Who's ARPing my Camera?

[TheWaterbug]

I have a Blue Iris server box behind a port forward (port 81 only) from my pfsense 2.60 appliance, on a "things" subnet of my segmented network, along with my IP cameras, smart TVs, etc. All cameras have DHCP reservations:



One camera in particular, TrailDown (MAC 9c:8e:cd:2a:5f:4c, reserved at 192.168.1.51), keeps disappearing from the BI feed:



and there are messages in the BI server's logs of Changed to IP 192.168.1.251 and then Changed to IP 192.168.1.51



I checked the pfsense logs, and I see repeated messages of

Oct 30 00:09:19 kernel arp: 192.168.1.251 moved from 9c:8e:cd:2f:d8:11 to 9c:8e:cd:2a:5f:4c on igc1

I never see log entries ARPing 192.168.1.51.

Those other MAC addresses 9c:8e:cd:2f:d8:11, a0:bd:1d:c4:64:2d, etc. are/were all cameras on the same subnet, some of which are active on other reserved IPs and some of which were removed from the network ages ago.

Is there any way to tell from within pfsense who/what is ARPing this camera to a different address?

Curiously, the camera interface itself has an option to allow/disallow ARP assignment, and it's disabled:



Yes, I know I can probably fix this by assigning a true static address at the camera itself, but I'd like to find out what's on my network doing this unwanted behavior!

 

[Mike A.]

Take a look at:

Settings > Video > Configure > Skip initial MAC... tests.

If that's not checked, then BI can try to reassign IP addresses based on MAC.

If that's not it, then maybe the ntopng add-on for pfSense may show it. Or WireGuard.

 

[TheWaterbug]

Take a look at:

Settings > Video > Configure > Skip initial MAC... tests.

If that's not checked, then BI can try to reassign IP addresses based on MAC.

If that's not it, then maybe the ntopng add-on for pfSense may show it. Or WireGuard.

It was unchecked, so I checked it. We'll see if the behavior improves.