Rogue device on the network?



  • I recently set up a new router for a small office. Among many devices that needed to be reconfigured, there was this TP-Link TL-WA801ND V4 access point. I set the IP manually to 172.16.0.4. A moment ago, I took a look at system logs and ran into something strange:

    Jan 2 10:02:05 	kernel 		arp: 172.16.0.4 moved from 50:c7:bf:3d:4b:47 to 50:c7:bf:3d:4b:48 on em0
    Jan 2 09:48:26 	kernel 		arp: 172.16.0.4 moved from 50:c7:bf:3d:4b:48 to 50:c7:bf:3d:4b:47 on em0 
    

    Now, please correct me if I am mistaken.

    1. The arp moved message suggests that two separate hosts declare the same IP.
    2. The fact that the two MAC addresses are consecutive suggests that one belongs to the Wi-Fi card and the other to the bridge interface built in the said device.

    Am I to understand that there is something going wrong with the device firmware? If I am mistaken, what is the cause? If I am not, is there anything I can do to remedy this situation?



  • @scilek

    I have the same device, though an earlier version. According to the config, it uses the same MAC whether you connect via the wired or wireless side. That is the only MAC address from that device you should see. When you go into the AP status page, does it show 1 or 2 MAC addresses?



  • Here:

    Untitled.png

    I see the wired and the wireless interfaces share the same MACs. That is not normal, is it?



  • @scilek said in Rogue device on the network?:

    I see the wired and the wireless interfaces share the same MACs. That is not normal, is it?

    Yes, I have the same thing on mine. Don't forget, that's for the management interface, so it should be the same for either side. There will be another MAC for the WiFi side, but it's only used for the actual RF connection and wouldn't normally be visible on the LAN side.

    BTW, unless you need b or g, configure that AP for n only. Configuring for earlier versions than you need will only decrease performance, especially with b. This is due to the mechanism used to ensure compatibility between versions. With g & n, the header is sent at lower speed, so that other g devices can hear it and allow time for the transmission. With b, the situation is much worse, as the modulation is incompatible between b and everything else, so the devices will send a b frame to reserve the needed time and then send the actual g or n frame.



  • The Wi-Fi is already set to "n only" mode. I am sorry, but what you say does not explain why the IP address moves from one MAC to another. Is there anything I should worry about here?



  • @scilek

    I don't know why you're getting 2 MAC addresses. Given they're sequential, they are likely from the same device. What does Packet Capture show? One thought, do you have a static mapping configured for that address, but with the wrong MAC?
    Also, that capture of the AP status shows modes b,g & n listed, which means you have all of those enabled. Mine shows n only. I have configured it that way, as all my devices are capable of using n. You can change the mode on the Wireless Settings page.



  • I don't know why you're getting 2 MAC addresses.

    Because of some weird issue in the firmware?

    Given they're sequential, they are likely from the same device.

    That has to be the case.

    What does Packet Capture show?

    I have not captured any packets so far, but I will.

    One thought, do you have a static mapping configured for that address, but with the wrong MAC?

    I do have a static mapping for MAC address: 50:c7:bf:3d:4b:48 .

    Also, that capture of the AP status shows modes b,g & n listed, which means you have all of those enabled. Mine shows n only. I have configured it that way, as all my devices are capable of using n. You can change the mode on the Wireless Settings page.

    Mea maxima culpa! Setting corrected now.


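An added example, not written by anyone in the thread: a small triage script for the `arp: ... moved from ... to ...` kernel messages quoted in the first post. It groups the MAC addresses that claimed each IP and separates the case discussed above (same vendor prefix, adjacent addresses, so probably two interfaces of one device) from claims by unrelated MACs. The function names, the `max_gap` threshold and the third log line are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample input: the two log lines quoted in the first post,
# plus one invented line (172.16.0.9) to show the contrasting case.
SAMPLE_LOG = """\
Jan 2 10:02:05 kernel arp: 172.16.0.4 moved from 50:c7:bf:3d:4b:47 to 50:c7:bf:3d:4b:48 on em0
Jan 2 09:48:26 kernel arp: 172.16.0.4 moved from 50:c7:bf:3d:4b:48 to 50:c7:bf:3d:4b:47 on em0
Jan 2 11:15:40 kernel arp: 172.16.0.9 moved from 50:c7:bf:3d:4b:47 to 02:00:5e:10:20:30 on em0
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
MOVED = re.compile(
    rf"arp: (?P<ip>\d+(?:\.\d+){{3}}) moved from (?P<old>{MAC}) "
    rf"to (?P<new>{MAC}) on (?P<ifc>\S+)",
    re.IGNORECASE,
)

def mac_to_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    return int(mac.replace(":", ""), 16)

def parse_moves(text):
    """Return {ip: set of MACs that claimed it} from 'arp: ... moved' lines."""
    claims = defaultdict(set)
    for line in text.splitlines():
        m = MOVED.search(line)
        if m:
            claims[m["ip"]].update({m["old"].lower(), m["new"].lower()})
    return dict(claims)

def classify(macs, max_gap=8):
    """Heuristic (assumption): same OUI and numerically close addresses
    suggest several interfaces of one device. MACs can be spoofed, so this
    only prioritises what to look at; a packet capture confirms it."""
    values = sorted(mac_to_int(m) for m in macs)
    same_oui = len({v >> 24 for v in values}) == 1  # top 24 bits = vendor prefix
    if same_oui and values[-1] - values[0] <= max_gap:
        return "likely-same-device"
    return "investigate"

def triage(text):
    """Map each IP seen in 'moved' messages to a triage verdict."""
    return {ip: classify(macs) for ip, macs in parse_moves(text).items()}

if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(ip, verdict)
```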