MAC Address Appears to Change when Moving Device to VLAN



  • So I'm running 2.4.4-RELEASE-p3 and I'm just now moving over to VLANs. Before I had it all on one LAN so it's time to separate. I have everything on my network that is constant defined with Static IP.

    I would wait until they show up in the DHCP List then go add the static IP for them after identifying them.

    I would only ever have guests that popped up in DHCP which was nice because if something popped up, I knew it wasn't mine.

    Now that I've moved to VLANs I was recreating the static assignments but the MAC address when it first pops up is let's say a0:XX:YY:ZZ and then I assign the static IP. Then I see it pop up again and it's a2:XX:YY:ZZ. The last 6 are the exact same but the second digit changes (usually a zero to a two).

    I thought MAC addresses were assigned as unique IDs to the hardware and can't understand why all of a sudden they are changing. I dislike having all the random IP addresses but don't want to assign two IPs per device.

    Thoughts?



  • @Robertsonland

    That would be the Universal/Local bit, which is set to 1 for locally administered MAC addresses. That bit shouldn't be changing, unless you're assigning an address and it certainly shouldn't change just because it on a VLAN. The only significant difference between a VLAN frame and any other is the contents of the Ethertype/Length field. Is it just one device or more than one that this occurs with?

    I have been working with VLANs for several years and never seen that happen.



  • It's really odd as it's happening on multiple devices. I have thermostats, smart plugs, smart light bulbs, Sense Energy monitor. It's always that second bit. I had one go from ac to ae on a Smart Bulb.



  • @Robertsonland

    I assume you're enabling VLANs on pfSense. What about elsewhere on the network? Are you using a managed switch?
    What does Wireshark show?



  • Yes they are defined in PFSense and I have Unifi US-8-60W Switches along with UAC-AC-Pro APs with a Unifi Controller on which I defined VLANs using the VLAN ID from PFSense.



  • @Robertsonland

    So then, you should see VLAN frames between the switch and pfSense and untagged frames to the device. The devices shouldn't know anything about VLANs then. I expect that switch can support port mirroring, so you can use Wireshark to monitor the packets on either side of the switch.



  • Think you might have stepped outside my wheelhouse there. I've heard of Wireshark but not used it before. So you think it is the port on the switch doing something to alter it for the VLAN Tagging? hmmm

    I don't suppose there is any way to do a wildcard on the MAC address LOL



  • @Robertsonland

    I'm thinking that maybe the switch is changing that bit, though I have no idea why. Wireshark is a program that lets you capture and examing frames. PfSense includes Packet Capture, but that would only allow you to see traffic that's directly connected to pfSense.

    Also I'm curious about your comments on the changing address. As long as the MAC address is consistent, it shouldn't make any difference, but the way you stated the problem makes me think you're assuming the wrong thing. If you're using VLANs, then each one should have it's own subnet, which means any connected devices should have a different address than it would on a different VLAN. You also enable a DHCP server, with it's own address pool, on each VLAN. Is that what you're doing?



  • So yes I have

    • LAN

    • IOT VLAN (ID: 70 IP: 192.168.70.XX)

    • Guest VLAN (ID: 30 IP: 192.168.30.XX)

    So when I had my PFSense running with my old APs that didn't do VLANs and I had just the one lan I had static IPs set up for everything. So for example my Smart Bulb

    This was my static mapping:
    192.168.1.122 ac:84:c6:XX:XX:XX LB230

    I never saw a DHCP Dynamic IP used for the bulb ever and all was good. Now when I moved that bulb to the WiFi for IOT (ID 70) this is my static mapping in my IOT VLAN:
    192.168.70.52 ac:84:c6:XX:XX:XX LB230

    However when it hits my VLAN sometimes I see a DHCP Dynamic IP assigned:
    192.168.70.232 ae:84:c6:XX:XX:XX LB230

    So the ac turns to an ae but all the other numbers are the same. So the MAC isn't consistent and therefore it doesn't match up and it assigns a dynamic IP in the IOT VLAN



  • @Robertsonland

    By consistent, I meant on the VLAN. If that bit is always set on the VLAN, the address will not change. What that bit does on another VLAN is irrelevant.

    Since the bulbs apparently didn't have an IP address before, did the controller work only with MAC addresses? However, without knowing what's actually on the wire, it's hard to say what the issue is, though it may be the switch changing that bit.

    Still, as long as that bit is always set on the VLAN, you can just accept it and assign an IP address to the new MAC address. If a bulb gets moved to the main LAN, it will need a completely different address anyway, due to the different subnet.

    As I said, Wireshark is what you can use to examine packets on your network. With a managed switch, you can configure it to "mirror" a port to one where you have a computer running Wireshark. The traffic from the monitored port will also be copied to the mirror port, so that Wireshark can see it. It's well worth learning how to use Wireshark. I use it frequently and I even configured a cheap 5 port switch to act as a "data tap". I just insert the switch in an Ethernet connection and plug my notebook computer into the mirror port. Works very well.



  • So the DHCP is run by PFSense. The first time it assigned an IP it connected to the AP and the AP requested from PFSense an IP. I then saw it in the DHCP Status table. I added a new entry in the static mapping for IOT. Then I saw it again up top with a different MAC (off on that single digit). This was on the same vlan.

    So IP 192.168.70.52 worked with the ac MAC and it showed online. Then later it popped up with ae and the 192.168.70.232 which is in my dynamic set of IPs.

    I'll look at wireshark. I guess I'm not seeing how it can see on both sides of the switch but perhaps it's my limited knowledge. I just thought MAC addresses are hardware assigned and nothing could change them unless you had something "spoofing"

    Thanks for your help.



  • @Robertsonland said in MAC Address Appears to Change when Moving Device to VLAN:

    o the DHCP is run by PFSense. The first time it assigned an IP it connected to the AP and the AP requested from PFSense an IP. I then saw it in the DHCP Status table. I added a new entry in the static mapping for IOT. Then I saw it again up top with a different MAC (off on that single digit). This was on the same vlan.

    Assuming we're still talking about the bulbs, the AP has nothing to do with assigning the address. When you say you're seeing different MACs on the same VLAN (which is not what I thought you were saying earlier) are you always connecting via WiFi? Or sometimes via Ethernet? If this is the case and the MAC changes with how you connect, then the problem is with the AP. This is why it's essential to know where that bit is being changed.

    I'll look at wireshark. I guess I'm not seeing how it can see on both sides of the switch but perhaps it's my limited knowledge. I just thought MAC addresses are hardware assigned and nothing could change them unless you had something "spoofing"

    You can configure the mirroring so that you can first look at the bulb side and then the pfSense side, so that you can examine the difference. One way of capturing both at the same time is to use Packet Capture in pfSense at the same time as you're running Wireshark on the bulb side. Then you'd download the captured traffic, so that you can read it in Wireshark. An no, nothing should ever change the MAC, other than when an address is locally assigned and that can include spoofing. If either the switch or AP is changing the MAC then it's defective.

    Also, with Wireshark, you can configure it to filter on a wide variety of things, such as MAC or IP addresses, protocols and more. You can even combine things for more complex filtering, something that Packet Capture doesn't do well.

    So, give it a try and see what you can do with it. That's the best way to learn. There are also a Wireshark User Guide and Wireshark Wiki available.



  • This happens WiFi mostly (as that is what most of my IOT stuff is using to connect) thought I thought I saw it on my ROKUs as well but right now that is not happening to anything that is wired. There are 3 different APs that are having this happen though, not just a single one.

    How do I run Wireshark on the bulb side? would that require me to connect wirelessly to the same AP and then use Packet Capture on the PFSense side to see what happens?

    And since it doesn't happen with ALL wireless devices just some would it maybe not show me what I'm looking for?

    Thanks for the reference docs. I will look them over.



  • @Robertsonland

    To monttor the bulb side, you configure a mirror port to monitor the appropriate switch port. Then connect a computer running Wireshark to the mirror port. Packet capture can only monitor what it's directly connected to. So, it could monitor it's side of the switch, but not the bulb side. With Wireshark, you can see which devices have that bit changing and whether it's being done by the AP. You just have to poke around and look. You can use filters to help isolate the devices. For example, if you filter on IP, then only that device, regardless of what the MAC turns out to be, will be captured. While Wireshark comes with several filters, you can create your own or modify the existing ones to suit your needs. For example, I have created MAC address filters for every device I have. For example, here's one for my tablet's MAC address:
    ether host b0:6e:bf:19:bc:f4

    I could also filter on it's IPv4 address:
    host 172.16.0.93

    There are lots of different things to filter on. Have fun!


Log in to reply