Arp blocks my internet connection.

Peace · November 15, 2011, 2:26pm

Hi,
Arp blocks my internet connection.
How do i configure Comodo fw so that arp would work?
Im using a mobilebroadband dongle (dynamic IP).
Please help, thanks.

ipadress xx.xxx.xxx.45

subnetmask 255.255.255.0

defaulgateway xx.xxx.xxx.47

dhcp server xx.xxx.xxx.46

dnsservers yyy.yy.yyy.yyy
yyy.yy.yyy.yyy

Radaghast · November 15, 2011, 7:08pm

Can you provide some more information please, such why you believe ‘ARP’ may be responsibly for blocking your Internet connection, describe what is being blocked and if you have any details of the blocks from the firewall/D+ log files.

Peace · November 16, 2011, 10:39am

Hi Radaghast and thanks for the reply.
As soon as i check one of them or both (“Protect the ARP Cache” and “Block Gratuitous ARP Frames”) internet stops working and starts to work again if i uncheck them.
I did check the logs but nothing blocked showed up. The only thing that showed up (not blocked)are the subnetmask when i enable arp and that is on the firewalltab. Maybe the gateway are the culprit? MAC?

I use this config…“Block all incoming connections and make my ports stealth for everyone”. Im not using CFW at the moment so that is all i can recall. (stopped using CFW when arp blocked my connection.)
I did some “research” and it seems that its a common problem with people advising others to just uncheck the arp. Imho that’s not a solution.

Radaghast · November 16, 2011, 10:56am

Are you behind a router, if so, what kind of connection are you using, wired or wifi? If wifi, is it an open network?

Peace · November 16, 2011, 5:22pm

Im only using a 3g mobile broadband dongle (dynamic IP). No router.

Radaghast · November 16, 2011, 11:47pm

The only thing I can think of is some incomparability between the ARP protection features of CIS and something in your environment, the USB modem perhaps. As you probably know, ARP is a very simple protocol, whose function is to convert IP addresses to MAC addresses and to maintain a table of such translations.

As the protocol is broadcast based, the protection mechanisms in CIS are typically of little use to most ‘home’ users who are behind a router, simply because ARP attacks typically require physical access to the network, hence my previous question.

If you absolutely need some sort of ARP protection and CIS is causing you problems, you could use static entries, although that might be a little impractical in your situation but it may be worth a look. There’s a useful tool here. If you’re using XP you can also take a look at winarpwatch. There are others.

Peace · November 18, 2011, 9:17am

Thank you for your reply Radaghast, i appreciate you taking the time to help others out.
I still want arp (Comodo) to work properly

These addresses below are similar except for the last digit, could that be the reason?

ipadress xx.xxx.xxx.45
defaulgateway xx.xxx.xxx.47
dhcp server xx.xxx.xxx.46

Surely this must be a common “problem” for 3g mobilebroadband users?

Radaghast · November 18, 2011, 9:52am

I don’t know for sure how the ARP cache protection feature works in CIS but I’m pretty confident the IP addresses of devices on the segment aren’t going to make any difference to whether ARP protection in CIS causes problems for you. As I said, ARP is really quite a simple protocol with very little to do apart from identify a MAC address from an IP address and then store that information in a table, which is consulted every time a connection is attempted to a remote device.

With typical ARP cache poisoning attacks, the attacker attempts to place an entry in the ARP cache of your PC, which redirects traffic through their workstation instead of sending it to the ‘real’ gateway. If you were to create and maintain, which on windows is a bit of a pain, a static entry for the gateway, you should be able to circumvent this.

With regard to blocking gratuitous arp requests, you might want to consider the reasons for not enabling this option before doing so. In fact there are numerous reasons why blocking these frames can actually be quite detrimental to network communication. However, that choice is yours.

The aforementioned aside, can you provide any additional information about the problems you’re experiencing, as the partial IP addresses of a few devices doesn’t tell us very much.

Peace · November 21, 2011, 6:20pm

Hi Radaghast
sorry to bother you again…

Installed CFW in order to provide more info.
Nothing blocked shows up in the C log.

Windows event viewer:

The IP address lease xx.xxx.xxx.233 for the Network Card with network address yyyyyyyyy has been denied by the DHCP server xx.xxx.xxx.240 (The DHCP Server sent a DHCPNACK message).

Radaghast · November 23, 2011, 4:01am

DHCPNACK messages are not all that uncommon and may be generated for a number of reasons. A typical scenario is where your client attempts to renew it’s current IP address with the DHCP server and for whatever the DHCP server denies the request. If these messages are occurring very frequently, I’d suggest speaking with your ISP, as it may indicate a problem with their DHCP service.

Peace · November 23, 2011, 2:45pm

Hi Radaghast
My bad, i didnt clarify…
I get those messages only when i enable ARP in Comodo.

Radaghast · November 23, 2011, 3:08pm

I don’t really see how the two can be related, they’re quite different processes. Also, ARP won’t be involved in the decision to reject an IP address lease or renewal.

Best I can suggest, if you believe there’s a problem with the ARP protection feature, is to post a Bug Report, with all the details you can. Just use the template