Tom here from Lawrence Systems, and we're going to talk about a pfSense package called Arpwatch. Arpwatch automatically creates a per-network database from ARP entries, then alerts on adds or changes to those MAC/IP combinations. The Arpwatch tool is especially useful for network administrators to keep an eye on and watch ARP activity to detect ARP spoofing or unexpected IP/MAC address modifications, such as someone plugging in something you didn't expect. Now, you wouldn't want to run this on a guest network, because that would be very noisy, because it sends you an email alert for each change it finds. But for a network that you have locked down, where you don't expect changes, maybe a server or a storage network, it's good to run Arpwatch because it shouldn't make any noise at all. And when it does, that's a cause for concern and a reason to investigate. So really, any static network that you want to keep a good eye on is a good place to run this.

Now there's a prerequisite, and the first thing we're going to be doing is showing you how to set up notifications in pfSense, specifically email notifications. That's the way Arpwatch sends out this data. So this is good to use in your own network, but it can also be very helpful for remotely monitored networks, if you're an IT service provider and would like to know when something's changing on the customer's network that you weren't expecting a change on. So let's jump into how to get that set up, and we'll first mention where to get some email if you don't have outbound relay email. Now, I don't have any business affiliation outside of using the DuoCircle SMTP relay, but they do give you a thousand free monthly messages. So they're kind of an easy one to get set up if you're in a home lab environment, but they do require that you have a domain that you can set up secure DKIM with, which is relatively easy to do. I did this in about five minutes by buying a Cloudflare domain.
So if you need somewhere to send outbound relayed email, this is what I'm using, and it works rather well. We're doing this demo on pfSense Plus 23.01, but this will work just the same in the Community Edition; the package is available in both. The first step is making sure, under System, then Advanced, we go to Notifications. You have to have SMTP working in pfSense to get Arpwatch to send you notifications. If you have Arpwatch set up but this does not work, then they will not work. Of note: when you first load Arpwatch, it is going to send an email for every MAC/IP combo that it finds. So if you have a hundred devices that it finds, it will send a hundred emails. So once you do have SMTP configured, and this is that DuoCircle outbound.mailhop.org that I'm using, I have all the settings in here, the login. It does support SMTP over SSL and TLS. I have all the ports set up, then you hit Test SMTP and make sure it's working. But before you enable Arpwatch, once you know email is working, you might want to disable it to avoid those device discoveries flooding your email. Maybe you want them, maybe you don't. But if you disable it, let Arpwatch populate the database, then go back and enable it after the database is populated, it will only notify you on changes.

Now let's go over and make sure the package is loaded. So we're going to go to the Package Manager, and I see Arpwatch loaded right here. If it's not loaded, you just go over to Available Packages, type in ARP and hit Install. There's no configuration until it's installed, at which point it shows up over here; we're going to go to Services and then Arpwatch. Now I've chosen LAB101, but you can choose each one of the interfaces you want it to listen on. As I noted in the beginning, don't do this on a guest network unless you want to be flooded every time someone joins your guest network. I mean, this can be handy,
so you're always being told when someone is joining and getting an email, or it can end up being email fatigue from getting too many emails. The notifications I have going to labfirewall.launch, but the notification recipient does not need to be the same as the default recipient for notifications inside of pfSense. You can choose where you want them. Maybe you'll set up a separate email, arpwatch at yourdomain.com, so you can receive those emails. Disable cron emails: leave that checked. Zero-pad Ethernet addresses: leave that checked; it's checked by default. Disable reporting on CARP/VRRP external prefixes: that's up to you. I do not want that, so I have it disabled. Disable reporting of bogons: now, these don't send alerts. Bogons are when it finds a MAC but not a matching IP for the subnet; these will go to your syslog. So you may want to pull them out of there if it's something you're interested in. Disable reporting of 0.0.0.0 changes: helpful for busy networks. Yes, if you have a lot of DHCP going on, you may get more of these. Once again, these will go to your syslog. Update vendors: I do recommend this. It updates the Ethernet vendors database, downloaded from standards-oui.ieee.org, and these are the prefixes, because the first couple of prefixes of a MAC determine an assigned vendor name for it. We'll show you how that works. If you want, Reset the database of collected MAC/IP addresses when uninstalling: this is the way to clear Arpwatch. If you uninstall it, it can clear everything out of the database; it's not checked by default. Suppress MAC address is an option. If you want to suppress a MAC that maybe is too noisy for some reason, there are legit reasons outside the scope of this video where you may have something that does ARP spoofing, and you may want to say ignore when that MAC does any ARP spoofing or any of these other options. And you can say which ones and put that on a suppress list.
Now let's show this in action, which is just over here in the database. And we have first the LAN at 192.168.40.1, and there's the MAC address. And this is the MAC address of this system natively, so this is the pfSense system. This right here is the one device we have; we see it was identified as Chelsio Communications. Now what we're going to do next is, since these are discovered, and I have it running and I have SMTP notices turned on, I'm going to add some devices and show you what they look like and how the notifications look. Right, I've added a device to the network, and then it sent me an email: pfsense.lab.localdomain, Arpwatch notification, new station. And that new station is at 192.168.40.158. There's the Ethernet address, and based on the first part of the Ethernet address, it will figure out the Ethernet vendor that it supposedly belongs to, which is Lockheed Martin Tactical Systems. As you can tell, that's easy enough to spoof. Just throw a few different addresses in here and you get some different device names. Now, if you look over here at the database, I actually added two different devices. One says Lawrence Electronics, one says Lockheed Martin, and there they are. So, determined from these MAC addresses, we have an idea of something of note. Where it says unknown, if the vendor is not known in the database, you'll just get an unknown. For example, this pfSense is running virtualized; that's why it doesn't know the actual vendor of what's plugged in here. If you are using many of the devices that are notified, it is nice to be able to see which vendors are plugged into this network; it can give you a good idea. As I note, though, they can be fooled or spoofed, so you can actually be misled by what's on there. But generally, you'll find if you're plugging in, for example, Ubiquiti devices, they all show up as Ubiquiti devices. Now, it's worth noting these can be sorted by IP address, by MAC address, by vendor, by hostname and by timestamp.
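As an added example that is not from the video or the Arpwatch package, here is a small Python re-creation of the checks described above: the per-network MAC/IP database, the "new station" and changed-address mail events, bogons and 0.0.0.0 changes going to syslog, the suppress list, and the OUI vendor lookup. The OUI prefixes, MAC addresses and ARP observations are constructed for the example.

```python
import ipaddress
# Constructed OUI -> vendor table (first three octets of the MAC); the prefixes are made up for
# this example and stand in for the IEEE list the package downloads. Any host can claim any
# prefix, so the vendor name is a hint, not an identity.
OUI_VENDORS = {"00:07:43": "Chelsio Communications", "24:a4:3c": "Ubiquiti"}

def vendor(mac):
    """Vendor lookup on the 3-byte prefix; 'unknown' when the prefix is not in the table."""
    return OUI_VENDORS.get(mac.lower()[:8], "unknown")

def process(observations, subnet, db, suppress=()):
    """Replay (ip, mac) pairs seen on one interface against that interface's database (db,
    ip -> mac, mutated in place) and return the events. 'mail' events are what the package
    emails; bogons and 0.0.0.0 changes are tagged 'syslog' since those are only logged."""
    net = ipaddress.ip_network(subnet)
    events = []
    for ip, mac in observations:
        mac = mac.lower()
        if mac in suppress:                      # suppressed MACs are never reported
            continue
        if ip == "0.0.0.0":                      # DHCP client probing before it has a lease
            events.append(("syslog", "0.0.0.0 change", ip, mac))
            continue
        if ipaddress.ip_address(ip) not in net:  # MAC seen, but IP does not match the subnet
            events.append(("syslog", "bogon", ip, mac))
            continue
        known = db.get(ip)
        if known is None:                        # first time this IP has been seen
            events.append(("mail", "new station", ip, mac, vendor(mac)))
        elif known != mac:                       # same IP now answers from another MAC
            events.append(("mail", "changed ethernet address", ip, mac, known))
        db[ip] = mac
    return events

# Constructed ARP observations on a 192.168.40.0/24 network, in the order they are seen.
SAMPLE = [
    ("192.168.40.1",   "00:07:43:aa:bb:cc"),  # the firewall's own interface
    ("192.168.40.158", "24:a4:3c:11:22:33"),  # a device plugged in
    ("192.168.40.158", "de:ad:be:ef:00:01"),  # the same IP now from a different MAC
    ("0.0.0.0",        "de:ad:be:ef:00:02"),  # DHCP probe
    ("10.9.9.9",       "de:ad:be:ef:00:03"),  # bogon
    ("192.168.40.200", "aa:bb:cc:dd:ee:ff"),  # on the suppress list
]

if __name__ == "__main__":
    db = {}
    for ev in process(SAMPLE, "192.168.40.0/24", db, suppress={"aa:bb:cc:dd:ee:ff"}):
        print(*ev)
    # With the database populated, replaying a known pair produces no new mail.
    print(process([("192.168.40.1", "00:07:43:aa:bb:cc")], "192.168.40.0/24", db))
```

The second call shows why the video suggests letting the database populate before turning notifications back on: only pairs that differ from what is stored produce mail.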
This makes it really easy, and by interface is an option as well, to sort out all the different devices it's discovering. That includes if we add more later; this is why the per-interface view can be very helpful. So if there are any changes across multiple interfaces, they'll all populate right into this database right here. So we hit Save, and that will actually add things to the LAB102 database. It'll take a second to find them, and with a quick page refresh, we see we've added a couple more. Something I want to note is this right here: the first device is called LAN, then it calls the next one OPT1. The naming of the interfaces is not consistent with what you have the interfaces named. So this is LAB101 and LAB102, and if we go to the interface assignments, they're called that here, but behind the scenes it will still pull their OPT1, OPT2. So that's one thing you have to keep in mind when you're looking at it: when you set this up on several different networks, they're going to be named sequentially, OPT1, OPT2, and so on and so forth as they go down.

Now, besides monitoring server networks, I actually think it's useful for camera networks when you're setting them up. One of the advantages is if any of the cameras get moved or changed, or when you're setting up something remotely and you're waiting for a technician to plug in another camera and set it up, you don't have to wonder or look through the DHCP table to find the IP address of it; you'll get a notice right away with the MAC address that it found. And then you can go ahead and maybe make a static reservation for it, or whatever your procedure is for setting it up. But nonetheless, this is a great tool. Let me know your thoughts and comments down below, or head over to my forums for more in-depth discussion. Thanks.