ARP Configuration in pfSense

Address Resolution Protocol (ARP)

Address Resolution Protocol (ARP) is a protocol used for resolution of network layer addresses into link layer addresses. It was defined by RFC 826 in November 1982. ARP is used to convert an IP address to a physical address (the RFC specifies a 48-bit Ethernet address, called the MAC address). The RFC also specifies 10 Mb Ethernet, but ARP applies to all variants of Ethernet, regardless of speed.

To demonstrate how ARP works, let’s assume that we have two systems on our local network: NODE1 ( and NODE2 ( NODE1 wants to send data to NODE2. It knows the IP address, but it does not know the MAC address, and without the MAC address, it cannot make a frame. So NODE1 sends out a broadcast frame to the broadcast address, which is FF:FF:FF:FF:FF:FF. All systems on the network receive and process frames sent to the broadcast address. This frame asks all systems on the local network what the MAC address for IP address is. This frame is called an ARP request. The system with the IP address replies to NODE1 with an ARP reply.

Once NODE1 gets the MAC information for NODE2, it stores this information in a cache. You can see the ARP cache in your Windows or Linux system by typing arp -a (in Unixoid environments, you may have to specify the path; e.g. /sbin/arp -a). In some situations, a computer knows the MAC address, but needs the system’s IP address; in those cases, it can broadcast a Reverse ARP (RARP) command. While ARP is fairly common, few applications require RARP.

ARP is an essential networking component, but it will not work if the target computer is not part of the local network. If NODE1 wanted to send data to a remote computer, it cannot ARP that system, because the Internet does not allow any form of broadcast frames. In this case, NODE1 creates frames with the remote system’s IP addres and runs an ARP to determine the MAC address of the remote system. The sending system’s network interface card (NIC) then creates frames with the gateway’s MAC address. As each frame comes into the gateway, it strips off the frame, leaving the IP packets, which still have the IP address of the remote system as its destination. The gateway then wraps the IP packets in whatever type of frame the outgoing connection needs and sends them toward the intended system.

Viewing the ARP Table and Other Configuration Tips


Viewing the ARP table in pfSense.

To view the pfSense ARP table, navigate to Diagnostics -> ARP Table. The table will contain some, but not necessarily all, of the systems in pfSense’s local network. Only systems that have been the target of an ARP query show up in the table.

Because ARP does not provide methods for authenticating ARP replies on a network, ARP replies can come from systems other than the one with the required Layer 2 address. An ARP proxy is a system which answers the ARP request on behalf of another system for which it will forward traffic, normally part of the network’s design. Proxy ARP configuration in pfSense has already been detailed in a previous article.

There is one last setting that should be noted. In some cases, you may have two NICs on the same physical network, but on different subnets. Everything works, but you get a lot of messages like this in the system log:

kernel: arp: is on fxp2 but got reply from 00:30:ab:0e:de:a2 on fxp0

You can ignore these error messages, but because of the sheer amount of them, they may hide some of the more important error messages. Fortunately, pfSense has provided an easy way of getting rid of them. Navigate to System -> Advanced, and click on the “Networking” tab. Under “Network Interfaces“, check the “Suppress ARP messages” check box. Now ARP log messages will be suppressed between multiple interfaces on the same broadcast domain, even if they are on separate subnets.

External Links:

Address Resolution Protocol at Wikipedia

Ethernet Address Resolution Protocol at

Switch management on two interfaces at

pfSense Virtual IP Addresses: Part One

pfSense Virtual IP Addresses

Virtual IP address configuration page in pfSense.

A virtual IP address (VIP or VIPA) is an IP address that is not assigned to a specific single server or network interface card (NIC). Rather, it is assigned to multiple applications on a single server, multiple domain names, or multiple servers. Normally, a server IP address depends on the MAC address of the attached NIC, and only one logical IP may be assigned per card. However, VIP addressing enables hosting for several different applications and virtual appliances on a server with only one logical IP address. VIPs have several variations and implementations, including Common Address Redundancy Protocol (CARP) and Proxy Address Resolution Protocol (Proxy ARP).

pfSense Virtual IP Addresses: Proxy ARP

pfSense allows four types of virtual IP addresses: Proxy ARP, CARP, Other, and IP Alias. In this article, I will cover how to configure pfSense virtual IP addresses using Proxy ARP and CARP.

The different types of virtual IP addresses have slightly varied properties. With proxy ARP, the properties are:

  • Can only be forwarded by the firewall (cannot be used by the firewall)
  • Uses Layer 2 (the data link layer) traffic
  • Can be in a different subnet than the interface
  • Cannot respond to pings
pfSense Virtual IP Addresses

Once the Virtual IP has been entered and saved, it is added to the list.

To configure a Proxy ARP virtual IP address, browse to Firewall -> Virtual IPs and Click the “plus” button to add a new virtual IP address. At type, there are four radio buttons; select the radio button for “Proxy ARP” (it should be the default selection). For “Interface”, select “WAN”. At “IP Address(es)“, select “Single address” for “Type” (this should be the default). At “Address“, specify an IP address. At “Description“, enter a description if desired. Then press “Save” to save the changes and “Apply changes” to apply changes if necessary.

Now, the newly-created VIP should be listed at the “Virtual IPs” tab at Firewall -> Virtual IPs.

pfSense Virtual IP Addresses: CARP

You can also configure a virtual IP with CARP in pfSense 2.0. The properties for a CARP VIP include:

  • Can be used or forwarded by the firewall
  • Uses Layer 2 (data link layer) traffic
  • Should be used in firewall fail-over or load-balancing scenarios
  • Must be in the same subnet as the interface
  • Will respond to pings if configured properly

To set up a CARP virtual IP address, browse to Firewall -> Virtual IPs and click the “plus” button to add a new virtual IP address. At “Type“, select the “CARP” radio button, and at “Interface“, select “WAN” (it should be the default). At “IP address(es)“, specify an IP address. At “Virtual IP Password“, specify a password. At “VHID Group“, choose a group. At “Advertising Frequency“, select a frequency (0 for master). At “Description“, add a description if desired. Then press “Save” to save the changes and “Apply changes” to apply the changes if necessary.

In part two of this series, I will cover setting up virtual IP addresses with IP Alias and Other types.

Once again, the “Virtual IPs” tab under Firewall -> Virtual IPs should display the newly-created VIP within the list of pfSense virtual IP addresses. In part two, I will cover IP aliases (new to pfSense 2.0) and other VIPs.

External Links:

What are Virtual IP Addresses? at

© 2013 David Zientara. All rights reserved. Privacy Policy