Am I supposed to see ARP requests from non-router devices?

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
All devices, except for one, are assigned static IPs. Due to one device requiring a DHCP server to get a functional IP I can control, my router is now set to be a DHCP server. All WiFi devices are using an isolated guest network, but there is no way to create VLANs due to router limitations. When I run TCPDump from my Android device, I see ARP requests with information about 3 devices:
- Router's IP + MAC address
- My Android Device's local IP + MAC address
- Amazon Fire TV Stick's local IP + MAC address

The Fire TV Stick is also isolated via guest WiFi. It isn't rooted, but with available tools, it is heavily debloated, uses a local VPN as a firewall + ad blocking + forcing DNS-over-HTTPS. Due to being isolated, there are no Chromecast, DLNA, DIAL, or other Multicast signals that other devices on my local network see in their TCPDump logs from the Fire TV Stick. That Amazon Fire TV Stick ARP request is the only signal that all network devices see.

Other WiFi devices do not see each other's ARP request signals, only their own + router + Amazon Fire TV Stick. Is that normal? Amazon Fire TV Stick's ARP request is between itself and the router, but why do I see the request on a different device? Why don't I see other devices' ARP requests, only the Fire TV Stick's?
 

grasshoppa

Supreme [H]ardness
Joined
Jun 18, 2017
Messages
4,736
I'd guess the wifi router is screwing up. I'd do a firmware update. If the problem still presents, then factory reset it, then reattach each device sequentially (with the firestick being last) and see what happens. If it does it again, same procedure, but this time hook up the firestick first. If it keeps happening with the firestick, then it's probably a bug in the firmware of the router that's triggered by something with the firestick. If it happens but with a different device, router firmware again.

Mind you, I'm just guessing here.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
180
Yes, every device on the same broadcast network will generally see the ARP request (https://www.dummies.com/programming/networking/cisco/network-basics-local-host-arp-requests/); it isn't only the router that sees the request.

To truly not see an ARP request on other devices you'd have to limit the broadcast domain. This could be by separating out the networks physically, or with proper VLANs.

If you want a little more in-depth on how it all works together, Juniper has a great intro to networking video series: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798 Last I checked it was still free to create an account and take this specific course.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
> Sorry for the detail, but what tools for debloating Fire Stick??

https://www.techdoctoruk.com/tutorials/ - search for "debloat". It did an excellent job and root was never needed. I removed all the junk except for the 4 entries (clearly labeled in the Debloat tool) needed to allow Amazon Prime to work. I used Wolf Launcher from the same page to have a clean, pristine Home Screen. Then I used Remote ADB to sideload the latest version of AdGuard to get rid of many ads, enable DNS-over-HTTPS, and allow for easy blocking of Amazon privacy-invading domains. AdGuard also prevented public and local IP from leaking via Amazon Silk's WebRTC implementation. It let me block some Multicast features that showed up in its Filtering Log (239.255.255.250, port 1900, port 1990), but AdGuard Local VPN is not a true VPN (it only runs locally to filter ads and bloat) and is not a true firewall either, but it is awesome at blocking crap. You're going to need to either use Guest WiFi Isolation or a VLAN (or both) to prevent the Firestick from sending Multicast signals all over the network and discovering other devices.
 

grasshoppa

Supreme [H]ardness
Joined
Jun 18, 2017
Messages
4,736
> Yes, every device on the same broadcast network will generally see the ARP request (https://www.dummies.com/programming/networking/cisco/network-basics-local-host-arp-requests/); it isn't only the router that sees the request.
>
> To truly not see an ARP request on other devices you'd have to limit the broadcast domain. This could be by separating out the networks physically, or with proper VLANs.
>
> If you want a little more in-depth on how it all works together, Juniper has a great intro to networking video series: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798 Last I checked it was still free to create an account and take this specific course.

The variable here is the wifi device isolation some routers have. It shouldn't allow any traffic to flow between wifi connected devices, including ARP.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
> Yes, every device on the same broadcast network will generally see the ARP request (https://www.dummies.com/programming/networking/cisco/network-basics-local-host-arp-requests/); it isn't only the router that sees the request.
>
> To truly not see an ARP request on other devices you'd have to limit the broadcast domain. This could be by separating out the networks physically, or with proper VLANs.
>
> If you want a little more in-depth on how it all works together, Juniper has a great intro to networking video series: https://learningportal.juniper.net/juniper/user_activity_info.aspx?id=5798 Last I checked it was still free to create an account and take this specific course.

I am checking them out :D!
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
> The variable here is the wifi device isolation some routers have. It shouldn't allow any traffic to flow between wifi connected devices, including ARP.

Yeah. The Guest WiFi Isolation my router uses prevents devices on it from:
- responding to ICMP IPv4 pings from any device on the local network
- sending/receiving IPv4 TCP/UDP packets from any device on the local network
- sending/receiving any IPv4 multicast packets
- accessing router settings

It does NOT prevent IPv6 device discovery and multicast signals over IPv6 Link Local addresses, even though IPv6 is disabled in the router. This could be because the router uses IGMPv3 Snooping that can't be disabled and all devices get all-systems.mcast.net packets every once in a while. IPv6 can't be fully disabled on most mobile WiFi devices...

I am testing iptables and ip6tables rules that drop MAC address packets to see if that stops ARP requests for other devices in the TCPDump log, but there have to be some commands that auto-capture if something like that happens... I can't stare at TCPDump lines all day long... It's not healthy.
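Something that watches the capture instead of a person staring at TCPDump lines, as an added example (my code, not from anyone in this thread): this Python script parses `tcpdump -n -e arp` output and reports ARP frames whose Ethernet source is any MAC other than the ones expected on an isolated guest client (the device itself and the router). The sample lines and MAC addresses below are constructed, not a real capture.

```python
import re
import sys
from collections import namedtuple

# Constructed sample of `tcpdump -l -n -e arp` output (not a real capture).
# Lines 1-2: this phone resolving the router, and the router's reply.
# Line 3: a request from a third MAC, i.e. another client's broadcast reached
# us even though both are on the "isolated" guest SSID.
SAMPLE_LINES = """\
10:00:01.000001 aa:bb:cc:00:00:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.50, length 28
10:00:01.000500 aa:bb:cc:00:00:ff > aa:bb:cc:00:00:01, ethertype ARP (0x0806), length 60: Reply 192.168.1.1 is-at aa:bb:cc:00:00:ff, length 46
10:00:05.000001 aa:bb:cc:00:00:77 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.60, length 28
""".splitlines()

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
FRAME_RE = re.compile(
    rf"^(?P<ts>\S+) (?P<src>{MAC}) > {MAC}, ethertype ARP \(0x0806\), length \d+: "
    r"(?P<op>Request|Reply) (?:who-has \S+ tell (?P<req_ip>\S+)|(?P<rep_ip>\S+) is-at \S+), length \d+$"
)
# src_mac is the Ethernet source; sender_ip is the IP that host claims in the ARP body.
ArpEvent = namedtuple("ArpEvent", "ts src_mac op sender_ip")

def parse_arp(line):
    """Parse one `tcpdump -e` ARP line; return None for any other line."""
    m = FRAME_RE.match(line.strip())
    if not m:
        return None
    return ArpEvent(m["ts"], m["src"].lower(), m["op"].lower(),
                    m["req_ip"] or m["rep_ip"])

def unexpected_arp(lines, expected_macs):
    """Map each source MAC outside the allowlist to the IPs it announced.
    On a guest-isolated client a non-empty result means other clients'
    layer-2 broadcasts are still reaching this device."""
    allow = {mac.lower() for mac in expected_macs}
    seen = {}
    for line in lines:
        ev = parse_arp(line)
        if ev and ev.src_mac not in allow:
            seen.setdefault(ev.src_mac, set()).add(ev.sender_ip)
    return {mac: sorted(ips) for mac, ips in seen.items()}

if __name__ == "__main__":
    # Usage: tcpdump -l -n -e arp | python3 arpwatch.py <own-mac> <router-mac>
    allow = {mac.lower() for mac in sys.argv[1:]}
    for line in sys.stdin:
        ev = parse_arp(line)
        if ev and ev.src_mac not in allow:
            print(f"ALERT {ev.ts} ARP {ev.op} from {ev.src_mac} claiming {ev.sender_ip}")
```

Only ARP is covered here; the IPv6 neighbour discovery the post mentions travels in ICMPv6 and would need a separate filter and parser.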
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
180
> The variable here is the wifi device isolation some routers have. It shouldn't allow any traffic to flow between wifi connected devices, including ARP.

Depends on the router and what they consider "wifi device isolation"; different routers may implement it differently. This is why I don't like just trusting "guest wifi", because then the rules are up to the manufacturer. They could just be blocking at layer 3 and not 2, which would still qualify as "isolation", but without access to the router's firmware code there is no real way to tell. This is why I prefer devices that let me see (and if necessary edit) those rules. Ubiquiti APs have a guest wifi option, but you can then also look at the rules they implement to accomplish that and add some more if you so choose.

Honestly, with all the security/networking goals OP is hoping to accomplish, I'd recommend getting a Ubiquiti Router/Switch/AP set up, and then VLAN off his troublesome devices. It's a bit more set-up, but with the right configuration it would be better than trusting old devices on the same network. But that's just one opinion.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
> Depends on the router and what they consider "wifi device isolation"; different routers may implement it differently. This is why I don't like just trusting "guest wifi", because then the rules are up to the manufacturer. They could just be blocking at layer 3 and not 2, which would still qualify as "isolation", but without access to the router's firmware code there is no real way to tell. This is why I prefer devices that let me see (and if necessary edit) those rules. Ubiquiti APs have a guest wifi option, but you can then also look at the rules they implement to accomplish that and add some more if you so choose.
>
> Honestly, with all the security/networking goals OP is hoping to accomplish, I'd recommend getting a Ubiquiti Router/Switch/AP set up, and then VLAN off his troublesome devices. It's a bit more set-up, but with the right configuration it would be better than trusting old devices on the same network. But that's just one opinion.

How do you test whether whichever router's Guest WiFi Isolation implementation is on Layer 3 or on Layer 2 when the router has very limited settings? ICMP and IGMP are both Layer 3.
 

scrappymouse

Limp Gawd
Joined
Mar 18, 2016
Messages
180
> How do you test whether whichever router's Guest WiFi Isolation implementation is on Layer 3 or on Layer 2 when the router has very limited settings? ICMP and IGMP are both Layer 3.

> "isolation" but without access to the router's firmware code there is no real way to tell.

Can't really tell without access to the router's firmware; however, the fact that you are seeing both IPv6 requests as well as ARP requests on other devices besides the router suggests their implementation is layer 3. But it could also just be that they are trying layer 2 isolation but failing because of some bug; there's no real way to tell the difference. Only the manufacturer knows what they mean by "guest wifi isolation". You may be able to search documentation for your particular router, but honestly I'd suggest you get a better router with more advanced filtering features. I personally haven't used it, but I hear good things about the USG, Ubiquiti's "security gateway"; in combination with a Unifi switch/Unifi AP you'll be good. The controller software will allow you to manage all 3 at the same time, you'll see what's connected where, and you'll be able to set up proper VLANs and different SSIDs for other people. But it's expensive to start, and there is definitely a learning curve, but there are good resources to help.

Adding a link to a video I think you'd be interested in; good information on securing your own network.
 

EnthusiastXYZ

Weaksauce
Joined
Jun 26, 2020
Messages
71
Huge thanks, man! That Linode service is excellent! Aside from that, everything else (and a hell of a lot more!) that video covers is something I am already doing.
 