# AT&T Uverse - ARP Broadcasts



## Ruler2112 (Mar 28, 2014)

Our local DSL provider lost the ability to provide us with static IPs, so I migrated to AT&T uverse.  They installed it and I was able to work with one of their techs to get IP passthrough mode working on the Motorola NVG510 router/gateway and all the ports unblocked on their system.  My mail server (running BSD) has a static IP and things are working well.  However, I've noticed that I get messages in /var/log/messages every 5 minutes or so.


```
Mar 28 16:09:22 graffdeals kernel: arplookup 192.168.1.254 failed: host is not on local network
```

Loading up a packet sniffer revealed what's going on:


```
16:14:22.996111 arp who-has 192.168.1.253 (Broadcast) tell 192.168.1.254  
0x0000:  0001 0800 0604 0001 3060 2362 6ad0 c0a8  ........0`#bj...
0x0010:  01fe ffff ffff ffff c0a8 01fd 696e 6720  ............ing.
0x0020:  0000 0001 0000 0000 0000 5a37 199b       ..........Z7..        
16:14:23.016878 arp who-has 162-xxx-yyy-113.lightspeed.cityname.sbcglobal.net (Broadcast) tell 192.168.1.254
0x0000:  0001 0800 0604 0001 3060 2362 6ad0 c0a8  ........0`#bj...
0x0010:  01fe ffff ffff ffff a2ed 5c71 0000 0000  ..........\q....
0x0020:  0000 0001 0000 0000 0000 4462 4716       ..........DbG.
16:14:23.016966 arp who-has 162-xxx-yyy-114.lightspeed.cityname.sbcglobal.net (Broadcast) tell 192.168.1.254
0x0000:  0001 0800 0604 0001 3060 2362 6ad0 c0a8  ........0`#bj...       
0x0010:  01fe ffff ffff ffff a2ed 5c72 7363 616e  ..........\rscan  
0x0020:  0000 0001 0000 0000 0000 6ab5 5893       ..........j.X.
```

Basically, the AT&T router is doing an ARP broadcast on every private IP in the subnet and every public IP in the subnet every 5 minutes.  I'd say that there's a flaw in the firmware of the router, as the IP it requests the public IPs tell is in the private range and therefore inaccessible.  I've dug through the AT&T router settings and there's no option I've been able to find to shut these off.

Does anyone know of a way to make the router stop doing ARP broadcasts every few minutes, if only to certain IPs?  What about changing the IP it asks the public IPs report to be the public IP of the modem so it won't fill my logs?  Barring both of these options, is there a way for me to tell BSD to simply not log such messages?


----------
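An added example, not part of the original post: a small Python parser for ARP payloads in the layout of the hex dumps above, which flags requests whose sender address lies outside the receiving interface's subnet, the condition the logged message in the post describes. The sample bytes, MAC address and the 203.0.113.0/24 subnet are constructed documentation values; that the server's interface sits on a public subnet is an assumption.

```python
import ipaddress
import struct

# Constructed sample ARP payloads (hex, starting at the ARP header, the same
# layout as the tcpdump hex output). All addresses are documentation values.
SAMPLES = [
    # who-has 192.168.1.253 tell 192.168.1.254
    "0001 0800 0604 0001 0200 5e00 5301 c0a8 01fe ffff ffff ffff c0a8 01fd",
    # who-has 203.0.113.10 tell 192.168.1.254
    "0001 0800 0604 0001 0200 5e00 5301 c0a8 01fe ffff ffff ffff cb00 710a",
]


def parse_arp(hexdump):
    """Decode an Ethernet/IPv4 ARP packet given as a hex string."""
    raw = bytes.fromhex(hexdump.replace(" ", ""))
    if len(raw) < 28:
        raise ValueError("truncated ARP packet")
    htype, ptype, hlen, plen, oper = struct.unpack("!HHBBH", raw[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not Ethernet/IPv4 ARP")
    # Sender MAC, sender IP, target MAC, target IP follow the 8-byte header.
    sha, spa, _tha, tpa = struct.unpack("!6s4s6s4s", raw[8:28])
    return {
        "op": {1: "request", 2: "reply"}.get(oper, str(oper)),
        "sender_mac": sha.hex(":"),
        "sender_ip": ipaddress.IPv4Address(spa),
        "target_ip": ipaddress.IPv4Address(tpa),
    }


def sender_off_link(pkt, local_net):
    """True when the sender's IP is outside the receiving interface's subnet."""
    return pkt["sender_ip"] not in ipaddress.ip_network(local_net)


if __name__ == "__main__":
    # Assumed subnet of the server's interface (constructed value).
    local_net = "203.0.113.0/24"
    for sample in SAMPLES:
        pkt = parse_arp(sample)
        flag = "OFF-LINK SENDER" if sender_off_link(pkt, local_net) else "ok"
        print(f"{pkt['op']} who-has {pkt['target_ip']} "
              f"tell {pkt['sender_ip']} ({pkt['sender_mac']}): {flag}")
```
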



## ralphbsz (Mar 30, 2014)

No idea how to tell the AT&T router to stop doing this nonsense.

Suggestion for a completely different approach: On your FreeBSD machine, simply block those packets in pf.  Then they get silently dropped, and no message will be printed.  For example, on my machine there is some nonsense traffic coming from the public Internet (via an Ethernet line), and I have the following lines in my /etc/pf.conf to pretend that they don't exist (you have to imagine that the variable $ext_hi is filled with the name of the ethernet port for that network):

```
# The Hilltop internet antenna blabbers on port 49 (tacacs or bbn-login)
block drop in quick on $ext_hi inet proto udp to 255.255.255.255 port 49
# And someone on Hilltops internal network blabbers snmp:
block drop in quick on $ext_hi inet proto tcp to 255.255.255.255 port snmp-trap
```

You could try something similar.  But be careful to be as surgical as possible.  If you tell `pf` to drop all arp traffic, then pretty much everything will stop working.  Fortunately, `pf` allows one to be quite accurate in describing packets.


----------

