Strange address Shown in the dhcp leases
-
Why don't you look in the actual file for what it shows for the end date, and see what we have..
example
[2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leaseslease 192.168.2.216 {
starts 6 2015/06/13 12:04:00;
ends 3 2015/06/17 12:04:00;
cltt 6 2015/06/13 12:04:00;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet ac:fd:ec:62:34:97;
uid "\001\254\375\354b4\227";
client-hostname "Johns-Phone";cltt stands for Client Last Transaction Time, not sure why its showing that vs the end date? I would also track down what device it is, that is clearly an ODD mac..
Where the last line ```
client-hostname "Johns-Phone";It is not registered anything in the output of the command (in my computer) and now it is cltt 6lease 192.168.0.43 {
starts 6 2015/06/13 21:31:09;
ends never;
cltt 6 2015/06/13 21:31:09;
binding state active;
next binding state free;
rewind binding state free;
hardware ethernet 00
00:00:00:00;How exactly do I use with this ACL option I have to enroll all Mac addresses of all computers on the network One by one comma separated it says partial MAC addresses Which part ? -
edit3
My post was about wireless security, and did not belong here.
I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
/edit 3edit2
Looks like @cmb has a really good answer. Thanks :-)
/edit2 -
…
it says partial MAC addresses
Which part ?http://www.gcstech.net/macvendor/index.php?node=macsea
-
That's a BOOTP lease, which is why it looks weird.
Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.
There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.
It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. A nmap scan with OS identification enabled might be telling.
-
checking now but even if it is why would it be set to never expire?
BOOTP leases never expire.
-
That MAC seems to be something a number of other people have seen pulling BOOTP leases, though at a glance through Google results I don't see anyone who found the source of it. Might be worthwhile to dig through those results more closely.
https://www.google.com/webhp?q=%220000:00:00:00%22 -
I know
Already encountered this once
Last time i simply blocked the addressThis time I wanted to know where it came from
-
well track it down – its clearly on your network..
-
I've checked
No device in my network
Have such addressThat's why I ask
I blocked it again
As before -
Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.
Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.
-
Sorry but its has to be something on your network..
Could be something like a media player, dvr, doubt its your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
-
Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.
-
Is your lan bridged to your wireless? If showing up on your lan - clearly its on your network ;)
-
No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.
Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VM's I've had running? I'm out of ideas.
-
So your wireless is on the same network as your lan - ie bridged..
-
If that's what "bridged" means then yes. It is on the same subnet as LAN.
-
Sorry but its has to be something on your network..
Could be something like a media player, dvr, doubt its your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
Here is a list of all the addresses on my network
1-27 are static addressesand 43 is Dynamic address
If I shut down the DHCP
I assume he could not get access to the network
but Guests also can notIf I delete this address
After a while, it comes back
Can be after 10 minutes
Can be after two hours
Can be after 16 hours
No fixed timeYou can not ping to it
PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data. From 192.168.0.2 icmp_seq=1 Destination Host Unreachable From 192.168.0.2 icmp_seq=2 Destination Host Unreachable From 192.168.0.2 icmp_seq=3 Destination Host Unreachable From 192.168.0.2 icmp_seq=4 Destination Host Unreachable From 192.168.0.2 icmp_seq=5 Destination Host Unreachable From 192.168.0.2 icmp_seq=6 Destination Host Unreachable From 192.168.0.2 icmp_seq=7 Destination Host Unreachable From 192.168.0.2 icmp_seq=8 Destination Host Unreachable From 192.168.0.2 icmp_seq=9 Destination Host UnreachableI do not have a smart switch
i see this address on my LAN
i have WAN ,LAN, WIFI, and BRIDGE (lan and wifi)I have 2 routers that serve as an access point
edimax 192.168.0.104
dlink 192.168.0.101
a network card on the pfsense also as AP (the wifi)
and one cisco access point (192.168.0.25)
all have fixed (static) IP
DHCP shut down in the routersI went physically at home to each device that connects to the network
And checked Mack addresses the same as in the DHCP leases
 -
If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where. I think there's also an nmap package for pfSense that would also scan your network and determine what is running where. Very handy and powerful utility.
-
what is "NIX box" ??
Know the package which is installed
It does not show anything -
Well without 3 different AP and wireless and wired on the same lan without a smart switch.. Yeah going to have a hard time tracking it down.
So your sure its showing up on your lan interface? Or your just seeing it hit your dhcp server? Why don't you sniff for the bootp packets.. This might give you some better clue to what the device in the details of the packet.
And you don't need a nix (unix/linux) box to run nmap, runs on windows just fine. Not sure that would help - the OS identification isn't very good if you ask me.
So can not ping, but it arps?? So when you try and ping that IP, and you look in your arp table you see it?
Destination host unreach normally means it didn't arp..
So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..
So is your wireless open, or secured.. Change your psk, if can not assoicate with your wireless its not possible for it to get a lease from your dhcp server. If still happens could be one of your routers acting as AP.. Turn 1 off at a time until you don't get it showing up any more.
Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?
