In this story, I show you how to clear the Address Resolution Protocol cache (ARP cache). This story is based largely on a post I made to the pfSense forums back in December, 2010.
Recently I swapped out an internet router that was in production and replaced it with a router of the same make and model, with the exact same configuration. Both routers were running pfSense 2. The only difference was that the WAN network interface adapter had a different MAC address.
In addition to one physical IP address, the WAN interface also had multiple virtual IP addresses (e.g. CARP and Proxy ARP addresses) bound to it. After doing the swap, the replacement router did not receive any packets where the destination IP was a virtual IP. For example, pings from the internet to any virtual IP address were not responding. However, pings of the physical IP address did respond.
I was pulling my hair out, thinking that I misconfigured something on the replacement router because we’ve done similar router swaps in the past and never had problems with virtual IP addresses.
After waiting several hours, the ISP’s ARP cache finally cleared and the replacement router was again receiving packets destined for the router’s virtual IP addresses.
After searching the pfSense forums, I found the post Virtual IP Proxy Arp Not Working, which was very helpful. In the post, Jimp suggested using the command arping -S. The original poster said that arping -S did not work for him. However, it did work for me.
In my case, I had to add the -i switch to specify which interface to send the arping out. Specifically, here is the syntax that worked for me and forced my ISP’s ARP cache to be cleared immediately:
arping -i <interface name> -S <virtual IP address that I want cleared from arp cache> <IP address of ISP’s gateway>
For example:
arping -i sis2 -S 192.168.1.50 192.168.1.1
I’m not sure if the -S switch causes a “gratuitous” ARP packet to be sent out or if something else is happening under the hood. There is a good discussion of this here (scroll down to the “ARP Cache” section). If you’re curious, version 2.09 of the arping package in pfSense version 2.0-BETA4 appears to use Thomas Habets’ arping and not Alexey Kuznetsov’s arping. If you were using Alexey Kuznetsov’s arping, I think the magic switch for gratuitous ARP is -U.
In my case, my virtual IPs were CARP VIPs. However, I would imagine arping -S would probably also work with Proxy ARP VIPs.
Physical IPs (i.e. real interface IPs, not virtual IPs) seem to get automatically cleared from the ISP’s ARP cache immediately without using arping -S. You might have to reboot or it might be enough just to bring the interface up. I can’t remember what I did in my case.
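The following is an added example, not code from the original post or from pfSense: it models how a neighbor's ARP cache treats a request whose sender address is the virtual IP, following the receive rules in RFC 826. It assumes arping -S places the -S address in the sender field and that the request carries the new adapter's MAC; the MAC addresses, function names and cache are constructed for illustration, and nothing is sent on the wire.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # RFC 826 layout for Ethernet/IPv4, 28 bytes

def build_arp_request(sender_mac, sender_ip, target_ip):
    """Pack a who-has request; the target MAC is zero because it is unknown."""
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, 1,
                       bytes.fromhex(sender_mac.replace(":", "")),
                       socket.inet_aton(sender_ip),
                       b"\x00" * 6, socket.inet_aton(target_ip))

def receive_arp(cache, my_ip, packet):
    """Apply the RFC 826 receive logic; return 'updated', 'added' or 'ignored'."""
    if len(packet) < struct.calcsize(ARP_FMT):
        return "ignored"  # truncated frame
    htype, ptype, hlen, plen, _op, sha, spa, _tha, tpa = struct.unpack(
        ARP_FMT, packet[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return "ignored"  # not Ethernet/IPv4
    sender_ip = socket.inet_ntoa(spa)
    sender_mac = ":".join(f"{b:02x}" for b in sha)
    if sender_ip in cache:
        # An existing entry is overwritten regardless of opcode or target.
        cache[sender_ip] = sender_mac
        return "updated"
    if socket.inet_ntoa(tpa) == my_ip:
        # A new entry is created only when the packet is addressed to us.
        cache[sender_ip] = sender_mac
        return "added"
    return "ignored"

# Constructed sample values (MACs from the RFC 7042 documentation range).
OLD_MAC, NEW_MAC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"

def demo():
    """Gateway 192.168.1.1 holds a stale entry for the VIP 192.168.1.50."""
    cache = {"192.168.1.50": OLD_MAC}
    packet = build_arp_request(NEW_MAC, "192.168.1.50", "192.168.1.1")
    return receive_arp(cache, "192.168.1.1", packet), cache

if __name__ == "__main__":
    print(demo())
```

Under these rules the stale entry is replaced as soon as the request arrives, which matches the immediate effect described above; a real gateway may apply additional vendor-specific ARP filtering that this model does not cover.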
