Troubleshooting ARP Move Log Messages

Log entries on pfSense® software may appear in the system log showing something similar to the following:

pfsense kernel: arp: 192.168.1.50 moved from c4:0c:5c:69:6c:05 to 62:1e:3e:43:04:0c on em1

This indicates that the firewall saw the specified IP address move between the first MAC address and the second. This can happen for several reasons.

IP address conflict

Two hosts are configured with the same IP address

ARP poisoning

Someone on the network is ARP poisoning hosts

NIC teaming

Some NIC teaming or bonding configurations will routinely log messages such as this because of the way they function. In these cases, this message is normal.

IP address moved to a different host or NIC

If an actively used IP address is reassigned to a different device or different NIC, this message will be logged. This will only occur when an active IP is moved, for instance an expired DHCP lease that later is assigned to a different host will not trigger this as the IP must have an active ARP table entry on the firewall for this to occur.

Apple Bonjour sleep proxy

Apple’s Bonjour sleep proxy will cause these logs to appear because of its network behavior. If both of the listed MAC addresses are Apple vendor MACs, this is likely why and can be disregarded as normal behavior.

This logging can be disabled by setting the tunable net.link.ether.inet.log_arp_movements to value 0 under System > Advanced, System Tunables tab.