Am I supposed to see ARP requests from non-router devices?

EnthusiastXYZ

All devices, except for one, are assigned static IPs. Because one device requires a DHCP server to get a functional IP I can control, my router is now set to be a DHCP server. All WiFi devices are using the isolated guest network, but there is no way to create VLANs due to router limitations. When I run tcpdump from my Android device, I see ARP requests with information about 3 devices:
- Router's IP + MAC address
- My Android device's local IP + MAC address
- Amazon Fire TV Stick's local IP + MAC address

The Fire TV Stick is also isolated via guest WiFi. It isn't rooted, but with available tools it is heavily debloated, and it uses a local VPN as a firewall + ad blocking + forcing DNS-over-HTTPS. Because it is isolated, there are no Chromecast, DLNA, DIAL, or other multicast signals from the Fire TV Stick that other devices on my local network see in their tcpdump logs. That Amazon Fire TV Stick ARP request is the only signal that all network devices see.

Other WiFi devices do not see each other's ARP requests, only their own + the router's + the Amazon Fire TV Stick's. Is that normal? The Amazon Fire TV Stick's ARP request is between itself and the router, but why do I see the request on a different device? Why don't I see other devices' ARP requests, only the Fire TV Stick's?
 
I'd guess the WiFi router is screwing up. I'd do a firmware update. If the problem still presents, then factory reset it, then reattach each device sequentially (with the Fire Stick being last) and see what happens. If it does it again, same procedure, but this time hook up the Fire Stick first. If it keeps happening with the Fire Stick then it's probably a bug in the firmware of the router that's triggered by something with the Fire Stick. If it happens but with a different device, router firmware again.

Mind you, I'm just guessing here.
 
Yes, every device on the same broadcast network will generally see the ARP request (https://www.dummies.com/programming/networking/cisco/network-basics-local-host-arp-requests/); it isn't only the router that sees the request.

To truly not see an ARP request on other devices you'd have to limit the broadcast domain; this could be by separating out the networks physically, or with proper VLANs.

If you want a little more in-depth on how it all works together, Juniper has a great intro to networking video series: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798 Last I checked it was still free to create an account and take this specific course.
 
Sorry for the detail, but what tools for debloating the Fire Stick?
https://www.techdoctoruk.com/tutorials/ - search for "debloat". It did an excellent job and root was never needed. I removed all the junk except for the 4 entries (clearly labeled in the Debloat tool) needed to allow Amazon Prime to work. I used Wolf Launcher from the same page to have a clean, pristine home screen. Then I used Remote ADB to sideload the latest version of AdGuard to get rid of many ads, enable DNS-over-HTTPS, and allow for easy blocking of Amazon privacy-invading domains. AdGuard also prevented public and local IPs from leaking via Amazon Silk's WebRTC implementation. It let me block some multicast features that showed up in its Filtering Log (239.255.255.250, ports 1900, port 1990), but the AdGuard local VPN is not a true VPN (it only runs locally to filter ads and bloat) and is not a true firewall either; still, it is awesome at blocking crap. You're going to need to either use Guest WiFi Isolation or a VLAN (or both) to prevent the Fire Stick from sending multicast signals all over the network and discovering other devices.
 
The variable here is the wifi device isolation some routers have. It shouldn't allow any traffic to flow between wifi connected devices, including ARP.
 
if you want a little more in-depth on how it all works together Juniper has a great intro to networking video series. https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798 last I checked it was still free to create an account, and take this specific course.

I am checking them out :D!
 
Yeah. The Guest WiFi Isolation my router uses prevents devices on it from:
- responding to ICMP IPv4 pings from any device on the local network
- sending/receiving IPv4 TCP/UDP packets to/from any device on the local network
- sending/receiving any IPv4 multicast packets
- accessing router settings

It does NOT prevent IPv6 device discovery and multicast signals over IPv6 link-local addresses, even though IPv6 is disabled in the router. This could be because the router uses IGMPv3 snooping that can't be disabled, and all devices get all-systems.mcast.net packets every once in a while. IPv6 can't be fully disabled on most mobile WiFi devices...


I am testing iptables and ip6tables rules that drop packets by MAC address to see if that stops ARP requests from other devices showing up in the tcpdump log, but there have to be some commands that auto-capture if something like that happens... I can't stare at tcpdump lines all day long... It's not healthy.
 
Depends on the router and what they consider "wifi device isolation"; different routers may implement it differently. This is why I don't like just trusting "guest wifi", because then the rules are up to the manufacturer. They could just be blocking at Layer 3 and not Layer 2, which would still qualify as "isolation", but without access to the router's firmware code there is no real way to tell. This is why I prefer devices that let me see (and if necessary edit) those rules. Ubiquiti APs have a guest wifi option, but you can then also look at the rules they implement to accomplish that and add some more if you so choose.

Honestly, with everything security/networking-related OP is hoping to accomplish, I'd recommend getting a Ubiquiti router/switch/AP set up, and then VLAN off his troublesome devices. It's a bit more set-up, but with the right configuration it would be better than trusting old devices on the same network. But that's just one opinion.
 
How do you test whether a given router's Guest WiFi Isolation implementation is at Layer 3 or at Layer 2 when the router has very limited settings? ICMP and IGMP are both Layer 3.
 
Can't really tell without access to the router's firmware. However, the fact that you are seeing both IPv6 requests and ARP requests on devices other than the router suggests their implementation is Layer 3, but it could also be that they are attempting Layer 2 isolation and failing because of some bug; there is no real way to tell the difference. Only the manufacturer knows what they mean by "guest wifi isolation". You may be able to search the documentation for your particular router, but honestly I'd suggest you get a better router with more advanced filtering features. I personally haven't used it, but I hear good things about the USG, Ubiquiti's "security gateway"; in combination with a UniFi switch and a UniFi AP you'll be good. The controller software will allow you to manage all 3 at the same time; you'll see what's connected where, and you'll be able to set up proper VLANs and different SSIDs for other people. But it's expensive to start, and there is definitely a learning curve, though there are good resources to help.

Adding a link to a video I think you'd be interested in: good information on securing your own network.
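As an added example (not code from any poster in this thread), here is the empirical check for the two questions raised above: how to tell Layer 2 from Layer 3 "isolation" without the firmware source, and how to stop watching tcpdump by hand. The script reads the output of `tcpdump -n -e arp` (with `-e`, tcpdump prints the Ethernet source and destination MAC on each line) and reports which other clients' ARP frames reach the capturing host. The sample capture, addresses and MACs below are constructed to mirror the situation in the original post; only tcpdump's line format is real.

```python
import re
import sys

# Format of one `tcpdump -n -e -i <iface> arp` line. The ARP sender address is
# "tell X" on a request and "X is-at" on a reply; the MACs are the Ethernet header.
LINE_RE = re.compile(
    r"^\S+ (?P<src_mac>[0-9a-f:]{17}) > (?P<dst_mac>[0-9a-f:]{17}), ethertype ARP .*?: "
    r"(?:Request who-has (?P<target>[^\s,]+) tell (?P<req_sender>[^\s,]+)"
    r"|Reply (?P<rep_sender>[^\s,]+) is-at (?P<rep_mac>[0-9a-f:]{17}))"
)
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed sample, not a real capture: router .1, the capturing phone .20,
# a Fire TV Stick .30 whose broadcast who-has reaches the phone.
SAMPLE = """\
12:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.20 tell 192.168.1.1, length 28
12:00:01.000500 aa:bb:cc:00:00:20 > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 42: Reply 192.168.1.20 is-at aa:bb:cc:00:00:20, length 28
12:00:02.000000 aa:bb:cc:00:00:30 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.30, length 28
12:00:03.000000 aa:bb:cc:00:00:20 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
"""


def parse_arp_line(line):
    """Return a dict for one ARP line, or None for anything else (IPv6, noise)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    g = m.groupdict()
    if g["req_sender"]:
        return {"op": "request", "src_mac": g["src_mac"], "dst_mac": g["dst_mac"],
                "sender_ip": g["req_sender"], "target_ip": g["target"]}
    return {"op": "reply", "src_mac": g["src_mac"], "dst_mac": g["dst_mac"],
            "sender_ip": g["rep_sender"], "target_ip": None}


def classify_capture(lines, my_ip, my_mac, router_ip):
    """Summarise whose ARP frames reach this host. A broadcast from another client
    proves a shared broadcast domain; a unicast to my MAC from another client
    proves client-to-client unicast is not filtered at Layer 2 either."""
    summary = {"peer_broadcasts": set(), "peer_unicast": set(), "router_probes": set()}
    for line in lines:
        p = parse_arp_line(line)
        if p is None or p["sender_ip"] == my_ip:
            continue
        if p["sender_ip"] == router_ip:
            if p["op"] == "request":
                summary["router_probes"].add(p["target_ip"])   # hosts the router resolves
            continue
        if p["dst_mac"] == BROADCAST:
            summary["peer_broadcasts"].add(p["sender_ip"])
        elif p["dst_mac"] == my_mac:
            summary["peer_unicast"].add(p["sender_ip"])
    return summary


def isolation_verdict(summary):
    if summary["peer_unicast"]:
        return "no L2 isolation: other clients can deliver unicast frames to this host"
    if summary["peer_broadcasts"]:
        return "shared broadcast domain: peer broadcasts arrive, no peer unicast observed"
    return "no peer frames seen: peers are filtered at L2 or sit in another broadcast domain"


if __name__ == "__main__":
    # Usage: tcpdump -n -e -l -i wlan0 arp | python3 arp_visibility.py <my-ip> <my-mac> <router-ip>
    if len(sys.argv) == 4:
        s = classify_capture(sys.stdin, sys.argv[1], sys.argv[2].lower(), sys.argv[3])
    else:
        s = classify_capture(SAMPLE.splitlines(), "192.168.1.20", "aa:bb:cc:00:00:20", "192.168.1.1")
    for key, value in s.items():
        print(f"{key}: {sorted(value)}")
    print(isolation_verdict(s))
```

Run it on a guest client as `sudo tcpdump -n -e -l -i wlan0 arp | python3 arp_visibility.py <my-ip> <my-mac> <router-ip>` (the script name is an assumption). If only `peer_broadcasts` fills up, the result is what the original post describes: broadcasts from other clients are flooded to you while nothing unicast arrives, a pattern consistent with an AP that blocks client-to-client unicast but still floods broadcasts, which leaks every client's IP and MAC even though ping and port scans fail. If `peer_unicast` fills up, there is no Layer 2 isolation at all. A complementary active check from a second guest client is `arping -I wlan0 -c 3 <peer-ip>`: an ARP reply means the peer's unicast reached you.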
 
Huge thanks, man! That Linode service is excellent! Aside from that, everything else (and a hell of a lot more!) that video covers is something I am already doing.
 
Routers usually allow 3 main modes - Router, AP, Bridged. Only Router mode has isolation features. Are you saying UniFi APs also have routing isolation features? The UniFi Dream Machine (non-Pro) is supposedly really good, but perhaps UniFi APs + USG is a better alternative with more customization? I am not sure why UniFi uses "Gateway" in their product names when those products don't include actual modems. Modem+Router=Gateway. Neither the UniFi Dream Machine nor the USG has a built-in modem from what I can tell.
 
Consumer routers in AP mode essentially disable all router functionality and often won't even allow you to log into them; proper APs are normally configured using some type of controller feature or have a management IP that lets you configure them on the device locally. The UniFi AP does in fact have built-in limited firewall functionality; here is a great video on it
 
With UniFi Dream Machine offering so much in one device, why go with AP's + Switch + Secure Gateway combo?
 
This video came out before the Dream Machine was available. I personally like having separate devices; normally all-in-one combos don't offer the same level of individual configuration for each, though I'm not sure about the Dream Machine because I honestly have no experience with it. A personal preference for me is at least separation of the AP: with a PoE AP I can ceiling-mount it and get much better WiFi coverage than I could with a single box sitting somewhere. Same with switches: I can add additional switches connected to a proper router in different rooms of the house (if I want/need). But it all depends on an individual's personal needs/preferences.
 
If routers are APs + switches + gateways, then doesn't VLAN isolation happen at the switch level? If all I wanted was to add more secure VLAN Layer-2 WiFi isolation to my existing network, wouldn't I simply need to:
1. Disable the current router's WiFi
2. Add whichever APs
3. Add a switch with VLAN isolation capabilities
4. Connect WiFi clients to the new APs, isolate WiFi clients via switch settings
?
If that is so, then what makes one AP less or more secure than another? All the firewall, NAT, IPS/IDS happens on the router, not the AP...
 
That would be better than an all-in-one, but you're still missing things. There is a difference between tagged and untagged traffic for VLANs. Yes, VLANs are done at the switch level: say you set port 3 on the switch as VLAN 3, and off that port you have an AP attached. You'll connect to your AP, it will then forward that to the switch, the switch knows that port is VLAN 3 and will tag it as such, and if it needs to talk to something else on that VLAN it will send it back out whatever other port is also on VLAN 3; if not, it will send it up to the router if allowed, or drop it if not. Now in this setup, if your AP is not tagging VLANs, all SSIDs will end up on the same VLAN, as the switch is tagging any traffic that comes into that port.

Maybe an example is warranted, here is how I have my network setup. (specifics have been altered, but same concept)

I have my AP setup with 2 SSID's,
IOT-Wifi - AP tags this as VLAN 5 192.168.5.0/24
My-Wifi -AP tags this as VLAN 10 192.168.10.0/24
MGT-VLAN(2) for untagged traffic 192.168.2.0/30(required for unifi AP)

AP connected to switch port 3

Port 3 setup as a VLAN trunk port with only VLANs 5, 10, and native 2(VLAN 2) allowed.

Switch port one is connected to my router on port 1, again as a trunk port, with VLANs 5, 10, and 2 allowed.

On that interface I have the main IP (untagged 192.168.2.1/30) (default GW for VLAN 2), and sub-interfaces 192.168.5.1 (default GW for VLAN 5) and 192.168.10.1 (default GW for VLAN 10)

My router is my DHCP server as well, I have 3 DHCP scopes set up, 192.168.5.10-30, 192.168.10.10-100, and 192.168.2.2(yep only one IP, for AP management)

So when you connect to my AP your packet will be tagged and forwarded up to the router; it will hit the correct sub-interface of the router because of the VLANs, and then the router will give out an IP address to that device on that VLAN. I have rules in the router on what networks can talk to what devices. For example, I have a rule that prohibits any traffic from 192.168.5.0 to 192.168.10.0, and vice versa; I have many other rules as well. My devices all get a different IP network dependent on what WiFi they connect to.
Do you have to use a UniFi AP? Absolutely not, you can use any AP, but if you're truly trying to segment off different SSIDs then at least make sure it can tag VLAN traffic based on what SSID it is connecting to; otherwise all your WiFi traffic will end up on the same VLAN that the switch is configured for. Of course you could do physical separation as well: a couple of really cheap dumb APs, connect them to different ports on the switch, and have those ports set as different VLANs. That would work to separate the traffic as well; you'd just have two separate APs each with their own SSID.
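To make the tagged/untagged behaviour described above concrete, here is an added Python model (not code from any poster, from Ubiquiti, or from any real switch) of the layout just described: two trunk ports with native VLAN 2 and tagged VLANs 5 and 10, one router sub-interface per VLAN, and the deny rule between 192.168.5.0/24 and 192.168.10.0/24. The `Port` object, the function names and the sample destination addresses are illustrative assumptions; what it demonstrates is where a client frame ends up when it arrives tagged, untagged (a non-tagging AP), or with a VLAN the trunk does not allow.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Port:
    name: str
    mode: str            # "access" or "trunk"
    pvid: int            # VLAN for untagged frames; on a trunk this is the native VLAN
    allowed: frozenset   # tagged VLANs a trunk accepts and forwards (ignored on access ports)


def ingress_vlan(port: Port, tag: Optional[int]) -> Optional[int]:
    """802.1Q ingress: untagged frames are placed in the PVID; a tagged frame is kept
    only on a trunk that allows that VLAN. None means the switch drops the frame."""
    if tag is None:
        return port.pvid
    if port.mode != "trunk" or tag not in port.allowed:
        return None
    return tag


def egress_tag(port: Port, vlan: int) -> Tuple[bool, Optional[int]]:
    """802.1Q egress: (forwarded?, tag on the wire). The PVID/native VLAN leaves
    untagged, any other allowed VLAN leaves tagged, everything else is not sent."""
    if vlan == port.pvid:
        return True, None
    if port.mode == "trunk" and vlan in port.allowed:
        return True, vlan
    return False, None


# Router side, mirroring the post: one L3 sub-interface per VLAN (assumed subnets)
# and a deny rule between the IoT VLAN (5) and the trusted VLAN (10).
ROUTER_IFACES = {2: "192.168.2.0/30", 5: "192.168.5.0/24", 10: "192.168.10.0/24"}
DENY_PAIRS = {(5, 10), (10, 5)}


def vlan_of(ip: str) -> Optional[int]:
    """Which router sub-interface owns this destination, if any."""
    addr = ipaddress.ip_address(ip)
    for vid, net in ROUTER_IFACES.items():
        if addr in ipaddress.ip_network(net):
            return vid
    return None


def router_decision(src_vlan: int, dst_ip: str) -> str:
    dst_vlan = vlan_of(dst_ip)
    if dst_vlan is None:
        return "forward-to-wan"
    if dst_vlan == src_vlan:
        return "same-vlan"              # switched at L2; the router never routes it
    if (src_vlan, dst_vlan) in DENY_PAIRS:
        return "denied-by-policy"
    return f"routed-to-vlan-{dst_vlan}"


def walk(ap_port: Port, router_port: Port, tag: Optional[int], dst_ip: str) -> str:
    """Follow one client frame: AP uplink port -> switch -> router trunk -> router policy."""
    vid = ingress_vlan(ap_port, tag)
    if vid is None:
        return "dropped-at-switch-ingress"
    ok, wire_tag = egress_tag(router_port, vid)
    if not ok:
        return "dropped-at-switch-egress"
    # The router maps the wire tag back to a sub-interface; untagged means the native VLAN.
    src_vlan = wire_tag if wire_tag is not None else router_port.pvid
    if src_vlan not in ROUTER_IFACES:
        return "no-router-interface"
    return f"vlan{src_vlan}:{router_decision(src_vlan, dst_ip)}"


# Switch port 3 (AP uplink) and port 1 (router uplink), both trunks with native VLAN 2.
AP_PORT = Port("port3", "trunk", pvid=2, allowed=frozenset({5, 10}))
ROUTER_PORT = Port("port1", "trunk", pvid=2, allowed=frozenset({5, 10}))

if __name__ == "__main__":
    cases = [
        (5, "192.168.10.20"),    # IoT SSID tagged by the AP, trying to reach a trusted host
        (10, "203.0.113.9"),     # trusted SSID to the internet (documentation address)
        (None, "192.168.5.20"),  # an AP that does not tag: client lands on the native VLAN
        (99, "192.168.5.20"),    # a VLAN the trunk does not allow
        (5, "192.168.5.30"),     # IoT to IoT, stays at L2
    ]
    for tag, dst in cases:
        print(f"tag={tag!s:>4} dst={dst:<15} -> {walk(AP_PORT, ROUTER_PORT, tag, dst)}")
```

The untagged case is the failure mode the post warns about: a client behind an AP that does not tag its SSIDs is placed in the trunk's native VLAN (here the management VLAN 2), and because the only deny rule is between 5 and 10, the router happily routes it into the IoT network. On a real switch the fix is the same as in the post: either make the AP tag per SSID, or give each dumb AP its own access port on its own VLAN.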
 
Yeah, per-AP SSID and per-AP port VLAN is what I am thinking, but it is cost-inefficient and only a short-term solution... I still don't know how to test the isolation level. On the current router, Nmap results from one Guest WiFi device to another Guest WiFi device show isolation of ICMP, all TCP ports, and all UDP ports. I no longer see ARP packets on non-guest devices and guest devices from other guest (and non-guest) devices, a consequence of a router firmware update, reset to factory, and re-configuring from scratch. Every device uses a VPN with software-based isolation. No guest device can access the router. Every guest device says "No internet available".

There is no way to stop IGMP snooping on the router, but IGMP snooping only sends IGMPv3 queries from the router to each device. IGMP snooping doesn't make any Guest WiFi devices see each other. IGMP-based casting (Chromecast, DLNA, UPnP) is impossible on Guest WiFi devices (as intended). I now use an old DD-WRT router (with custom iptables) to prevent the one device I can't control via OS settings on the non-guest wired network from sending out IPv6 link-local packets and contacting other devices. I can't control it because it is locked by the US government, and it happens to be the noisiest device on the entire network.

In other words, I don't know enough to know for sure that what I want (proper isolation) isn't already there.
 