Strange address shown in the DHCP leases
-
And? What's strange about 192.168.0.34? Or you mean the MAC? Everyone can set their MAC to anything they want in seconds, including invalid values.
-
I have the same entry, different IP and it's set to never expire. It's not any device in my network.
-
Maybe a VM on one of your computers? I don't have that MAC showing up in my list…
-
checking now but even if it is why would it be set to never expire?
-
i don't have a VM
and i mean the MAC
and the status cltt 3
what is cltt 3 ??
-
prob got some kind of corruption in the leases db.. just delete it..
-
It came back
this time listed cltt 5 not 3
Could it be that someone is trying to get in to the network
wirelessly ??
-
Why don't you look in the actual file for what it shows for the end date, and see what we have..
example
```
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases
lease 192.168.2.216 {
  starts 6 2015/06/13 12:04:00;
  ends 3 2015/06/17 12:04:00;
  cltt 6 2015/06/13 12:04:00;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet ac:fd:ec:62:34:97;
  uid "\001\254\375\354b4\227";
  client-hostname "Johns-Phone";
```
cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..
-
how do i see this file
i did ssh to the Machine (Reminds me person of interest)
and Paste this /var/dhcpd/var/db: cat dhcpd.leases
i got this
/var/dhcpd/var/db:: Too many arguments.
-
i did ssh to the Machine (Reminds me person of interest)
and Paste this /var/dhcpd/var/db: cat dhcpd.leases
try:
cd /var/dhcpd/var/db
cat dhcpd.leases
or:
cat /var/dhcpd/var/db/dhcpd.leases
or:
less /var/dhcpd/var/db/dhcpd.leases
These are basic FreeBSD commands.
There are many primers/HowTos on the commands and how/when to use them available with a quick Google search.
-
this is what i got
```
# The format of this file is documented in the dhcpd.leases(5) manual page.
# This lease file was written by isc-dhcp-4.2.6

lease 192.168.0.30 {
  starts 1 2015/05/25 04:04:19;
  ends 1 2015/05/25 06:04:19;
  tstp 1 2015/05/25 06:04:19;
  cltt 1 2015/05/25 04:04:19;
  binding state free;
  hardware ethernet 00:1c:85:0d:1d:68;
  uid "\001\000\034\205\015\035h";
}
lease 192.168.0.31 {
  starts 3 2015/05/27 12:43:26;
  ends 3 2015/05/27 14:43:26;
  tstp 3 2015/05/27 14:43:26;
  cltt 3 2015/05/27 12:43:26;
  binding state free;
  hardware ethernet 54:35:30:b1:da:f5;
  uid "\001T50\261\332\365";
}
lease 192.168.0.32 {
  starts 0 2015/05/31 19:16:46;
  ends 0 2015/05/31 21:16:46;
  tstp 0 2015/05/31 21:16:46;
  cltt 0 2015/05/31 19:16:46;
  binding state free;
  hardware ethernet 94:35:0a:23:07:f3;
  uid "\001\2245\012#\007\363";
}
lease 192.168.0.33 {
  starts 4 2015/06/04 06:42:41;
  ends 5 2015/06/05 06:42:41;
  tstp 5 2015/06/05 06:42:41;
  cltt 4 2015/06/04 06:42:41;
  binding state free;
  hardware ethernet 0c:74:c2:e1:78:f9;
  uid "\001\014t\302\341x\371";
}
lease 192.168.0.36 {
  starts 4 2015/06/11 15:39:16;
  ends 4 2015/06/11 17:39:16;
  tstp 4 2015/06/11 17:39:16;
  cltt 4 2015/06/11 15:39:16;
  binding state free;
  hardware ethernet f8:d1:11:16:4b:d9;
}
lease 192.168.0.35 {
  starts 4 2015/06/11 15:41:11;
  ends 4 2015/06/11 17:41:11;
  tstp 4 2015/06/11 17:41:11;
  cltt 4 2015/06/11 15:41:11;
  binding state free;
  hardware ethernet 00:1b:38:46:27:6b;
}
lease 192.168.0.37 {
  starts 4 2015/06/11 15:41:19;
  ends 4 2015/06/11 17:41:19;
  tstp 4 2015/06/11 17:41:19;
  cltt 4 2015/06/11 15:41:19;
  binding state free;
  hardware ethernet 00:1c:bf:11:dc:62;
}
lease 192.168.0.42 {
  starts 5 2015/06/12 08:38:46;
  ends 5 2015/06/12 10:38:46;
  tstp 5 2015/06/12 10:38:46;
  cltt 5 2015/06/12 08:38:46;
  binding state free;
  hardware ethernet 94:35:0a:23:07:f3;
  uid "\001\2245\012#\007\363";
}
server-duid "\000\001\000\001\034c\215 \000\002\263\013\253.";
```
-
Could it be that someone is trying to get in to the network. Wirelessly ??
If you are suspicious about (wireless) connections, then do ACL, explicitly allow MAC addresses (therefore deny the undefined) in your AP.
-
what is ACL ?
-
Access Control List(s)
In pfSense have a look at Services: DHCP server [MAC Address Control]
-
Why don't you look in the actual file for what it shows for the end date, and see what we have..
example
```
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases
lease 192.168.2.216 {
  starts 6 2015/06/13 12:04:00;
  ends 3 2015/06/17 12:04:00;
  cltt 6 2015/06/13 12:04:00;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet ac:fd:ec:62:34:97;
  uid "\001\254\375\354b4\227";
  client-hostname "Johns-Phone";
```
cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..
Where the last line
```
client-hostname "Johns-Phone";
```
It is not registered anything in the output of the command (in my computer)
and now it is cltt 6
```
lease 192.168.0.43 {
  starts 6 2015/06/13 21:31:09;
  ends never;
  cltt 6 2015/06/13 21:31:09;
  binding state active;
  next binding state free;
  rewind binding state free;
  hardware ethernet 0000:00:00:00;
```
How exactly do I use this ACL option?
Do I have to enroll all MAC addresses of all computers on the network
one by one, comma separated?
it says partial MAC addresses
Which part ?
-
edit3
My post was about wireless security, and did not belong here.
I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
/edit 3
edit2
Looks like @cmb has a really good answer. Thanks :-)
/edit2
-
…
it says partial MAC addresses
Which part ?
http://www.gcstech.net/macvendor/index.php?node=macsea
-
That's a BOOTP lease, which is why it looks weird.
Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.
There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.
It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address's port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. An nmap scan with OS identification enabled might be telling.
-
checking now but even if it is why would it be set to never expire?
BOOTP leases never expire.
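
As an added example (not part of the thread, and not pfSense or ISC code), this Python sketch parses text in the dhcpd.leases format shown above and flags the two traits discussed here: a lease with `ends never` and a hardware address that is not six colon-separated octets. The sample data is constructed; the parser relies on two points from dhcpd.leases(5), namely that the digit after `cltt` is the weekday (0 = Sunday) and that the last block for an address is the current one.

```python
import re

# Constructed sample in dhcpd.leases(5) syntax, modelled on the entries quoted in this thread.
SAMPLE = """\
lease 192.168.0.42 {
  ends 5 2015/06/12 10:38:46;
  hardware ethernet 94:35:0a:23:07:f3;
}
lease 192.168.0.43 {
  ends never;
  cltt 3 2015/06/10 09:00:00;
  hardware ethernet 0000:00:00:00;
}
lease 192.168.0.43 {
  ends never;
  cltt 6 2015/06/13 21:31:09;
  hardware ethernet 0000:00:00:00;
}
"""

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)
KEEP = {"ends": 1, "cltt": 1, "hardware": 2}  # statement -> leading words to drop

def parse_leases(text):
    """Line-based parse; a later block for the same IP replaces the earlier one."""
    leases, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("lease ") and line.endswith("{"):
            cur = {"ip": line.split()[1]}
        elif line == "}" and cur:
            leases[cur["ip"]] = cur
            cur = None
        elif cur and line.endswith(";"):
            words = line[:-1].split()
            if words and words[0] in KEEP:
                cur[words[0]] = " ".join(words[KEEP[words[0]]:])
    return leases

def review(text):
    """Return (ip, mac, cltt, reasons) for leases worth tracing to a physical device."""
    findings = []
    for lease in parse_leases(text).values():
        mac, reasons = lease.get("hardware", ""), []
        if lease.get("ends") == "never":
            reasons.append("never expires, as BOOTP leases do")
        if not MAC_RE.match(mac):
            reasons.append("malformed hardware address")
        if reasons:
            findings.append((lease["ip"], mac, lease.get("cltt"), reasons))
    return findings
```

Calling `review()` on the contents of `/var/dhcpd/var/db/dhcpd.leases` returns one tuple per flagged address, with the most recent `cltt` showing whether the device is still talking to the DHCP server.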
-
That MAC seems to be something a number of other people have seen pulling BOOTP leases, though at a glance through Google results I don't see anyone who found the source of it. Might be worthwhile to dig through those results more closely.
https://www.google.com/webhp?q=%220000:00:00:00%22