By default, when a Linux host is connected to the same layer 2 network by two network interfaces (that is, both are plugged into the same switch or connected switches on the same VLAN, or attached to a bridge in a similar configuration), an ARP request for any IP on those NICs will draw a response from every interface, each carrying its own MAC address. This causes a problem called ARP flux, in which an IP may seem to migrate from MAC to MAC.

This example uses a DHCP server similar to the one covered in Transparent Proxy for Hot Spot/Public Network Web-Based Authentication on ClearOS. It has an external interface (192.168.222.22) and an internal interface (192.168.111.1) on which DHCP clients are collected. Since we are collecting DHCP users and then routing them through another private network, both interfaces are connected to the same switch. When an ARP request for either IP is made, both interfaces will respond at first. Observe:

bzp ~ # arping 192.168.222.22 -I br0
ARPING 192.168.222.22 from 192.168.222.53 br0
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.950ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.987ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.930ms
^CSent 2 probes (1 broadcast(s))
Received 3 response(s)
bzp ~ # arping 192.168.111.1 -I br0
ARPING 192.168.111.1 from 192.168.111.99 br0
Unicast reply from 192.168.111.1 [00:16:3E:22:00:01]  0.946ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.981ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.887ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.891ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.953ms
^CSent 4 probes (1 broadcast(s))
Received 5 response(s)

We can correct this by adding the following lines to /etc/sysctl.conf:

net.ipv4.conf.default.arp_filter=1
net.ipv4.conf.all.arp_filter=1

Now run:

# sysctl -p

The issue should be corrected:

bzp ~ # arping 192.168.111.1 -I br0
ARPING 192.168.111.1 from 192.168.111.99 br0
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  1.171ms
Unicast reply from 192.168.111.1 [00:16:3E:22:00:02]  0.991ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)
bzp ~ # arping 192.168.222.22 -I br0
ARPING 192.168.222.22 from 192.168.222.22 br0
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.919ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.980ms
^CSent 2 probes (1 broadcast(s))
Received 2 response(s)

Note that one of the MACs will “win out” after the first broadcast because the target machine will start sending unicast responses from the correct interface. If you are consistently seeing multiple MACs responding on every arping, it is safe to say you are probably looking at an IP address conflict instead.
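
The distinction drawn in the note above can be checked mechanically. The following is an added example, not code from the original post: `classify_arping` is a hypothetical helper, its "opening burst" rule is an assumed heuristic, and the conflict sample is constructed.

```shell
# Classify arping replies per target IP (added example, hypothetical helper).
# Assumption: the first d replies (d = distinct MACs seen) answer the opening
# broadcast; later replies answer unicast probes.
#   single = one MAC answered; flux = extra MACs only in the opening burst;
#   conflict = MACs keep changing after the opening burst
classify_arping() {
    awk '
    / reply from / {
        ip = $4
        mac = toupper(substr($5, 2, length($5) - 2))  # drop the [ ]
        if (!(ip in count)) order[++nip] = ip
        seq[ip, ++count[ip]] = mac
        if (!((ip, mac) in seen)) { seen[ip, mac] = 1; distinct[ip]++ }
    }
    END {
        for (i = 1; i <= nip; i++) {
            ip = order[i]; d = distinct[ip]; verdict = "single"
            if (d > 1) {
                verdict = "flux"
                for (k = d + 2; k <= count[ip]; k++)
                    if (seq[ip, k] != seq[ip, k - 1]) verdict = "conflict"
            }
            print ip, verdict, d
        }
    }'
}

# Reply lines copied from the pre-fix capture above for 192.168.222.22.
sample_flux() {
cat <<'EOF'
ARPING 192.168.222.22 from 192.168.222.53 br0
Unicast reply from 192.168.222.22 [00:16:3E:22:00:01]  0.950ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.987ms
Unicast reply from 192.168.222.22 [00:16:3E:22:00:02]  0.930ms
EOF
}

# Constructed sample (not from the page): two MACs alternate on every probe.
sample_conflict() {
cat <<'EOF'
Unicast reply from 192.0.2.10 [02:00:00:00:00:0A]  0.900ms
Unicast reply from 192.0.2.10 [02:00:00:00:00:0B]  0.910ms
Unicast reply from 192.0.2.10 [02:00:00:00:00:0A]  0.905ms
Unicast reply from 192.0.2.10 [02:00:00:00:00:0B]  0.915ms
EOF
}

sample_flux | classify_arping
sample_conflict | classify_arping
```

Each output line is the target IP, the verdict, and the number of distinct MACs that answered; live arping output can be piped into the function the same way.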