Different MAC addresses in packet and ARP table

Question

What happens if a host on the network receives an IP packet with a MAC source address that differs from the MAC address in the local ARP table for that source IP?

The ARP table entry for that IP was and will be filled via an valid ARP response.

Now I have noticed that the receiving host (Ubuntu 18.04) does not send a reply packet (ICMP echo response or TCP SYN/ACK ...etc). No reply packet is leaving the interface.

The question is now for what reasons the host behaves this way. What checks are being made with the packet MAC and IP addresses, the local arp table and routing table etc.?

Edit:

To clearify the scenario:

If host Hb sends a ping request to 10.2.0.5 (host Ha), Ha receives an ICMP packet with source IP 10.1.0.3 and the source MAC address is the MAC address of the router. But the ARP table of host Ha has an entry: 10.1.0.3 -> Hb MAC address. Thus the MAC addresses differ!

I'll build the lab tomorrow and check this behavior. But the check the firewall and output of the `nstat -az` command on the ubuntu host. — Anton Danilov, Jul 21 '19 at 14:53

score 0 · Accepted Answer · answered Jul 22 '19 at 11:17

This behavior is completely expected and related with the routing configuration of the Hb host, that likely has only the default route through the router. So, if you haven't setup the additional route, the packets to the N2 network (10.2.0.0/24) are sent through the default route.

So the issue is caused by enabled the reverse path filter on the Ha host, that drops the incoming packets by restrictions on the source address.

To troubleshoot this problem you should check the output of next commands on the Ha host:

ip netconf show dev <iface-N2> - check the rp_filter value. Likely it is strict.
ip route get 10.2.0.5 from 10.1.0.3 iif <iface-N2> - likely it will show something like invalid cross-device link.
nstat -az TcpExtIPReversePathFilter - likely it will have the non-zero value.

There are three oblivious ways to solve the issue:

Just disable the rp_filter on the Ha host with the sysctl (sysctl -w net.ipv4.conf.all.rp_filter=0 and sysctl -w net.ipv4.conf.<iface-N2>.rp_filter=0). Also, you should edit the /etc/sysctl.conf file to make this changes permanent.
Just add route on the Hb host to 10.2.0.5 through 10.1.0.5 address (command for linux ip route add 10.2.0.5 via 10.1.0.5, for windows route add 10.2.0.5 mask 255.255.255.255 10.1.0.5)
Configurate the source address translation (NAT) on the router to rewrite the address of the Hb to the router address. The iptables rule to do it:

iptables -t nat -A POSTROUTING -o <iface-N2> --src 10.1.0.3 --dst 10.2.0.5 -j MASQUERADE

Perfect answer, thank you! – fitcfitcfatc Jul 22 '19 at 19:36 — fitcfitcfatc, Jul 22 '19 at 19:36

Different MAC addresses in packet and ARP table

1 Answers1