Forum Discussion

mindprism's avatar
mindprism
New Contributor
12 months ago

Strange ARP behavior from COX gateway

Hello everyone. I have noticed some very weird behavior coming from my COX gateway. It appears to be answering ARP requests for any address at all, whether it's a routable IP or an RFC1918. Here's some examples:

dude@asus_gw01:/tmp/home/root# arp 70.172.202.1
ip70-172-202-1.ri.ri.cox.net (70.172.202.1) at 00:a5:bf:0f:98:19 [ether]  on eth0

So far so good, that 98:19 is a Cisco MAC if I'm not mistaken. But watch this (my router is running Asus-Merlin):

dude@asus_gw01:/tmp/home/root# arping 172.23.66.169
ARPING to 172.23.66.169 from 70.172.202.120 via eth0
Unicast reply from 172.23.66.169 [00:a5:bf:0f:98:19] 10.982ms
Unicast reply from 172.23.66.169 [00:a5:bf:0f:98:19] 10.315ms
Unicast reply from 172.23.66.169 [00:a5:bf:0f:98:19] 28.359ms
^CSent 3 probe(s) (1 broadcast(s))
Received 3 reply (0 request(s), 0 broadcast(s))

dude@asus_gw01:/tmp/home/root# arping 10.12.34.56
ARPING to 10.12.34.56 from 70.172.202.120 via eth0
Unicast reply from 10.12.34.56 [00:a5:bf:0f:98:19] 10.193ms
Unicast reply from 10.12.34.56 [00:a5:bf:0f:98:19] 9.733ms
Unicast reply from 10.12.34.56 [00:a5:bf:0f:98:19] 30.616ms
^CSent 3 probe(s) (1 broadcast(s))
Received 3 reply (0 request(s), 0 broadcast(s))

dude@asus_gw01:/tmp/home/root# arping 192.168.251.78
ARPING to 192.168.251.78 from 70.172.202.120 via eth0
Unicast reply from 192.168.251.78 [00:a5:bf:0f:98:19] 514.899ms
Unicast reply from 192.168.251.78 [00:a5:bf:0f:98:19] 57.161ms
Unicast reply from 192.168.251.78 [00:a5:bf:0f:98:19] 339.865ms
^CSent 3 probe(s) (1 broadcast(s))
Received 3 reply (0 request(s), 0 broadcast(s))

dude@asus_gw01:/tmp/home/root# arping 8.8.8.8
ARPING to 8.8.8.8 from 70.172.202.120 via eth0
Unicast reply from 8.8.8.8 [00:a5:bf:0f:98:19] 14.494ms
Unicast reply from 8.8.8.8 [00:a5:bf:0f:98:19] 10.901ms
Unicast reply from 8.8.8.8 [00:a5:bf:0f:98:19] 11.579ms
^CSent 3 probe(s) (1 broadcast(s))
Received 3 reply (0 request(s), 0 broadcast(s))

dude@asus_gw01:/tmp/home/root# arping 55.55.55.55
ARPING to 55.55.55.55 from 70.172.202.120 via eth0
Unicast reply from 55.55.55.55 [00:a5:bf:0f:98:19] 10.376ms
Unicast reply from 55.55.55.55 [00:a5:bf:0f:98:19] 10.203ms
Unicast reply from 55.55.55.55 [00:a5:bf:0f:98:19] 9.972ms
^CSent 3 probe(s) (1 broadcast(s))
Received 3 reply (0 request(s), 0 broadcast(s))

This is very perplexing to me and I can't for the life of me figure out what's going on. Anybody else seen this or have an explanation? This COX device is literally answering for my local network's LAN addresses as well. Thankfully things are segmented enough that it all appears to be functional, but it is a real headscratcher and doesn't sit right with me. Seems like a FUBAR waiting to happen. Or maybe I just don't get how COX does things (entirely possible; I'm not very bright). Any light y'all can shed would be most appreciated. Thanks!

  • WiderMouthOpen's avatar
    WiderMouthOpen
    Esteemed Contributor
    12 months ago

    Why are you using a Cox gateway if you have your own router? Do you atleast have it in bridge mode?

    • mindprism's avatar
      mindprism
      New Contributor
      12 months ago

      The Cox gateway is the default route for my router. No getting around that; there's gonna have to be a first hop on the Cox network if I'm going to reach the world.

  • ExtraChrispy's avatar
    ExtraChrispy
    Contributor III
    12 months ago

    You actually made me thing about this one for a moment but what you're seeing is expected behavior.  arping is described as doing the following: Ping destination on device interface by ARP packets, using source address source.

    Since the IP's your arpinging to aren't local to your subnet, they're being sent to the default gateway's MAC address which is replying as that is where such packets should be routed.