Why does no router support ARP Spoofing Defense in Controller mode?
Hi!
Recently, I started delving into ARP Spoofing and ARP Poisoning attacks. Then, I looked into how I could (better) protect my Omada network against this. I saw an option for "ARP Spoofing Defense" in my Omada controller.
I enabled it, did an ARP Spoof, but the router didn't do anything.
Now I see in the specifications of my ER605 that ARP protection only works in Standalone Mode. That makes some sense since it's a budget device. But even the ER7206 (€142), ER707-M2 (€160), and the brand new ER7412-M2 (€200) from August 2024 (!) can only do this in Standalone mode.
For the ER704W-4G (€309) and ER706W (€132) variants, I don’t see an icon for "Sending GARP Packets" and "IP-MAC Binding." Only ARP Scanning has an icon, which means it is only available in Standalone mode.
Is it true that ARP Spoofing Defense works fully in Controller mode for the ER704W-4G and ER706W variants? Is ARP Scanning necessary for this functionality? Why was this choice made? It seems completely illogical to me based on hardware specifications and price.
In addition, I noticed that the specifications of the ER8411 have a *5 next to ARP Inspection, but at the bottom, it doesn't say what *5 means. Did you forget to add that, or does the ER8411 actually support ARP Inspection in Controller mode?
Omada er605 with firmware 2.2.6 Build 20241111 Rel.57697 doesnt detect any arp-attacks.
i can successfully assign any IP from IP-MAC Binding list for any device and it works like a charm.
as example no problem to assign 192.168.6.10 to any other device with different MAC and it will work like native network device passing through all access control, policy routing and bandwitth control rules.
on attacker device i successfully assigned IP that has IP-MAC binding in ARP defence: and it have access to network.
no arp-attack detected.
tell pls what wireshark log you wish to see?
Hi @YuriyB
Thanks for posting in our business forum.
Ends with CC:DC:3A is the device that has a 192.168.6.10 which has been taken by the entry in the ARP firewall. Right?
Filter with the ARP, and what does the router reply to the ARP?
@Clive_A Thanks for reply.
On windows PC with mac(E0-D5-5E-CC-DC-3A) I assigned in windows network settings static IP 192.168.6.10
(192.168.6.10 is another device and it has entry in ER605 ARP IP-MAC Binding List AC-80-FB-65-90-A7)
wireshark log 192168610.pcapng attached
put in ethernet cable and heres screen:
No messages in syslog.
so any schoolboy can change his IP and making IP groups with access control list or routing rules is is senseless :(
@Clive_A Okay, now it looks like this:
Router tells me about suspected attack. but why it is telling arp to attacker device?
now get foreigh device, set sny IP from ARP MAC-bindig list and watching wideos from my ip cameras on foreign device.
can access all my network devices also.
I can understand purpose of ARP-Spoofing defence?
why on tplink archer ax23 or archer c64 devices NOT from ip-mac binding list or changing IP as i did, cant access to network but er605 does?