Strange address Shown in the dhcp leases
-
I've checked
No device in my network
Have such addressThat's why I ask
I blocked it again
As before -
Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.
Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.
-
Sorry but its has to be something on your network..
Could be something like a media player, dvr, doubt its your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
-
Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.
-
Is your lan bridged to your wireless? If showing up on your lan - clearly its on your network ;)
-
No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.
Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VM's I've had running? I'm out of ideas.
-
So your wireless is on the same network as your lan - ie bridged..
-
If that's what "bridged" means then yes. It is on the same subnet as LAN.
-
Sorry but its has to be something on your network..
Could be something like a media player, dvr, doubt its your dlink.. But sure.. When you delete the lease how long until it comes back? Is it every 24 hours, every 1 hour, every 10 minutes? Does it ping to that IP you gave it?
What interface are you seeing it on? Lan, Wan, Wireless? You don't have a smart switch that shows you mac address table?
Here is a list of all the addresses on my network
1-27 are static addressesand 43 is Dynamic address
If I shut down the DHCP
I assume he could not get access to the network
but Guests also can notIf I delete this address
After a while, it comes back
Can be after 10 minutes
Can be after two hours
Can be after 16 hours
No fixed timeYou can not ping to it
PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data. From 192.168.0.2 icmp_seq=1 Destination Host Unreachable From 192.168.0.2 icmp_seq=2 Destination Host Unreachable From 192.168.0.2 icmp_seq=3 Destination Host Unreachable From 192.168.0.2 icmp_seq=4 Destination Host Unreachable From 192.168.0.2 icmp_seq=5 Destination Host Unreachable From 192.168.0.2 icmp_seq=6 Destination Host Unreachable From 192.168.0.2 icmp_seq=7 Destination Host Unreachable From 192.168.0.2 icmp_seq=8 Destination Host Unreachable From 192.168.0.2 icmp_seq=9 Destination Host UnreachableI do not have a smart switch
i see this address on my LAN
i have WAN ,LAN, WIFI, and BRIDGE (lan and wifi)I have 2 routers that serve as an access point
edimax 192.168.0.104
dlink 192.168.0.101
a network card on the pfsense also as AP (the wifi)
and one cisco access point (192.168.0.25)
all have fixed (static) IP
DHCP shut down in the routersI went physically at home to each device that connects to the network
And checked Mack addresses the same as in the DHCP leases
 -
If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where. I think there's also an nmap package for pfSense that would also scan your network and determine what is running where. Very handy and powerful utility.
-
what is "NIX box" ??
Know the package which is installed
It does not show anything -
Well without 3 different AP and wireless and wired on the same lan without a smart switch.. Yeah going to have a hard time tracking it down.
So your sure its showing up on your lan interface? Or your just seeing it hit your dhcp server? Why don't you sniff for the bootp packets.. This might give you some better clue to what the device in the details of the packet.
And you don't need a nix (unix/linux) box to run nmap, runs on windows just fine. Not sure that would help - the OS identification isn't very good if you ask me.
So can not ping, but it arps?? So when you try and ping that IP, and you look in your arp table you see it?
Destination host unreach normally means it didn't arp..
So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..
So is your wireless open, or secured.. Change your psk, if can not assoicate with your wireless its not possible for it to get a lease from your dhcp server. If still happens could be one of your routers acting as AP.. Turn 1 off at a time until you don't get it showing up any more.
Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?
-
So your sure its showing up on your lan interface? Or your just seeing it hit your dhcp server?
i see it on the DHCP leases not in the dhcp server
Why don't you sniff for the bootp packets.. This might give you some better clue to what the device in the details of the packet.
how do i do that ?
So can not ping, but it arps?? So when you try and ping that IP, and you look in your arp table you see it?
no cant see it in the arp
there are all the options
Running: /usr/local/bin/nmap -sP -PR '192.168.0.43' Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:03 IDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.52 seconds Running: /usr/local/bin/nmap -sS -P0 -sV -O '192.168.0.43' Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:04 IDT Nmap done: 1 IP address (0 hosts up) scanned in 2.95 seconds Running: /usr/local/bin/nmap -sT '192.168.0.43' Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:05 IDT Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn Nmap done: 1 IP address (0 hosts up) scanned in 0.49 seconds Running: /usr/local/bin/nmap -sS -P0 -sV -O '192.168.0.43' Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:06 IDT Nmap done: 1 IP address (0 hosts up) scanned in 2.07 secondsSo no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..
the cisco is real access point
So is your wireless open, or secured
my wireless is secured
If still happens could be one of your routers acting as AP..
my routers are acting as AP as i said
Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?
i went to every computer and tv and printer and lap top
and check (i go to setting Depending on the device And saw the mac address)
 -
diag, packet capture will allow you to sniff.. Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.
Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.
Then download it and check it wireshark.
example see attached - you can validate the discover is from the odd ball mac, and then look into the details of the packet and you might get some info that helps you identify what is actually asking for ip.
If you can not see it in arp, your not going to be able to nmap scan it. Turn off your other AP, do you still get it - then look in the AP for associated clients.. If you change your psk, would seem unlikely the device could associate with your wireless and get an IP.. So either its an actual AP device asking for it, or something wired.
So are any of your machines running any visualization software?
-
diag, packet capture will allow you to sniff.. Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.
Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.
you mean this in the image ?
 -
What?? No diagnostics on your pfsense menu, packet capture.. You don't need to install any package to do sniffs.
-
i try it with 67 and 68 port
and the IP of the Weird mac addressand i got Nothing
 -
no I would not put in an IP.. If you delete the lease and it asks for a new one doesn't mean it gets one.. Don't put in an IP..
And how long did you let it run?? Thought you said it could take 16 hour for it to show up?? Did a new lease show up? After you deleted the current one?
-
so i need to delete the IP from the DHCP leases
in the packet capture screen i should leave Host Address Empty
in the port Enroll 67and let it run
Then again, with the number 68 ?
-
Make sure you put in UDP and either port 67 or 68 would work.. see attached
Yes I would delete the lease, so you know for sure if it shows up again or not, etc.
Depending on how many dhcp clients and how long your default leases are, etc.. You might get some noise.. Which is why should prob set to 0 for how long to capture.. You can check it every few hours stop and download and start it again if you don't see anything in the leases table showing the odd mac…
