    Strange address Shown in the dhcp leases

    • F Offline
      firefox
      last edited by

      I've checked
      No device in my network
      Have such address

      That's why I ask

      I blocked it again
      As before

      • JailerJ Offline
        Jailer
        last edited by

        Yeah it's definitely not a device on my network, this is my home network and every device is accounted for.

        Could it possibly be my Dlink router that I'm using as an AP? DHCP is turned off on the router but the wireless does occasionally quit working, especially when it gets warmer out, requiring a power cycle to restore it.

        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator
          last edited by

          Sorry but it has to be something on your network..

          Could be something like a media player, dvr, doubt it's your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?

          What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 25.07 | Lab VMs 2.8, 25.07

          • JailerJ Offline
            Jailer
            last edited by

            Shows up on LAN, no smart switch. I'll have to check when I get home to see if it's back again. Had a power outage yesterday and as of last night it wasn't there.

            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator
              last edited by

              Is your lan bridged to your wireless?  If showing up on your lan - clearly it's on your network ;)

              • JailerJ Offline
                Jailer
                last edited by

                No bridge, just DHCP disabled and static IP so it's working as an AP. pfsense is handling all the routing.

                Checked my leases and it's not there any more. I dunno, maybe something left over from one of the many VM's I've had running? I'm out of ideas.

                • johnpozJ Offline
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  So your wireless is on the same network as your lan - ie bridged..

                  • JailerJ Offline
                    Jailer
                    last edited by

                    If that's what "bridged" means then yes. It is on the same subnet as LAN.

                    • F Offline
                      firefox
                      last edited by

                      @johnpoz:

                      > Sorry but it has to be something on your network..
                      >
                      > Could be something like a media player, dvr, doubt it's your dlink.. But sure..  When you delete the lease how long until it comes back?  Is it every 24 hours, every 1 hour, every 10 minutes?  Does it ping to that IP you gave it?
                      >
                      > What interface are you seeing it on?  Lan, Wan, Wireless?  You don't have a smart switch that shows you mac address table?

                      Here is a list of all the addresses on my network
                      1-27 are static addresses

                      and 43 is Dynamic address

                      If I shut down the DHCP
                      I assume he could not get access to the network
                      but Guests also can not

                      If I delete this address
                      After a while, it comes back
                      Can be after 10 minutes
                      Can be after two hours
                      Can be after 16 hours
                      No fixed time

                      You can not ping to it

                      ```
                      PING 192.168.0.43 (192.168.0.43) 56(84) bytes of data.
                      From 192.168.0.2 icmp_seq=1 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=2 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=3 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=4 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=5 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=6 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=7 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=8 Destination Host Unreachable
                      From 192.168.0.2 icmp_seq=9 Destination Host Unreachable
                      ```

                      I do not have a smart switch
                      I see this address on my LAN
                      I have WAN, LAN, WIFI, and BRIDGE (lan and wifi)

                      I have 2 routers that serve as an access point
                      edimax 192.168.0.104
                      dlink 192.168.0.101
                      a network card on the pfsense also as AP (the wifi)
                      and one cisco access point (192.168.0.25)
                      all have fixed (static) IP
                      DHCP shut down in the routers

                      I went physically at home to each device that connects to the network
                      And checked MAC addresses the same as in the DHCP leases

                      ![mac address.png](/public/imported_attachments/1/mac address.png)
                      • T Offline
                        tim.mcmanus
                        last edited by

                        If you have a *NIX box on your network you can run nmap to do some network discovery and determine what is where.  I think there's also an nmap package for pfSense that would also scan your network and determine what is running where.  Very handy and powerful utility.

                        • F Offline
                          firefox
                          last edited by

                          what is "NIX box" ??

                          Know the package which is installed
                          It does not show anything

                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by

                            Well without 3 different AP and wireless and wired on the same lan without a smart switch.. Yeah going to have a hard time tracking it down.

                            So you're sure it's showing up on your lan interface?  Or you're just seeing it hit your dhcp server?  Why don't you sniff for the bootp packets..  This might give you some better clue to what the device is in the details of the packet.

                            And you don't need a nix (unix/linux) box to run nmap, runs on windows just fine.  Not sure that would help - the OS identification isn't very good if you ask me.

                            So can not ping, but it arps??  So when you try and ping that IP, and you look in your arp table you see it?

                            Destination host unreach normally means it didn't arp..

                            So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..

                            So is your wireless open, or secured..  Change your psk, if can not associate with your wireless it's not possible for it to get a lease from your dhcp server.  If still happens could be one of your routers acting as AP..  Turn 1 off at a time until you don't get it showing up any more.

                            Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?

                            • F Offline
                              firefox
                              last edited by

                              > So you're sure it's showing up on your lan interface?  Or you're just seeing it hit your dhcp server?

                              I see it on the DHCP leases, not in the dhcp server

                              > Why don't you sniff for the bootp packets..  This might give you some better clue to what the device is in the details of the packet.

                              How do I do that?

                              > So can not ping, but it arps??  So when you try and ping that IP, and you look in your arp table you see it?

                              No, can't see it in the arp

                              there are all the options

                              ```
                              Running: /usr/local/bin/nmap  -sP -PR '192.168.0.43'
                              Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:03 IDT
                              Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
                              Nmap done: 1 IP address (0 hosts up) scanned in 0.52 seconds

                              Running: /usr/local/bin/nmap  -sS -P0 -sV -O '192.168.0.43'
                              Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:04 IDT
                              Nmap done: 1 IP address (0 hosts up) scanned in 2.95 seconds

                              Running: /usr/local/bin/nmap  -sT '192.168.0.43'
                              Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:05 IDT
                              Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
                              Nmap done: 1 IP address (0 hosts up) scanned in 0.49 seconds

                              Running: /usr/local/bin/nmap  -sS -P0 -sV -O '192.168.0.43'
                              Starting Nmap 6.40 ( http://nmap.org ) at 2015-06-16 17:06 IDT
                              Nmap done: 1 IP address (0 hosts up) scanned in 2.07 seconds
                              ```

                              > So no real AP, or smart switch - tracking down something like this can be tricky.. If you had a smart switch and real AP you could see where the mac is listed on physical port and what macs are trying to associate to your AP..

                              The cisco is a real access point

                              > So is your wireless open, or secured

                              My wireless is secured

                              > If still happens could be one of your routers acting as AP..

                              My routers are acting as AP as I said

                              > Do you run any sort of visualization.. How did you check for the mac exactly on all your devices?

                              I went to every computer and TV and printer and laptop
                              and checked (I go to settings depending on the device and saw the MAC address)
                              ![home.plex - Status DHCP leases - 2015-06-16_17.10.12.png](/public/imported_attachments/1/home.plex - Status DHCP leases - 2015-06-16_17.10.12.png)
                              ![home.plex - Diagnostics ARP Table - 2015-06-16_17.16.50.png](/public/imported_attachments/1/home.plex - Diagnostics ARP Table - 2015-06-16_17.16.50.png)
                              ![Cisco IOS Series AP - 2015-06-16_17.18.38.png](/public/imported_attachments/1/Cisco IOS Series AP - 2015-06-16_17.18.38.png)
                              • johnpozJ Offline
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                diag, packet capture will allow you to sniff..  Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.

                                Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.

                                Then download it and check it in wireshark.

                                example see attached - you can validate the discover is from the odd ball mac, and then look into the details of the packet and you might get some info that helps you identify what is actually asking for ip.

                                If you can not see it in arp, you're not going to be able to nmap scan it.  Turn off your other AP, do you still get it - then look in the AP for associated clients..  If you change your psk, would seem unlikely the device could associate with your wireless and get an IP..  So either it's an actual AP device asking for it, or something wired.

                                So are any of your machines running any visualization software?

                                dhcpexample.png
                                • F Offline
                                  firefox
                                  last edited by

                                  > diag, packet capture will allow you to sniff..  Pick your lan interface, UDP and either port 67 or 68 since these are the ports bootp/dhcp will be on.
                                  >
                                  > Let it run until you see the lease show up with that weird mac in it, if you have a lot of dhcp on your network then you might need to change the 100 packet limit to 0 or something greater to catch the packets.

                                  you mean this in the image ?

                                  ![Screenshot from 2015-06-16 18:30:45.png](/public/imported_attachments/1/Screenshot from 2015-06-16 18:30:45.png)
                                  • johnpozJ Offline
                                    johnpoz LAYER 8 Global Moderator
                                    last edited by

                                    What??  No diagnostics on your pfsense menu, packet capture.. You don't need to install any package to do sniffs.

                                    packetcapture.png
                                    • F Offline
                                      firefox
                                      last edited by

                                      I tried it with ports 67 and 68
                                      and the IP of the weird MAC address

                                      and I got nothing

                                      ![Screenshot from 2015-06-17 07:04:38.png](/public/imported_attachments/1/Screenshot from 2015-06-17 07:04:38.png)
                                      • johnpozJ Offline
                                        johnpoz LAYER 8 Global Moderator
                                        last edited by

                                        no I would not put in an IP.. If you delete the lease and it asks for a new one doesn't mean it gets one.. Don't put in an IP..

                                        And how long did you let it run??  Thought you said it could take 16 hours for it to show up??  Did a new lease show up?  After you deleted the current one?

                                        • F Offline
                                          firefox
                                          last edited by

                                          So I need to delete the IP from the DHCP leases

                                          in the packet capture screen I should leave Host Address empty
                                          in the port Enroll 67

                                          and let it run

                                          Then again, with the number 68  ?

                                          • johnpozJ Offline
                                            johnpoz LAYER 8 Global Moderator
                                            last edited by

                                            Make sure you put in UDP and either port 67 or 68 would work.. see attached

                                            Yes I would delete the lease, so you know for sure if it shows up again or not, etc.

                                            Depending on how many dhcp clients and how long your default leases are, etc.. You might get some noise..  Which is why should prob set to 0 for how long to capture..  You can check it every few hours stop and download and start it again if you don't see anything in the leases table showing the odd mac…

                                            catchdhcpclient.png
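Added example, not part of any post in this thread: the capture procedure discussed above (UDP port 67/68 on the LAN interface) yields DHCP packets whose client fields help identify the requesting device. This Python code parses one raw DHCP UDP payload and pulls out those fields; the sample DISCOVER, its MAC, hostname and vendor class are constructed for illustration, and only the requested IP 192.168.0.43 is taken from the thread.

```python
import socket
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"          # marks the start of DHCP options
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload: bytes) -> dict:
    """Return the client-identifying fields of one BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message (short or no magic cookie)")
    hlen = payload[2]
    if not 1 <= hlen <= 16:
        raise ValueError("invalid hardware address length")
    chaddr = payload[28:28 + hlen]           # client hardware address
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                      # End option
            break
        if code == 0:                        # Pad option, no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code} runs past end of packet")
        opts[code] = opts.get(code, b"") + value   # RFC 3396: split options concatenate
        i += 2 + length
    def text(code):
        raw = opts.get(code)
        return raw.decode("ascii", "replace") if raw else None
    mtype = opts.get(53)
    req_ip = opts.get(50, b"")
    return {
        "message_type": MSG_TYPES.get(mtype[0], "unknown") if mtype else "BOOTP",
        "client_mac": ":".join(f"{b:02x}" for b in chaddr),
        # Bit 0x02 of the first octet: address set by software, not a vendor OUI
        "locally_administered": bool(chaddr[0] & 0x02),
        "hostname": text(12),
        "vendor_class": text(60),
        "client_id": opts.get(61, b"").hex() or None,
        "requested_ip": socket.inet_ntoa(req_ip) if len(req_ip) == 4 else None,
        "param_request_list": list(opts.get(55, b"")),
    }

def build_sample_discover() -> bytes:
    """Constructed DHCPDISCOVER; MAC, hostname and vendor class are made up."""
    mac = bytes.fromhex("021122334455")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, 0x12345678,
                         0, 0x8000, b"", b"", b"", b"", mac, b"", b"")
    opt = lambda code, value: bytes([code, len(value)]) + value
    options = (opt(53, b"\x01") + opt(61, b"\x01" + mac) +
               opt(50, socket.inet_aton("192.168.0.43")) +
               opt(12, b"example-dvr") + opt(60, b"example-vendor-1.0") +
               opt(55, bytes([1, 3, 6, 15])) + b"\xff")
    return header + MAGIC_COOKIE + options

if __name__ == "__main__":
    for field, value in parse_dhcp(build_sample_discover()).items():
        print(f"{field:22} {value}")
```

Hostname (option 12) and vendor class (option 60) are optional, so a client may send neither; the MAC and the parameter request list are then the remaining hints.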