Netgate Discussion Forum

    Strange address Shown in the dhcp leases

      firefox

      @johnpoz:

      Why don't you look in the actual file for what it shows for the end date, and see what we have..

      example

      ```
      [2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

      lease 192.168.2.216 {
        starts 6 2015/06/13 12:04:00;
        ends 3 2015/06/17 12:04:00;
        cltt 6 2015/06/13 12:04:00;
        binding state active;
        next binding state free;
        rewind binding state free;
        hardware ethernet ac:fd:ec:62:34:97;
        uid "\001\254\375\354b4\227";
        client-hostname "Johns-Phone";
      }
      ```

      cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date?  I would also track down what device it is, that is clearly an ODD MAC..

      Where the last line

      ```
      client-hostname "Johns-Phone";
      ```

      It does not register anything in the output of the command (on my computer)

      and now it is cltt 6

      ```
      lease 192.168.0.43 {
        starts 6 2015/06/13 21:31:09;
        ends never;
        cltt 6 2015/06/13 21:31:09;
        binding state active;
        next binding state free;
        rewind binding state free;
        hardware ethernet 00:ab:00:00:00:00;
      }
      ```

      How exactly do I use this ACL option?

      I have to enroll all MAC addresses of all computers on the network
      One by one comma separated
      
      it says partial MAC addresses
      Which part ?
        motionthings

        edit3
        My post was about wireless security, and did not belong here.
        I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
        /edit 3

        edit2
        Looks like @cmb has a really good answer. Thanks :-)
        /edit2

        Intel Core i3, 8GB RAM, 2x Intel Gigabit NIC's.
        CURRENT network: https://cacoo.com/diagrams/1Fh6EcMdZLjGq3zj
        Planned network: https://cacoo.com/diagrams/y2rMw37kzlzcHzZy
        Read BOFH (Bastard Operator From Hell): http://bofh.ntk.net/BOFH/index.php

          hda

          @firefox:

          …
          it says partial MAC addresses
          Which part ?

          http://www.gcstech.net/macvendor/index.php?node=macsea

            cmb

            That's a BOOTP lease, which is why it looks weird.

            Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.

            There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.

            It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. A nmap scan with OS identification enabled might be telling.

              cmb

              @Jailer:

              checking now but even if it is why would it be set to never expire?

              BOOTP leases never expire.

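As an added example (not code from any poster in this thread or from pfSense), the Python sketch below parses text in the `dhcpd.leases` format quoted above and lists active leases written with `ends never`, which is how the BOOTP lease discussed in the replies above appears. The sample leases, including the second `cltt` timestamp, are constructed and the function names are this example's own; it assumes the last block for an IP address is the current one, since dhcpd appends to the file.

```python
import re
from datetime import datetime

# Constructed sample in dhcpd.leases format; 192.168.0.43 appears twice on purpose.
SAMPLE_LEASES = """\
lease 192.168.2.216 {
  ends 3 2015/06/17 12:04:00;
  binding state active;
  hardware ethernet ac:fd:ec:62:34:97;
  client-hostname "Johns-Phone";
}
lease 192.168.0.43 {
  ends never;
  cltt 6 2015/06/13 21:31:09;
  binding state active;
  hardware ethernet 00:ab:00:00:00:00;
}
lease 192.168.0.43 {
  ends never;
  cltt 0 2015/06/14 07:12:40;
  binding state active;
  next binding state free;
  hardware ethernet 00:ab:00:00:00:00;
}
"""

LEASE_BLOCK = re.compile(r"^lease\s+(\S+)\s*\{\s*$(.*?)^\}", re.S | re.M)

def parse_leases(text):
    """Return {ip: lease}. Later blocks for the same IP replace earlier ones."""
    current = {}
    for ip, body in LEASE_BLOCK.findall(text):
        lease = {"ip": ip, **dict.fromkeys(("mac", "hostname", "state", "ends", "cltt"))}
        for line in body.splitlines():
            words = line.strip().rstrip(";").split()
            if not words:
                continue
            if words[0] in ("ends", "cltt"):   # "<weekday> <date> <time>" or "never"
                lease[words[0]] = "never" if words[1] == "never" else datetime.strptime(
                    " ".join(words[2:4]), "%Y/%m/%d %H:%M:%S")
            elif words[:2] == ["hardware", "ethernet"]:
                lease["mac"] = words[2].lower()
            elif words[:2] == ["binding", "state"]:   # not "next"/"rewind binding state"
                lease["state"] = words[2]
            elif words[0] == "client-hostname":
                lease["hostname"] = line.split('"')[1]
        current[ip] = lease
    return current

def never_expiring(leases):
    """Active leases with no expiry, most recent client contact (cltt) first."""
    hits = [l for l in leases.values() if l["ends"] == "never" and l["state"] == "active"]
    return sorted(hits, key=lambda l: l["cltt"] or datetime.min, reverse=True)
```

Comparing the reported `cltt` between runs shows whether the device is still contacting the server, which is the "semi-active" behaviour described above.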
                cmb

                That MAC seems to be something a number of other people have seen pulling BOOTP leases, though at a glance through Google results I don't see anyone who found the source of it. Might be worthwhile to dig through those results more closely.
                https://www.google.com/webhp?q=%2200:ab:00:00:00:00%22

                  firefox

                  I know
                  Already encountered this once
                  Last time I simply blocked the address

                  This time I wanted to know where it came from

                    johnpoz LAYER 8 Global Moderator

                    well track it down – it's clearly on your network..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 25.07 | Lab VMs 2.8, 25.07

                      firefox

                      I've checked
                      No device in my network
                      Have such address

                      That's why I ask

                      I blocked it again
                      As before

                        Jailer

                        Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.

                        Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.

                          johnpoz LAYER 8 Global Moderator

                          Sorry but it has to be something on your network..

                          Could be something like a media player, dvr, doubt it's your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?

                          What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?

                            Jailer

                            Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.

                              johnpoz LAYER 8 Global Moderator

                              Is your lan bridged to your wireless?  If showing up on your lan - clearly it's on your network ;)

                                Jailer

                                No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.

                                Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VM's I've had running? I'm out of ideas.

                                  johnpoz LAYER 8 Global Moderator

                                  So your wireless is on the same network as your lan - ie bridged..

                                    Jailer

                                    If that's what "bridged" means then yes. It is on the same subnet as LAN.

                                      firefox

                                      @johnpoz:

                                      Sorry but it has to be something on your network..

                                      Could be something like a media player, dvr, doubt it's your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?

                                      What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?

                                      Here is a list of all the addresses on my network
                                      1-27 are static addresses

                                      and 43 is Dynamic address

                                      If I shut down the DHCP
                                      I assume he could not get access to the network
                                      but Guests also can not

                                      If I delete this address
                                      After a while, it comes back
                                      Can be after 10 minutes
                                      Can be after two hours
                                      Can be after 16 hours
                                      No fixed time

                                      You can not ping to it

                                      ```
                                      PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data.
                                      From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=4 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=5 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=6 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=7 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=8 Destination Host Unreachable
                                      From 192.168.0.2 icmp_seq=9 Destination Host Unreachable
                                      ```

                                      I do not have a smart switch
                                      I see this address on my LAN
                                      I have WAN, LAN, WIFI, and BRIDGE (lan and wifi)

                                      I have 2 routers that serve as an access point
                                      edimax 192.168.0.104
                                      dlink 192.168.0.101
                                      a network card on the pfsense also as AP (the wifi)
                                      and one cisco access point (192.168.0.25)
                                      all have fixed (static) IP
                                      DHCP shut down in the routers

                                      I went physically at home to each device that connects to the network
                                      And checked MAC addresses the same as in the DHCP leases

                                      ![mac address.png](/public/imported_attachments/1/mac address.png)

                                        tim.mcmanus

                                        If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where.  I think there's also an nmap package for pfSense that would also scan your network and determine what is running where.  Very handy and powerful utility.

                                          firefox

                                          what is "NIX box" ??

                                          Know the package which is installed
                                          It does not show anything

                                            johnpoz LAYER 8 Global Moderator

                                            Well without 3 different AP and wireless and wired on the same lan without a smart switch.. Yeah going to have a hard time tracking it down.

                                            So you're sure it's showing up on your lan interface?  Or you're just seeing it hit your dhcp server?  Why don't you sniff for the bootp packets..  This might give you some better clue to what the device is in the details of the packet.

                                            And you don't need a nix (unix/linux) box to run nmap, runs on windows just fine.  Not sure that would help - the OS identification isn't very good if you ask me.

                                            So can not ping, but it arps??  So when you try and ping that IP, and you look in your arp table you see it?

                                            Destination host unreach normally means it didn't arp..

                                            So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..

                                            So is your wireless open, or secured..  Change your psk, if it can not associate with your wireless it's not possible for it to get a lease from your dhcp server.  If still happens could be one of your routers acting as AP..  Turn 1 off at a time until you don't get it showing up any more.

                                            Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?

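The packet inspection suggested in the post above, as an added example that is not part of the thread: a Python parser for the UDP payload of a client request to port 67. It reports the client MAC, whether the request is plain BOOTP or DHCP (presence of option 53), and any hostname or vendor class the client sent. Both sample packets are constructed and the function names are this example's own.

```python
import struct

MAGIC_COOKIE = bytes([99, 130, 83, 99])              # marks the start of the options area
FIXED = struct.Struct("!BBBBIHH4s4s4s4s16s64s128s")  # 236-byte fixed BOOTP header

def parse_options(data):
    """Walk the code/length/value options; stop at END (255) or on truncation."""
    opts, i = {}, 0
    while i < len(data) and data[i] != 255:
        if data[i] == 0:                  # PAD is a single byte with no length
            i += 1
            continue
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            break                         # truncated option: keep what parsed cleanly
        opts[data[i]] = data[i + 2:i + 2 + data[i + 1]]
        i += 2 + data[i + 1]
    return opts

def _text(raw):
    return raw.split(b"\0")[0].decode("ascii", "replace") or None

def describe(payload):
    """Summarise one client request (UDP payload sent to port 67)."""
    if len(payload) < FIXED.size:
        raise ValueError("shorter than the fixed BOOTP header")
    (op, _htype, hlen, _hops, xid, _secs, _flags,
     _ci, _yi, _si, _gi, chaddr, _sname, bootfile) = FIXED.unpack_from(payload)
    vend = payload[FIXED.size:]
    opts = parse_options(vend[4:]) if vend[:4] == MAGIC_COOKIE else {}
    return {
        "is_request": op == 1,
        "xid": xid,
        "mac": ":".join(f"{b:02x}" for b in chaddr[:min(hlen, 16)]),
        # DHCP clients must send option 53 (message type); without it the request is plain BOOTP
        "protocol": "DHCP" if 53 in opts else "BOOTP",
        "hostname": _text(opts.get(12, b"")),
        "vendor_class": _text(opts.get(60, b"")),
        "boot_file": _text(bootfile),
    }

def build_request(mac, vend):
    """Constructed test input: a BOOTREQUEST with the given MAC and options area."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    zero = bytes(4)
    head = FIXED.pack(1, 1, 6, 0, 0x1234, 0, 0, zero, zero, zero, zero, chaddr, bytes(64), bytes(128))
    return head + vend

# Constructed samples: a bare BOOTP request and a DHCPDISCOVER carrying a hostname.
BOOTP_SAMPLE = build_request("00:ab:00:00:00:00", bytes(64))
DHCP_SAMPLE = build_request("ac:fd:ec:62:34:97",
                            MAGIC_COOKIE + bytes([53, 1, 1, 12, 11]) + b"Johns-Phone" + bytes([255]))
```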
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.