System Log shows Roku device rapidly switching MAC address
-
I have a pfSense router that I use along with tp-link mesh WiFi (in access point mode). On my network I must have close to 100 IoT devices including heat pumps, light bulbs, switches, power meters, and various sensors. I am running Home Assistant.
Occasionally I experience my devices frequently disconnecting from the WiFi, and when that happens, I go to the pfSense logs to see if I can understand any activity. I usually look at the system log.This happened a few days ago and this is what I found in the system log.
There are hundreds of lines in the log like this for the one device whose ip address is 1.137. About 15 lines appear each hour.
It turns out the device is a fairly new Roku that I have on one TV. When I block this device with my Deco tp-link app or I unplug it this issue goes away.
I am a novice and don't know what this means. I know that IOS devices can randomize their MAC addresses, but I don't think Roku devices do. And in this case, it is switching back and forth between the same two MAC addresses. I understand one of them (it is the Roku MAC address) but I don't know the other one.
A similar problem has arisen before with one of my Amazon Echo dots. I never solved it -- that device is unplugged and in a box.Would appreciate any insight.
-
@sinemaker this normally points to duplicate IP. When you disconnect your roku - does .137 still ping?
That 48:3f:da is Espressif Inc - they make iot devices, etc..
-
@johnpoz
Good question. The answer is no. I can ping the Roku when connected. I just disconnected the Roku from power and now I get nothing back when I ping that 1.137 address.(At the moment I have plugged the Roku back in and, again, can ping it but the problematic entry in the system log has not yet returned.)
I have some IoT devices that sleep (to save energy) then wake up to report data then go back to sleep. These would be difficult to ping and could cause an ip conflict. But I don't find one of these devices with the right MAC address
Maybe there is another IoT device that behaves similarly (mostly sleeps and wakes up to report data) that I don't know about.
-
@sinemaker you need to figure out what the device is - and you would need to see that non roku mac in the pfsense arp table.. If it still has the roku mac in it - then yeah .137 wouldn't answer if off
You could clear your arp table and then try pinging the .137 to see if it populates with that non roku mac. Then try to figure out what it is, could do some port scanning to see if answers on an ports and gives away any hints, etc.
If wired and you had a smart switch you could track down the mac to what port its connected too.. But yeah wireless is difficult to track down..
You could block that non roku mac on your wifi - and then see what doesn't work going forward..
Or maybe it is wired? Do you have wired devices and a smart switch?
-
@johnpoz Your suggestions and comments have led me close to solving the problem. You are right, this is due to a conflicting ip address. It turns out that I have about 10 different temperature sensors (some Govee, some made using tasmota with a D1mini board) that do not remain connected to the WiFi. They mostly go to sleep and wake up periodically to send data. Apparently one or more of them are using the same ip addresses as some other IoT devices (like my Roku) that stay connected to the LAN all the time. So when my sensor wakes up every 5 min or so, briefly sends data to my Home Assistant computer for 5-10 seconds, then goes back to sleep -- well, this is what triggers those lines in my system log.
I am slowly trying to chase these sleeping devices down and assign them static ip addresses so that these won't be assigned to another device while they are sleeping.
I was able to shift the tasmota T/H sensors to the fixed ip's that I gave them but for some reason my Govee sensors just don' show up in the ARP table. It appears they are still using the old DHCP ip addresses and I cannot get them to release them and use the new static ip's I set up in the router.
For now I have just disconnected these from the WiFi to see what happens.
Thank you for all your help. -
@sinemaker so I had a thermostat that once it got an IP from dhcp, it never bothered to ever ask again and renew that lease it just kept it forever - which yeah can lead to same sort of problem your having.. I found out it was doing that by trying to set a reservation for an IP in dhcp server, and it never getting it..
I had to basically wipe the network config off the thing, then when it reconnected it got its reservation - and I watched it for quite some time in never once actually sent a renew for that lease, etc..
So yeah some of these iot devices have some really bad network stacks.
-
@johnpoz said in System Log shows Roku device rapidly switching MAC address:
some of these iot devices have some really bad network stacks.
Ha that is an understatement! Behold these thermostats I have that generate a MAC address based on their IP address....
-
@stephenw10 WTF???? you mean you set their IPs to match the last part of the mac?
-
Nope I mean I set the IP and the device uses that to set it's own MAC address! My mind was blown when I discovered that. #funtimes
-
@stephenw10 that is insane.. I had a device that had a multicast mac set on it, company screw up.. It could work - but it could also cause some problems. It was a networking bridge for electric consumption meter, current cost by envi if I recall.. Had to be 10 years ago, I remember it working until I moved it something other than a dumb switch - then I ran into issues.. I remember having to do something with igmp snooping.
