Netgate Discussion Forum
    Strange address Shown in the dhcp leases

    General pfSense Questions

      firefox

      This address is shown in the DHCP leases.

      What is this???
      ![Screenshot from 2015-06-11 19:33:00.png](/public/imported_attachments/1/Screenshot from 2015-06-11 19:33:00.png)

        doktornotor Banned

        And? What's strange about 192.168.0.34? Or you mean the MAC? Everyone can set their MAC to anything they want in seconds, including invalid values.

          Jailer

          I have the same entry, different IP and it's set to never expire. It's not any device in my network.

            MikeV7896

            Maybe a VM on one of your computers? I don't have that MAC showing up in my list…

            The S in IOT stands for Security

              Jailer

              Checking now, but even if it is, why would it be set to never expire?

                firefox

                I don't have a VM,
                and I mean the MAC
                and the status cltt 3.

                What is cltt 3??

                  johnpoz LAYER 8 Global Moderator

                  prob got some kind of corruption in the leases db.. just delete it..

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 25.07

                    firefox

                    It came back,
                    this time listed as cltt 5, not 3.

                    Could it be that someone is trying to get into the network
                    wirelessly??

                      johnpoz LAYER 8 Global Moderator

                      Why don't you look in the actual file for what it shows for the end date, and see what we have..

                      example
                      [2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

                      lease 192.168.2.216 {
                        starts 6 2015/06/13 12:04:00;
                        ends 3 2015/06/17 12:04:00;
                        cltt 6 2015/06/13 12:04:00;
                        binding state active;
                        next binding state free;
                        rewind binding state free;
                        hardware ethernet ac:fd:ec:62:34:97;
                        uid "\001\254\375\354b4\227";
                        client-hostname "Johns-Phone";

                      cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date? I would also track down what device it is, that is clearly an ODD MAC..

                        firefox

                        How do I see this file?

                        I did ssh to the machine (reminds me of Person of Interest)
                        and pasted this: /var/dhcpd/var/db: cat dhcpd.leases

                        I got this:
                        /var/dhcpd/var/db:: Too many arguments.

                          divsys

                          I did ssh to the machine (reminds me of Person of Interest)
                          and pasted this: /var/dhcpd/var/db: cat dhcpd.leases

                          try:
                          cd /var/dhcpd/var/db
                          cat dhcpd.leases

                          or:
                          cat /var/dhcpd/var/db/dhcpd.leases

                          or:

                          less /var/dhcpd/var/db/dhcpd.leases

                          These are basic FreeBSD commands.
                          There are many primers/HowTos on the commands and how/when to use them available with a quick Google search.

                          -jfp

                            firefox

                            This is what I got:

                            # The format of this file is documented in the dhcpd.leases(5) manual page.
                            # This lease file was written by isc-dhcp-4.2.6
                            
                            lease 192.168.0.30 {
                              starts 1 2015/05/25 04:04:19;
                              ends 1 2015/05/25 06:04:19;
                              tstp 1 2015/05/25 06:04:19;
                              cltt 1 2015/05/25 04:04:19;
                              binding state free;
                              hardware ethernet 00:1c:85:0d:1d:68;
                              uid "\001\000\034\205\015\035h";
                            }
                            lease 192.168.0.31 {
                              starts 3 2015/05/27 12:43:26;
                              ends 3 2015/05/27 14:43:26;
                              tstp 3 2015/05/27 14:43:26;
                              cltt 3 2015/05/27 12:43:26;
                              binding state free;
                              hardware ethernet 54:35:30:b1:da:f5;
                              uid "\001T50\261\332\365";
                            }
                            lease 192.168.0.32 {
                              starts 0 2015/05/31 19:16:46;
                              ends 0 2015/05/31 21:16:46;
                              tstp 0 2015/05/31 21:16:46;
                              cltt 0 2015/05/31 19:16:46;
                              binding state free;
                              hardware ethernet 94:35:0a:23:07:f3;
                              uid "\001\2245\012#\007\363";
                            }
                            lease 192.168.0.33 {
                              starts 4 2015/06/04 06:42:41;
                              ends 5 2015/06/05 06:42:41;
                              tstp 5 2015/06/05 06:42:41;
                              cltt 4 2015/06/04 06:42:41;
                              binding state free;
                              hardware ethernet 0c:74:c2:e1:78:f9;
                              uid "\001\014t\302\341x\371";
                            }
                            lease 192.168.0.36 {
                              starts 4 2015/06/11 15:39:16;
                              ends 4 2015/06/11 17:39:16;
                              tstp 4 2015/06/11 17:39:16;
                              cltt 4 2015/06/11 15:39:16;
                              binding state free;
                              hardware ethernet f8:d1:11:16:4b:d9;
                            }
                            lease 192.168.0.35 {
                              starts 4 2015/06/11 15:41:11;
                              ends 4 2015/06/11 17:41:11;
                              tstp 4 2015/06/11 17:41:11;
                              cltt 4 2015/06/11 15:41:11;
                              binding state free;
                              hardware ethernet 00:1b:38:46:27:6b;
                            }
                            lease 192.168.0.37 {
                              starts 4 2015/06/11 15:41:19;
                              ends 4 2015/06/11 17:41:19;
                              tstp 4 2015/06/11 17:41:19;
                              cltt 4 2015/06/11 15:41:19;
                              binding state free;
                              hardware ethernet 00:1c:bf:11:dc:62;
                            }
                            lease 192.168.0.42 {
                              starts 5 2015/06/12 08:38:46;
                              ends 5 2015/06/12 10:38:46;
                              tstp 5 2015/06/12 10:38:46;
                              cltt 5 2015/06/12 08:38:46;
                              binding state free;
                              hardware ethernet 94:35:0a:23:07:f3;
                              uid "\001\2245\012#\007\363";
                            }
                            server-duid "\000\001\000\001\034c\215 \000\002\263\013\253.";
                            
                            
                              hda

                              @firefox:

                              Could it be that someone is trying to get in to the network. Wirelessly ??

                              If you are suspicious about (wireless) connections, then do ACL, explicitly allow MAC addresses (therefore deny the undefined) in your AP.

                                firefox

                                What is ACL?

                                  hda

                                  Access Control List(s)

                                  In pfSense, have a look at Services: DHCP server [MAC Address Control]

                                    firefox

                                    @johnpoz:

                                    Why don't you look in the actual file for what it shows for the end date, and see what we have..

                                    example
                                    [2.2.2-RELEASE][root@pfSense.local.lan]/var/dhcpd/var/db: cat dhcpd.leases

                                    lease 192.168.2.216 {
                                      starts 6 2015/06/13 12:04:00;
                                      ends 3 2015/06/17 12:04:00;
                                      cltt 6 2015/06/13 12:04:00;
                                      binding state active;
                                      next binding state free;
                                      rewind binding state free;
                                      hardware ethernet ac:fd:ec:62:34:97;
                                      uid "\001\254\375\354b4\227";
                                      client-hostname "Johns-Phone";

                                    cltt stands for Client Last Transaction Time, not sure why it's showing that vs the end date? I would also track down what device it is, that is clearly an ODD MAC..

                                    Where the last line
                                    client-hostname "Johns-Phone";

                                    It is not registered anything in the output of the command (on my computer)

                                    and now it is cltt 6

                                    lease 192.168.0.43 {
                                      starts 6 2015/06/13 21:31:09;
                                      ends never;
                                      cltt 6 2015/06/13 21:31:09;
                                      binding state active;
                                      next binding state free;
                                      rewind binding state free;
                                      hardware ethernet 00:ab:00:00:00:00;

                                    How exactly do I use this ACL option?

                                    I have to enroll all MAC addresses of all computers on the network,
                                    one by one, comma separated

                                    It says partial MAC addresses.
                                    Which part?
                                      motionthings

                                      edit3
                                      My post was about wireless security, and did not belong here.
                                      I'll not be offended if it gets deleted. http://pastebin.com/QaGHXbU4
                                      /edit 3

                                      edit2
                                      Looks like @cmb has a really good answer. Thanks :-)
                                      /edit2

                                      Intel Core i3, 8GB RAM, 2x Intel Gigabit NIC's.
                                      CURRENT network: https://cacoo.com/diagrams/1Fh6EcMdZLjGq3zj
                                      Planned network: https://cacoo.com/diagrams/y2rMw37kzlzcHzZy
                                      Read BOFH (Bastard Operator From Hell): http://bofh.ntk.net/BOFH/index.php

                                        hda

                                        @firefox:

                                        …
                                        it says partial MAC addresses
                                        Which part ?

                                        http://www.gcstech.net/macvendor/index.php?node=macsea

                                          cmb

                                          That's a BOOTP lease, which is why it looks weird.

                                          Hostnames are only there where the client sends one. It not having one isn't unusual, especially for the types of devices that do BOOTP.

                                          There are very limited devices that use BOOTP. Generally they're very old (1990s era printers for instance), or atypical embedded devices. It could be some broken device as well.

                                          It seems to be a semi-active device, or at least your time of last contact (cltt) seems to update. If you have a managed switch, try tracking down that MAC address' port and see what's plugged into it. If you don't have a managed switch it'll be harder to track down, though not too difficult if you have a small network. Unplug most things, see if it's still updating. Add things back one by one. See when that comes back. Or just try reaching the device to see what it's running. An nmap scan with OS identification enabled might be telling.

                                            cmb

                                            @Jailer:

                                            checking now but even if it is why would it be set to never expire?

                                            BOOTP leases never expire.

                                            1 Reply Last reply Reply Quote 0
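
Added example (not code from any poster or from pfSense), illustrating cmb's two answers above: a short Python parser for the `dhcpd.leases` format shown in the thread that lists active leases written with `ends never`, along with their MAC and latest cltt. The sample text is constructed from the entries posted in the thread, and the function names are this example's own.

```python
import re
from datetime import datetime

# Constructed sample modelled on the leases posted in the thread: one ordinary
# DHCP lease, then two successive writes for the "ends never" entry.
SAMPLE = """\
lease 192.168.0.42 {
  ends 5 2015/06/12 10:38:46;
  cltt 5 2015/06/12 08:38:46;
  binding state free;
  hardware ethernet 94:35:0a:23:07:f3;
}
lease 192.168.0.43 {
  ends never;
  cltt 6 2015/06/13 21:31:09;
  binding state active;
  next binding state free;
  hardware ethernet 00:ab:00:00:00:00;
}
lease 192.168.0.43 {
  ends never;
  cltt 0 2015/06/14 09:00:00;
  binding state active;
  next binding state free;
  hardware ethernet 00:ab:00:00:00:00;
}
"""

# A lease block closes with "}" at the start of a line; anchoring on that keeps
# a "}" inside a quoted uid string from ending the block early.
LEASE_RE = re.compile(r"^lease\s+(\S+)\s*\{(.*?)^\}", re.S | re.M)
STMT_RE = re.compile(r"^\s*(ends|cltt|binding state|hardware ethernet)\s+(.*?);", re.M)

def parse_leases(text):
    """Map IP -> fields. dhcpd appends to this file, so the last entry per IP wins."""
    return {ip: dict(STMT_RE.findall(body)) for ip, body in LEASE_RE.findall(text)}

def last_contact(fields):
    """Parse cltt, e.g. '6 2015/06/13 21:31:09' (the first number is the weekday)."""
    raw = fields.get("cltt")
    return datetime.strptime(raw.split(" ", 1)[1], "%Y/%m/%d %H:%M:%S") if raw else None

def never_expiring(text):
    """Return (ip, mac, last_contact, notes) for active leases with 'ends never'."""
    hits = []
    for ip, f in parse_leases(text).items():
        if f.get("ends") != "never" or f.get("binding state") != "active":
            continue
        octets = f.get("hardware ethernet", "00").split(":")
        notes = []
        if int(octets[0], 16) & 0x02:
            notes.append("locally administered")
        if octets.count("00") >= 4:
            notes.append("mostly zero octets")
        hits.append((ip, ":".join(octets), last_contact(f), notes))
    return hits
```

Feed it the contents of `/var/dhcpd/var/db/dhcpd.leases`; a last-contact time that keeps advancing between runs matches the "semi-active device" behaviour described above.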
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.