I am having the strangest issue on my network and am hoping anyone could offer insight as to why it is happening?
I have a network of 50+ users with half running XP and half running Windows 7. Soon we will be upgrading all users to Windows 7. During the past month a number of the Windows 7 users have reported intermittent Internet connectivity. I would go to their computer and see that they are getting all the correct IP information from the DHCP server and reboot their network adapter. Usually one reset of the adapter would do, but sometimes I had to reset it twice or three times before connectivity would occur.
After a few weeks of this more users would report consistent intermittent connectivity. Just to the Internet, as they were able to reach their folders on our file server and were able to receive e-mails from our e-mail server. I decided to monitor the network traffic on one of the adapters having the issue using Wireshark, and found an ARP request and reply for the gateway IP. I logged into the router and found that the reply given to the Windows 7 machine was incorrect, as the MAC address given to the Windows 7 machine was the WAN1 port of the RV082. The LAN port on the router is 192.168.0.1 and has a MAC of xx-xx-xx-xx-xx-x0. The WAN1 port on the router has a public IP and has a MAC of xx-xx-xx-xx-xx-x1. I checked the ARP cache on the Windows 7 computers and confirmed that when they have no internet connectivity the ARP cache reads like this:
192.168.0.1 xx-xx-xx-xx-xx-x1 dynamic
The machine is able to ping every machine on the internal network except for the gateway IP. Also, after updating the cache to map the gateway IP with the LAN port MAC address, using:
netsh interface ipv4 add neighbors "connection name" 192.168.0.1 xx-xx-xx-xx-xx-x0
the issue was resolved for that Windows 7 machine. However, the issue is ongoing for every Windows 7/Vista machine added to the network. I do not want to update the ARP cache on every Vista/7 machine introduced to the network.
Is there anything that can be causing this issue? We are running firmware 2.0.2.01-tm which was updated from 22.214.171.124-tm just 2 weeks ago.
You might want to back up your router's config file, and contact the Support Center to provide the config file for analysis.
One thing you could consider trying is to reset the router to factory default, reconfigure the router from scratch, and see if that clears up the issue.
Well, it's definitely not a router hardware issue as we received a new router RV082, and I reconfigured it from scratch. After switching back the Windows 7 computers' ARP cache it started reverting the gateway IP to the WAN port MAC of the new router. Frustrating.
Possibly a Windows 7 issue as it only appears to rear its head on these machines?
Downloaded XArp to see what's going on and the logs detail that it is indeed happening to XP machines, however, the correct port is immediately sending out the correct ARP reply after the WAN port's incorrect reply:
19/07/2012 - 14:03:25 - arp - ChangeFilter: MAC address for IP 192.168.0.1 changed from f0-f7-55-4e-e3-d0 to f0-f7-55-4e-e3-d1 - 0x2 - f0-f7-55-4e-e3-d1 - 00-25-11-1f-8a-7c - reply - f0-f7-55-4e-e3-d1 - 00-25-11-1f-8a-7c - 192.168.0.1 - 192.168.0.109 - in
19/07/2012 - 14:03:25 - arp - ChangeFilter: MAC address for IP 192.168.0.1 changed from f0-f7-55-4e-e3-d1 to f0-f7-55-4e-e3-d0 - 0x2 - f0-f7-55-4e-e3-d0 - 00-25-11-1f-8a-7c - reply - f0-f7-55-4e-e3-d0 - 00-25-11-1f-8a-7c - 192.168.0.1 - 192.168.0.109 - in
So XArp is saying that the source MAC for this change is the WAN port of my new router? If this was an ARP attack what would be the benefit of creating a script to change everyone's ARP cache to point the gateway IP to the WAN port of the RV082?? Just as a denial of service? How would I go about flushing this offensive script out?
Is there a way to tell the WAN port of the RV082 to stop responding to such an internal ARP request?
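An added example, not part of the original thread: a small Python script that reads XArp "ChangeFilter" entries in the format quoted above and reports any IP whose MAC mapping flips to a second address and back within a short window. The function names, the 5-second window and the "adjacent MAC means same device" heuristic are assumptions made for this illustration.

```python
import re
from datetime import datetime, timedelta

# Matches XArp "ChangeFilter" entries in the format quoted in the thread.
CHANGE_RE = re.compile(
    r"^(\d{2}/\d{2}/\d{4}) - (\d{2}:\d{2}:\d{2}) - arp - ChangeFilter: "
    r"MAC address for IP (\S+) changed from (\S+) to (\S+)"
)

# The two log entries from the thread, trimmed after the "0x2" field.
SAMPLE = [
    "19/07/2012 - 14:03:25 - arp - ChangeFilter: MAC address for IP 192.168.0.1 "
    "changed from f0-f7-55-4e-e3-d0 to f0-f7-55-4e-e3-d1 - 0x2",
    "19/07/2012 - 14:03:25 - arp - ChangeFilter: MAC address for IP 192.168.0.1 "
    "changed from f0-f7-55-4e-e3-d1 to f0-f7-55-4e-e3-d0 - 0x2",
]

def parse_changes(lines):
    """Yield (timestamp, ip, old_mac, new_mac) for each ChangeFilter entry."""
    for line in lines:
        m = CHANGE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(f"{m.group(1)} {m.group(2)}", "%d/%m/%Y %H:%M:%S")
            yield ts, m.group(3), m.group(4).lower(), m.group(5).lower()

def adjacent_macs(a, b):
    """Heuristic (assumption): same first five octets and last octet off by one,
    as with the LAN (…x0) and WAN1 (…x1) ports described in the thread."""
    pa, pb = a.split("-"), b.split("-")
    return pa[:5] == pb[:5] and abs(int(pa[5], 16) - int(pb[5], 16)) == 1

def find_flaps(lines, window=timedelta(seconds=5)):
    """Report IPs whose mapping goes A -> B and back B -> A within `window`."""
    last = {}    # ip -> (timestamp, old_mac, new_mac) of the previous change
    flaps = []
    for ts, ip, old, new in parse_changes(lines):
        prev = last.get(ip)
        if prev and prev[1:] == (new, old) and ts - prev[0] <= window:
            flaps.append({"ip": ip, "stable_mac": new, "transient_mac": old,
                          "same_device_likely": adjacent_macs(old, new)})
        last[ip] = (ts, old, new)
    return flaps

if __name__ == "__main__":
    for flap in find_flaps(SAMPLE):
        print(flap)
```

A flap where `same_device_likely` is true points at two interfaces of one box answering for the same IP; a transient MAC from an unrelated vendor prefix is the case that deserves a closer look at the host behind it.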