.png)
Authored by: Support.com Tech Pro Team
How to troubleshoot ARP Move Log Messages on Netgate Router
pfSense® log entries may appear in the system log showing something similar to the following:
pfsense kernel: arp: 192.168.1.50 moved from c4:0c:5c:69:6c:05 to 62:1e:3e:43:04:0c on em1
This indicates that the firewall saw the specified IP address move between the first MAC address and the second. This can happen for several reasons.
IP address conflict
Two hosts are configured with the same IP address
ARP poisoning
Someone on the network is ARP poisoning hosts
NIC teaming
Some NIC teaming or bonding configurations will routinely log messages such as this because of the way they function. In these cases, this message is normal.
IP address moved to a different host or NIC
If an actively used IP address is reassigned to a different device or different NIC, this message will be logged. This will only occur when an active IP is moved, for instance an expired DHCP lease that later is assigned to a different host will not trigger this as the IP must have an active ARP table entry on the firewall for this to occur.
Apple Bonjour sleep proxy
Apple’s Bonjour sleep proxy will cause these logs to appear because of its network behavior. If both of the listed MAC addresses are Apple vendor MACs, this is likely why and can be disregarded as normal behavior.
This logging can be disabled by setting the tunable net.link.ether.inet.log_arp_movements to value 0 under System > Advanced, System Tunables tab.
Support.com is committed to your privacy
We do not share or sell your data to third parties. We do use cookies and other third-party technologies to improve our site and services. The California Consumer Privacy Act (CCPA) gives you the ability to opt out of the use of cookies, third-party technologies and/or the future sale of your data. Do not sell my personal information.
Support.com is committed to your privacy
Read our Privacy Policy for a clear explanation of how we collect, use, disclose and store your information
