Tell x.y.z.220
206 19:30:01,262765 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.237? Tell x.y.z.220
207 19:30:01,265289 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.238? Tell x.y.z.220
208 19:30:01,265915 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.239? Tell x.y.z.220
209 19:30:01,267558 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.240? Tell x.y.z.220
210 19:30:01,269361 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.241? Tell x.y.z.220
211 19:30:01,271337 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.242? Tell x.y.z.220
212 19:30:01,272633 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.243? Tell x.y.z.220
213 19:30:01,274181 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.244? Tell x.y.z.220
214 19:30:01,275722 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.245? Tell x.y.z.220
215 19:30:01,277365 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.246? Tell x.y.z.220
216 19:30:01,279124 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.247? Tell x.y.z.220
217 19:30:01,280955 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.248? Tell x.y.z.220
218 19:30:01,282467 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.249? Tell x.y.z.220
219 19:30:01,284136 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.250? Tell x.y.z.220
220 19:30:01,285674 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.251? Tell x.y.z.220
221 19:30:01,287268 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.252? Tell x.y.z.220
222 19:30:01,288898 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.253? Tell x.y.z.220
223 19:30:01,290537 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.193? Tell x.y.z.220
224 19:30:01,292184 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.194? Tell x.y.z.220
225 19:30:01,293804 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.195? Tell x.y.z.220
226 19:30:01,295709 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.196? Tell x.y.z.220
227 19:30:01,297364 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.197? Tell x.y.z.220
228 19:30:01,300538 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.198? Tell x.y.z.220
229 19:30:01,301910 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.199? Tell x.y.z.220
230 19:30:01,305279 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.200? Tell x.y.z.220
231 19:30:01,306553 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.201? Tell x.y.z.220
232 19:30:01,308214 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.202? Tell x.y.z.220
233 19:30:01,309830 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.203? Tell x.y.z.220
234 19:30:01,311486 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.204? Tell x.y.z.220
235 19:30:01,313113 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.205? Tell x.y.z.220
236 19:30:01,314752 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.206? Tell x.y.z.220
237 19:30:01,316423 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.207? Tell x.y.z.220
238 19:30:01,318075 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.208? Tell x.y.z.220
239 19:30:01,319729 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.209? Tell x.y.z.220
240 19:30:01,321350 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.210? Tell x.y.z.220
241 19:30:01,322925 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.211? Tell x.y.z.220
242 19:30:01,324547 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.212? Tell x.y.z.220
243 19:30:01,326178 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.213? Tell x.y.z.220
244 19:30:01,327801 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.214? Tell x.y.z.220
245 19:30:01,329416 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.215? Tell x.y.z.220
246 19:30:01,331094 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.216? Tell x.y.z.220
247 19:30:01,332748 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.217? Tell x.y.z.220
248 19:30:01,334419 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.218? Tell x.y.z.220
249 19:30:01,336063 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.219? Tell x.y.z.220
250 19:30:01,337715 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.221? Tell x.y.z.220
251 19:30:01,339362 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.222? Tell x.y.z.220
252 19:30:01,339378 Microsoft_01:99:05 Microsoft_01:99:01 ARP 42 x.y.z.222 is at 00:15:5d:01:99:05
253 19:30:01,341008 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.223? Tell x.y.z.220
254 19:30:01,342653 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.224? Tell x.y.z.220
255 19:30:01,344309 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.225? Tell x.y.z.220
256 19:30:01,345959 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.226? Tell x.y.z.220
257 19:30:01,348137 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.227? Tell x.y.z.220
258 19:30:01,349343 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.228? Tell x.y.z.220
259 19:30:01,350871 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.229? Tell x.y.z.220
260 19:30:01,352534 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.230? Tell x.y.z.220
261 19:30:01,354196 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.231? Tell x.y.z.220
262 19:30:01,355830 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.232? Tell x.y.z.220
263 19:30:01,357505 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.233? Tell x.y.z.220
264 19:30:01,359169 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.234? Tell x.y.z.220
265 19:30:01,360786 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.235? Tell x.y.z.220
266 19:30:01,362464 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.236? Tell x.y.z.220
267 19:30:01,364124 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.237? Tell x.y.z.220
268 19:30:01,365746 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.238? Tell x.y.z.220
269 19:30:01,367468 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.239? Tell x.y.z.220
270 19:30:01,369059 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.240? Tell x.y.z.220
271 19:30:01,370683 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.241? Tell x.y.z.220
272 19:30:01,372324 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.242? Tell x.y.z.220
273 19:30:01,373960 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.243? Tell x.y.z.220
274 19:30:01,375581 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.244? Tell x.y.z.220
275 19:30:01,377208 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.245? Tell x.y.z.220
276 19:30:01,378851 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.246? Tell x.y.z.220
277 19:30:01,380497 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.247? Tell x.y.z.220
278 19:30:01,382138 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.248? Tell x.y.z.220
279 19:30:01,383768 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.249? Tell x.y.z.220
280 19:30:01,385430 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.250? Tell x.y.z.220
281 19:30:01,387103 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.251? Tell x.y.z.220
282 19:30:01,388751 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.252? Tell x.y.z.220
283 19:30:01,390451 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.253? Tell x.y.z.220

And here is a capture on the Hyper-V host. The physical machine's interface where the ISP is connected.
I got a drop at 20:30:13. Only had the .220 MAC .01 running.


822 20:29:50,664547 Nokia_04:10:01 Microsoft_01:99:05 ARP 60 Who has x.y.z.222? (ARP Probe)
3225 20:30:13,538023 0.0.0.0 255.255.255.255 DHCP 300 DHCP Discover - Transaction ID 0x3549be66
3226 20:30:13,538023 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.193? Tell x.y.z.220
3227 20:30:13,538528 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.193 is at 00:00:5e:00:01:5a
3228 20:30:13,539679 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.194? Tell x.y.z.220
3229 20:30:13,540182 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.194 is at 00:00:5e:00:01:5a
3230 20:30:13,541332 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.195? Tell x.y.z.220
3231 20:30:13,541829 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.195 is at 00:00:5e:00:01:5a
3232 20:30:13,543068 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.196? Tell x.y.z.220
3233 20:30:13,543558 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.196 is at 00:00:5e:00:01:5a
3234 20:30:13,544692 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.197? Tell x.y.z.220
3235 20:30:13,545179 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.197 is at 00:00:5e:00:01:5a
3236 20:30:13,546346 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.198? Tell x.y.z.220
3237 20:30:13,546845 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.198 is at 00:00:5e:00:01:5a
3238 20:30:13,548032 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.199? Tell x.y.z.220
3239 20:30:13,548540 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.199 is at 00:00:5e:00:01:5a
3240 20:30:13,549707 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.200? Tell x.y.z.220
3241 20:30:13,550201 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.200 is at 00:00:5e:00:01:5a
3242 20:30:13,551393 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.201? Tell x.y.z.220
3243 20:30:13,551910 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.201 is at 00:00:5e:00:01:5a
3244 20:30:13,553090 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.202? Tell x.y.z.220
3245 20:30:13,553667 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.202 is at 00:00:5e:00:01:5a
3246 20:30:13,554790 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.203? Tell x.y.z.220
3247 20:30:13,555293 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.203 is at 00:00:5e:00:01:5a
3248 20:30:13,556470 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.204? Tell x.y.z.220
3249 20:30:13,557122 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.204 is at 00:00:5e:00:01:5a
3250 20:30:13,558281 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.205? Tell x.y.z.220
3251 20:30:13,558796 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.205 is at 00:00:5e:00:01:5a
3252 20:30:13,559899 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.206? Tell x.y.z.220
3253 20:30:13,560560 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.206 is at 00:00:5e:00:01:5a
3254 20:30:13,561582 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.207? Tell x.y.z.220
3255 20:30:13,562081 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.207 is at 00:00:5e:00:01:5a
3256 20:30:13,563313 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.208? Tell x.y.z.220
3257 20:30:13,563813 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.208 is at 00:00:5e:00:01:5a
3258 20:30:13,564963 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.209? Tell x.y.z.220
3259 20:30:13,565460 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.209 is at 00:00:5e:00:01:5a
3260 20:30:13,566648 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.210? Tell x.y.z.220
3261 20:30:13,567147 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.210 is at 00:00:5e:00:01:5a
3262 20:30:13,568324 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.211? Tell x.y.z.220
3263 20:30:13,568881 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.211 is at 00:00:5e:00:01:5a
3264 20:30:13,570056 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.212? Tell x.y.z.220
3265 20:30:13,570542 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.212 is at 00:00:5e:00:01:5a
3266 20:30:13,571717 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.213? Tell x.y.z.220
3267 20:30:13,572226 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.213 is at 00:00:5e:00:01:5a
3268 20:30:13,573444 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.214? Tell x.y.z.220
3269 20:30:13,574829 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.214 is at 00:00:5e:00:01:5a
3270 20:30:13,575197 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.215? Tell x.y.z.220
3271 20:30:13,575698 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.215 is at 00:00:5e:00:01:5a
3272 20:30:13,577143 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.216? Tell x.y.z.220
3273 20:30:13,577678 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.216 is at 00:00:5e:00:01:5a
3274 20:30:13,578651 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.217? Tell x.y.z.220
3275 20:30:13,579129 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.217 is at 00:00:5e:00:01:5a
3276 20:30:13,580354 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.218? Tell x.y.z.220
3277 20:30:13,580869 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.218 is at 00:00:5e:00:01:5a
3278 20:30:13,582078 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.219? Tell x.y.z.220
3279 20:30:13,582603 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.219 is at 00:00:5e:00:01:5a
3280 20:30:13,583862 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.221? Tell x.y.z.220
3281 20:30:13,584657 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.221 is at 00:00:5e:00:01:5a
3282 20:30:13,585529 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.222? Tell x.y.z.220
3283 20:30:13,586011 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.222 is at 00:00:5e:00:01:5a
3284 20:30:13,587253 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.223? Tell x.y.z.220
3285 20:30:13,587740 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.223 is at 00:00:5e:00:01:5a
3286 20:30:13,589067 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.224? Tell x.y.z.220
3287 20:30:13,589638 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.224 is at 00:00:5e:00:01:5a
3288 20:30:13,590729 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.225? Tell x.y.z.220
3289 20:30:13,591236 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.225 is at 00:00:5e:00:01:5a
3290 20:30:13,591473 155.4.83.1 255.255.255.255 DHCP 342 DHCP Offer    - Transaction ID 0x3549be66
3291 20:30:13,592468 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.226? Tell x.y.z.220
3292 20:30:13,592955 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.226 is at 00:00:5e:00:01:5a
3293 20:30:13,594215 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.227? Tell x.y.z.220
3294 20:30:13,594803 IETF-VRRP-VRID_5a Microsoft_01:99:01 ARP 60 x.y.z.227 is at 00:00:5e:00:01:5a
3295 20:30:13,595927 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.228? Tell x.y.z.220
3296 20:30:13,597640 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.229? Tell x.y.z.220
3297 20:30:13,599367 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.230? Tell x.y.z.220
3298 20:30:13,601147 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.231? Tell x.y.z.220
3299 20:30:13,602861 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.232? Tell x.y.z.220
3300 20:30:13,604528 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.233? Tell x.y.z.220
3301 20:30:13,606208 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.234? Tell x.y.z.220
3302 20:30:13,607837 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.235? Tell x.y.z.220
3303 20:30:13,609500 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.236? Tell x.y.z.220
3304 20:30:13,611327 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.237? Tell x.y.z.220
3305 20:30:13,612834 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.238? Tell x.y.z.220
3306 20:30:13,614482 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.239? Tell x.y.z.220
3308 20:30:13,616098 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.240? Tell x.y.z.220
3309 20:30:13,617714 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.241? Tell x.y.z.220
3310 20:30:13,619329 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.242? Tell x.y.z.220
3311 20:30:13,620966 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.243? Tell x.y.z.220
3312 20:30:13,622608 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.244? Tell x.y.z.220
3313 20:30:13,624223 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.245? Tell x.y.z.220
3314 20:30:13,625902 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.246? Tell x.y.z.220
3315 20:30:13,627572 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.247? Tell x.y.z.220
3316 20:30:13,629205 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.248? Tell x.y.z.220
3317 20:30:13,630943 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.249? Tell x.y.z.220
3318 20:30:13,632603 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.250? Tell x.y.z.220
3319 20:30:13,634277 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.251? Tell x.y.z.220
3320 20:30:13,635951 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.252? Tell x.y.z.220
3321 20:30:13,637597 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.253? Tell x.y.z.220
3322 20:30:13,639255 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.193? Tell x.y.z.220
3323 20:30:13,640916 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.194? Tell x.y.z.220
3324 20:30:13,642638 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.195? Tell x.y.z.220
3325 20:30:13,644305 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.196? Tell x.y.z.220
3326 20:30:13,645927 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.197? Tell x.y.z.220
3327 20:30:13,647581 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.198? Tell x.y.z.220
3328 20:30:13,649264 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.199? Tell x.y.z.220
3329 20:30:13,651008 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.200? Tell x.y.z.220
3330 20:30:13,652712 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.201? Tell x.y.z.220
3332 20:30:13,654479 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.202? Tell x.y.z.220
3333 20:30:13,656123 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.203? Tell x.y.z.220
3334 20:30:13,657819 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.204? Tell x.y.z.220
3335 20:30:13,659512 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.205? Tell x.y.z.220
3336 20:30:13,661171 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.206? Tell x.y.z.220
3337 20:30:13,662817 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.207? Tell x.y.z.220
3338 20:30:13,664448 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.208? Tell x.y.z.220
3339 20:30:13,666211 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.209? Tell x.y.z.220
3341 20:30:13,667806 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.210? Tell x.y.z.220
3343 20:30:13,669412 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.211? Tell x.y.z.220
3344 20:30:13,671126 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.212? Tell x.y.z.220
3345 20:30:13,672789 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.213? Tell x.y.z.220
3346 20:30:13,674442 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.214? Tell x.y.z.220
3347 20:30:13,676103 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.215? Tell x.y.z.220
3348 20:30:13,677798 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.216? Tell x.y.z.220
3349 20:30:13,679491 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.217? Tell x.y.z.220
3350 20:30:13,681284 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.218? Tell x.y.z.220
3351 20:30:13,682905 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.219? Tell x.y.z.220
3352 20:30:13,684543 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.221? Tell x.y.z.220
3353 20:30:13,686222 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.222? Tell x.y.z.220
3354 20:30:13,687897 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.223? Tell x.y.z.220
3355 20:30:13,689616 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.224? Tell x.y.z.220
3356 20:30:13,691299 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.225? Tell x.y.z.220
3357 20:30:13,693056 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.226? Tell x.y.z.220
3358 20:30:13,694709 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.227? Tell x.y.z.220
3359 20:30:13,696418 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.228? Tell x.y.z.220
3360 20:30:13,698217 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.229? Tell x.y.z.220
3361 20:30:13,700069 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.230? Tell x.y.z.220
3362 20:30:13,701770 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.231? Tell x.y.z.220
3363 20:30:13,703477 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.232? Tell x.y.z.220
3364 20:30:13,705176 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.233? Tell x.y.z.220
3365 20:30:13,706879 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.234? Tell x.y.z.220
3366 20:30:13,708710 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.235? Tell x.y.z.220
3367 20:30:13,710423 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.236? Tell x.y.z.220
3368 20:30:13,712185 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.237? Tell x.y.z.220
3369 20:30:13,714910 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.238? Tell x.y.z.220
3371 20:30:13,715607 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.239? Tell x.y.z.220
3372 20:30:13,717378 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.240? Tell x.y.z.220
3373 20:30:13,718935 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.241? Tell x.y.z.220
3374 20:30:13,720670 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.242? Tell x.y.z.220
3375 20:30:13,722224 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.243? Tell x.y.z.220
3376 20:30:13,723889 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.244? Tell x.y.z.220
3377 20:30:13,725531 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.245? Tell x.y.z.220
3378 20:30:13,727169 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.246? Tell x.y.z.220
3379 20:30:13,728827 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.247? Tell x.y.z.220
3380 20:30:13,730460 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.248? Tell x.y.z.220
3381 20:30:13,732084 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.249? Tell x.y.z.220
3382 20:30:13,733710 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.250? Tell x.y.z.220
3383 20:30:13,735335 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.251? Tell x.y.z.220
3384 20:30:13,736983 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.252? Tell x.y.z.220
3385 20:30:13,738631 Microsoft_01:99:01 Broadcast ARP 42 Who has x.y.z.253? Tell x.y.z.220


So I see OPNsense trying to contact hosts from .193 to .253 but nowhere do I see your ISP (.194, right?) trying to contact OPNsense (.220, right?)

Any idea why your OPNsense is trying to contact all these hosts?

Thank you for the clue.
If this is the cause of my trouble I'm greatly embarrassed for not sharing the whole config here. I got ntopng running on .220 and its network discovery is set to run every 15 minutes...

Found this: https://github.com/ntop/ntopng/issues/4861
If it is this, still odd though:
I got ntopng running on multiple other sites' installations, haven't seen this anywhere else.
When I have another host active on one of their other assigned static IPs there is not a problem.

And... it looks like it may have been the culprit. I now passed two 15-minute intervals with only .220 running and Network Discovery disabled in ntopng.
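
Added example, not part of the original thread: a Python script that parses capture lines in the column layout posted above, flags bursts in which one source broadcasts ARP requests for many distinct addresses (the pattern the discovery scan produced here), and lists which MACs asked for a given IP. The sample capture is constructed in the thread's format; the function names and thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Column layout as posted in the thread:
#   <no> <HH:MM:SS,frac> <src> <dst> <proto> <len> <info>
LINE_RE = re.compile(
    r"^(\d+)\s+(\d\d:\d\d:\d\d),(\d+)\s+(\S+)\s+(\S+)\s+ARP\s+\d+\s+(.*)$")
REQ_RE = re.compile(r"Who has (\S+)\?(?: Tell (\S+))?")
REPLY_RE = re.compile(r"(\S+) is at (\S+)")


def parse_line(line):
    """Return a dict for an ARP line, or None for anything else (DHCP etc.)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    no, hms, frac, src, dst, info = m.groups()
    rec = {"no": int(no), "src": src, "dst": dst,
           # Time of day only; a capture spanning midnight is not handled.
           "time": datetime.strptime(f"{hms},{frac}", "%H:%M:%S,%f")}
    req = REQ_RE.search(info)
    if req:
        rec.update(op="request", target=req.group(1), teller=req.group(2))
        return rec
    rep = REPLY_RE.search(info)
    if rep:
        rec.update(op="reply", target=rep.group(1), mac=rep.group(2))
        return rec
    return None


def parse_capture(text):
    return [r for r in map(parse_line, text.splitlines()) if r]


def find_sweeps(records, min_targets=20, max_gap=timedelta(seconds=1)):
    """Group each source's broadcast requests into bursts (gap <= max_gap)
    and report bursts that cover at least min_targets distinct addresses."""
    by_src = defaultdict(list)
    for r in records:
        if r["op"] == "request" and r["dst"] == "Broadcast":
            by_src[r["src"]].append(r)
    sweeps = []
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["time"])
        burst = [reqs[0]]
        for r in reqs[1:] + [None]:          # None flushes the last burst
            if r is not None and r["time"] - burst[-1]["time"] <= max_gap:
                burst.append(r)
                continue
            targets = {b["target"] for b in burst}
            if len(targets) >= min_targets:
                sweeps.append({"src": src, "targets": len(targets),
                               "requests": len(burst),
                               "start": burst[0]["time"].time(),
                               "end": burst[-1]["time"].time()})
            if r is not None:
                burst = [r]
    return sweeps


def askers_for(records, ip):
    """Source names that sent an ARP request for ip (compare against the
    MAC you expect for the gateway)."""
    return {r["src"] for r in records
            if r["op"] == "request" and r["target"] == ip}


def build_sample():
    """Constructed capture modelled on the thread: one probe, one reply,
    one DHCP line, then a sweep of .193-.253 sent from .220."""
    lines = [
        "65 19:29:16,733268 Nokia_04:10:01 Microsoft_01:99:05 ARP 60 "
        "Who has x.y.z.222? (ARP Probe)",
        "66 19:29:16,733300 Microsoft_01:99:05 Nokia_04:10:01 ARP 42 "
        "x.y.z.222 is at 00:15:5d:01:99:05",
        "158 19:30:00,921438 0.0.0.0 255.255.255.255 DHCP 300 "
        "DHCP Discover - Transaction ID 0x183bbe66",
    ]
    for i, host in enumerate(range(193, 254)):
        if host == 220:                       # the scanner skips its own IP
            continue
        lines.append(f"{159 + i} 19:30:01,{i * 1500:06d} Microsoft_01:99:01 "
                     f"Broadcast ARP 42 Who has x.y.z.{host}? Tell x.y.z.220")
    return "\n".join(lines)


if __name__ == "__main__":
    recs = parse_capture(build_sample())
    for s in find_sweeps(recs):
        print(f"sweep from {s['src']}: {s['targets']} targets, "
              f"{s['start']} - {s['end']}")
    print("asked for x.y.z.222:", sorted(askers_for(recs, "x.y.z.222")))
```

Run against an export of a real capture, a sweep that recurs at the interval of the drops and originates from the firewall's own MAC points at a local scanner rather than at the ISP side.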