ARP Cache Poisoning notification after adding extender

[Scupper 1 2]

Hi,

I have a Netgear R7000 router https://www.netgear.com/home/wifi/routers/r7000/. Once I added an extender https://www.netgear.com/home/wifi/range-extenders/ex7000/ I keep getting ARP Cache Poisoning notifications.  (both devises running the latest January 2021 firmware)

Looking at the Connected Home tool, two instances of the device appear when the notification is given.  I think what is happening is that Eset is mistakenly flagging a hand-off between the router and extender as a security issue.

I went to Setup->Network Protection->Connected Networks->and changed the setting to Home or Office Network from the default Use Windows Setting.  Still got the same notifications.

I then went to Setup->Advanced Setup->Network protection->Firewall->Advanced->Zones and added 192.168.1.1-192.168.1.15 to cover my devises in the Addresses Exclude from IDS in the Firewall Zones box.  No more notifications.

Did I do the right thing? and is there a risk by adding the exclusion.

Thanks.

 

[Marcos 5,074]

We'd like to investigate what exactly happened since the internal cache should clear when you switch from router to the wi-fi extender or vice-versa.

Please carry on as follows:
 - enable advanced logging under Help and support -> Details for technical support
- reboot the machine
- reproduce the issue
- disable logging
- collect logs with ESET Log Collector and post the generated archive here.

[Scupper 1 2]

I'll post it when I get back home this evening.

Thanks

 

[Scupper 1 2]

The notifications are more frequently the blue box New Device Detected, but they are duplicates of existing devices.

Log attached.

Thanks.

eis_logs.zip

[itman 1,659]

they are duplicates of existing devices

2 hours ago, Scupper 1 said:

The notifications are more frequently the blue box New Device Detected

This alert appears when a new device is connected to the network; e.g.external HDD, etc.. You state "they are duplicates of existing devices." What devices does the alert state it is detecting?

 

 

[Scupper 1 2]

Only devices that move through the house duplicate.  The router, extender, printer, Chromcast haven't duplicated.

A New Device alert just happened now.  Glen's mobile was in the inner circle, but got bumped with a duplicate.

Both devices are 192.168.1.10, but note that only one displays that and the MAC addresses are different.

 

 

 

[itman 1,659]

-EDIT-

Prior to setting the extender as an Access Point per below, verify that you haven't enabled Eset Device Control feature:

If its enabled, disable it and see it that stops these New Device Detected alerts.

-END EDIT-

Did you install the Netgear Wi-Fi Extender as an Access Point? I believe that may be the solution to this Eset duplicate device detection and possibly the ARP poisoning detections.

How to set up the extender as an Access Point is given here: https://www.downloads.netgear.com/files/GDC/EX7000/EX7000_UM_EN.pdf .

Edited March 23, 2021 by itman

[Scupper 1 2]

Device Control is not enabled.

It was installed as an extender, not an access point as cabling would be a problem.

I installed the Netgear app on my mobile device.  Even their app will show duplicates occasionally, but then they disappear after a few minutes without leaving any history.

I shut off the extender and router, and ran the following at the command prompt as administrator as a Hail Mary:

ipconfig /flushdns

ipconfig /renew

netsh winsock reset

and then rebooted the computer.

I then powered the extender and router back on.

So far today I've had a couple of new devices detected (even though they weren't new) but no ARP warnings.

As even Netgear's app can't get it 100%, I can't blame ESET.  The stability and strength of the modem are amazing - I guess the extender and router hold on a bit longer than most to ensure transition.

I can live with the occasional blue New Device Detected pop-ups.

Thanks for your help.

 

[itman 1,659]

4 minutes ago, Scupper 1 said:

ran the following at the command prompt as administrator

Yes, IPv4 network reset can do wonders. BTW - Win 10 has a complete network reset option accessible via System Settings.

16 minutes ago, Scupper 1 said:

So far today I've had a couple of new devices detected (even though they weren't new) but no ARP warnings.

I don't use Eset's Connected Home feature since I use Eset's Public network connection profile exclusively.

[The PIT 1]

Mobile devices may have the random mac address enabled which may cause them to be detected as new devices.

[Scupper 1 2]

Thanks itman and The Pit.

The network consists of a Netgear R7000 router and a Netgear EX7000 mesh extender running both a 2.4 and 5G network with one wired desktop which never duplicated)  and 15 devices.

Here's the solution:

1 Shut off the extender

2 Log into the router and reserve a block of address for static IPs. In my case 192.168.1.2 - .50.  Anything on the network will then be bumped to 192.168.1.51+

3. If a device can operate on both 2.4 and 5G, chose one and forget the other or you will have to repeat steps

4. Assign static IP addresses for each device.

5 If you really want or need to have both 2.4 and 5G on a device you will have to add another static IP for the other network as The Pit pointed out, MAC randomization creates a new MAC address for each network a devices connects to (one for 2.4 and another for 5G)

6. Reboot the modem, turn on the extender

To keep things simple, we kept all devices on 2.4, allowing the extender to sit alone on the 5G network.

Everything works perfectly now, both on the Netgear app, and ESET's Connected Home Monitor.

Thanks again

 

[itman 1,659]

21 minutes ago, Scupper 1 said:

4. Assign static IP addresses for each device.

This was the key to the solution plus router IP address range exclusion. In other words, take DHCP auto IP address assignment out of the picture.