Strange address Shown in the dhcp leases
-
Access Control List(s)
In pfSense have a look at Services: DHCP server [MAC Address Control]
-
Why don't you look in the actual file for what it shows for the end date, and see what we have..
example
```
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases
lease 192.168.2.216 {
starts 6 2015/06/13 12:04:00;
ends 3 2015/06/17 12:04:00;
cltt 6 2015/06/13 12:04:00;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet ac:fd:ec:62:34:97;
uid "\001\254\375\354b4\227";
client-hostname "Johns-Phone";
```
cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..

Where the last line
```
client-hostname "Johns-Phone";
```
It is not registered anything in the output of the command (in my computer) and now it is cltt 6
```
lease 192.168.0.43 {
starts 6 2015/06/13 21:31:09;
ends never;
cltt 6 2015/06/13 21:31:09;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 0000:00:00:00;
```
How exactly do I use this ACL option? I have to enroll all MAC addresses of all computers on the network one by one, comma separated? It says partial MAC addresses. Which part?
-
edit3
My post was about wireless security, and did not belong here.
I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
/edit 3
edit2
Looks like @cmb has a really good answer. Thanks :-)
/edit2
-
…
it says partial MAC addresses
Which part ?
http://www.gcstech.net/macvendor/index.php?node=macsea
-
That's a BOOTP lease, which is why it looks weird.
Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.
There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.
It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. An nmap scan with OS identification enabled might be telling.
-
checking now but even if it is why would it be set to never expire?
BOOTP leases never expire.
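
An added example, not part of the thread and not pfSense code: a small Python parser for the `dhcpd.leases` format quoted above that flags the two things this lease stood out for, an `ends never` (BOOTP) lease and a `hardware ethernet` value that is not six colon-separated octets. The sample text is constructed from the two leases quoted in the thread, and the function names are made up for this example.

```python
import re
# Constructed sample: the two leases quoted in this thread, trimmed, braces closed.
SAMPLE = '''
lease 192.168.2.216 {
  ends 3 2015/06/17 12:04:00;
  cltt 6 2015/06/13 12:04:00;
  hardware ethernet ac:fd:ec:62:34:97;
  client-hostname "Johns-Phone";
}
lease 192.168.0.43 {
  ends never;
  cltt 6 2015/06/13 21:31:09;
  hardware ethernet 0000:00:00:00;
}
'''

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)

def parse_leases(text):
    """One dict per lease block (naive: assumes no ';' or '}' inside quoted values)."""
    leases = []
    for ip, body in LEASE_RE.findall(text):
        rec = {"ip": ip, "ends": None, "cltt": None, "mac": None, "hostname": None}
        for stmt in body.split(";"):
            words = stmt.split()
            if len(words) < 2:
                continue
            if words[0] in ("ends", "cltt"):
                rec[words[0]] = " ".join(words[1:])
            elif words[:2] == ["hardware", "ethernet"] and len(words) > 2:
                rec["mac"] = words[2]
            elif words[0] == "client-hostname":
                rec["hostname"] = words[1].strip('"')
        leases.append(rec)
    return leases

def review(leases):
    """Map lease IP -> list of reasons it deserves a closer look."""
    findings = {}
    for rec in leases:
        reasons = []
        if rec["ends"] == "never":
            reasons.append("never expires (BOOTP lease)")
        if rec["mac"] is None or not MAC_RE.match(rec["mac"]):
            reasons.append("MAC is not six colon-separated octets")
        if reasons:
            findings[rec["ip"]] = reasons
    return findings
```

On pfSense, the text to pass to `parse_leases` is the contents of `/var/dhcpd/var/db/dhcpd.leases`, the file shown earlier in the thread. A missing hostname is recorded but not flagged, since clients that send none are not unusual.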
-
That MAC seems to be something a number of other people have seen pulling BOOTP leases, though at a glance through Google results I don't see anyone who found the source of it. Might be worthwhile to dig through those results more closely.
https://www.google.com/webhp?q=%220000:00:00:00%22
-
I know
Already encountered this once
Last time I simply blocked the address
This time I wanted to know where it came from
-
Well, track it down – it's clearly on your network..
-
I've checked
No device in my network
Have such address
That's why I ask
I blocked it again
As before
-
Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.
Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.
-
Sorry but it has to be something on your network..
Could be something like a media player, dvr, doubt it's your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
-
Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.
-
Is your lan bridged to your wireless? If showing up on your lan - clearly it's on your network ;)
-
No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.
Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VMs I've had running? I'm out of ideas.
-
So your wireless is on the same network as your lan - ie bridged..
-
If that's what "bridged" means then yes. It is on the same subnet as LAN.
-
Sorry but it has to be something on your network..
Could be something like a media player, dvr, doubt it's your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
Here is a list of all the addresses on my network
1-27 are static addresses
and 43 is Dynamic address
If I shut down the DHCP
I assume he could not get access to the network
but Guests also can not
If I delete this address
After a while, it comes back
Can be after 10 minutes
Can be after two hours
Can be after 16 hours
No fixed time
You can not ping to it
```
PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data.
From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
From 192.168.0.2 icmp_seq=4 Destination Host Unreachable
From 192.168.0.2 icmp_seq=5 Destination Host Unreachable
From 192.168.0.2 icmp_seq=6 Destination Host Unreachable
From 192.168.0.2 icmp_seq=7 Destination Host Unreachable
From 192.168.0.2 icmp_seq=8 Destination Host Unreachable
From 192.168.0.2 icmp_seq=9 Destination Host Unreachable
```
I do not have a smart switch
I see this address on my LAN
I have WAN, LAN, WIFI, and BRIDGE (lan and wifi)
I have 2 routers that serve as an access point
edimax 192.168.0.104
dlink 192.168.0.101
a network card on the pfsense also as AP (the wifi)
and one cisco access point (192.168.0.25)
all have fixed (static) IP
DHCP shut down in the routers
I went physically at home to each device that connects to the network
And checked MAC addresses the same as in the DHCP leases
![mac address.png](/public/imported_attachments/1/mac address.png)
-
If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where. I think there's also an nmap package for pfSense that would also scan your network and determine what is running where. Very handy and powerful utility.
-
what is "NIX box" ??
Know the package which is installed
It does not show anything