Client numbers reported by router and controller differs significantly from reality
Tuesday - last edited Thursday
Model: ER605 (TL-R605)  
Hardware Version: V2
Firmware Version: 2.2.6

hi all,

 

this is the second time that I open this, as my first question apparently wasn't noticed by anyone from TP-Link:

 

the client numbers reported by Controller (version 5.15.8.2) and routers are completely out of reality:

 

  • Site 1:
    • Controller:
      • Clients:               58 (excl. router)
      • Known clients:    65 (excl. router)
    • Router:
      • SNMP:               34 (incl router)
    • Nmap:
      • Quick Scan:       70 (incl router)

 

  • Site 2:
    • Controller:
      • Clients:               13 (excl. router) (*) (**)
      • Known clients:    13 (excl. router) (*) (***)
    • Router:
      • SNMP:               13 (incl router) (***)
    • Nmap:
      • Quick Scan:       17 (incl router)

 

please note: all lists contain mix of static and DHCP (by routers) assigned IPs

 

(*) the two lists are not identical - only 6 clients are on both lists

(**) the two lists are not identical - 12 clients are on both lists

(***) the two lists are not identical - only 5 clients are on both lists

 

observation: there isn't really any list of DHCP assigned IP addresses available - neither via controller nor by reading data from router via SNMP

 

my question is: why are the numbers so different? especially the SNMP reported numbers - they should IMHO reflect the reality

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#1
Re:Client numbers reported by router and controller differs significantly from reality
Wednesday - last edited Thursday

Hi  @ZoloNN 

 

 Here are the possible reasons:

  • Inconsistent Data Statistics Range
    • The statistics of the Controller's Known clients and Clients may adopt different criteria, resulting in different numbers and mismatches with the Router's statistical results.
  • Different Data Update Frequencies
    • The Controller and the Router may have different data update mechanisms, resulting in statistics at different time points, making the statistical results inconsistent. For instance, the Controller may update more slowly, while the Router's SNMP or Nmap scan results are the latest, thus resulting in different numbers of clients.
    • Different tools may have different network detection mechanisms and frequencies, leading to differences in the client information they capture during statistics. For example, Nmap's Quick Scan may be more capable of detecting newly joined clients in a timely manner than SNMP, resulting in a higher statistical number of Nmap.
  • Network Environment Complexity
    • Some clients in the network may be in an unstable state at certain times, such as intermittent connections or being temporarily blocked by firewalls or security policies, and different statistical tools handle such clients differently. For example, the Controller may exclude temporarily unavailable clients from statistics, while Nmap's Quick Scan may consider them as online clients.
    • The mixture of static IPs and DHCP-assigned IPs in the network may cause confusion, and different tools handle these IPs differently, resulting in different statistical results. Meanwhile, the lack of a clear DHCP-assigned IP list may lead to inaccurate client number statistics because it is not clear which clients are newly assigned via DHCP.
  • Differences in Statistical Algorithms and Filtering Rules
    • The Controller may have its own client identification and filtering rules, while the Router's SNMP or Nmap has different algorithms. For example, the Controller may filter out some clients that it deems inactive or not meeting specific conditions, while SNMP may count them in the statistics.
    • Different tools may not handle duplicate counting of the same client properly. For example, some tools may consider a client that disconnects briefly and reconnects as a new client, while others may not.

 

 

Side note: this topic is not a feature request. Next time, you'd better go to router block to get a faster and more professional answer.

Wish you a happy life and smooth network usage! 
#2
Re:Client numbers reported by router and controller differs significantly from reality
Wednesday - last edited Wednesday

Hi @Vincent-TP 

 

I fully understand, that Controller can be not always on latest numbers, but I definitely can't understand, why the client list on router directly isn't up to date.

 

and what I absolutely can't understand, why there is no table with actual DHCP leases. even the (excuse my french) stupidest 20$ home router can do this and I've tried to address this here, and later my similar observation here - which has no replies, just 157 views. that's the reason why I've put my question here to catch the attention (sorry for that).

 

current numbers from Site 1:

Nmap: 75 devices, where 32 are from DHCP range

Router SNMP query: 33 devices, where 17 are from DHCP range

 

regarding your remarks about network complexity, the networks are "plain" one IP subnet networks without firewall in-between, cross-connected via pfSense site2site WireGuard (reason for usage of pfSense is here)

 

my suggestion is to make the router's DHCP list accessible at least via SNMP. 

 

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#3
Re:Client numbers reported by router and controller differs significantly from reality
Thursday

Hi @ZoloNN

You scanned via Nmap, did you scan the whole subnet including the remote VPN site?

 

Run show arp and see what it reports. That should be the real local devices. You should get a clear view from that. Other tools are not accurate.

ARP contains the cache. I don't know how ASUS/merlin processes that. At least, I don't think they show the clients based on ARP.

Best Regards! If you are new to the forum, please read: Howto - A Guide to Use Forum Effectively. Read Before You Post. Look for a model? Search your model NOW Official and Beta firmware. NEW features! Subscribe for the latest update!Download Beta Here☚ ☛ ★ Configuration Guide ★ ☚ ☛ ★ Knowledge Base ★ ☚ ☛ ★ Troubleshooting ★ ☚ ● Be kind and nice. ● Stay on the topic. ● Post details. ● Search first. ● Please don't take it for granted. ● No email confidentiality should be violated. ● S/N, MAC, and your true public IP should be mosaiced.
#4
Re:Client numbers reported by router and controller differs significantly from reality
Thursday

Hi @Clive_A,

RE Nmap scan:

yes, I've scanned whole subnets in form of "192.168.xx.0/23"

 

RE arp cache:

arp has nothing to do with DHCP! arp protocol is initiated only when router wants to communicate with device, or device with router. and I definitely doubt, that any router makes regularly arp discovery of network.......

currently nmap detects on Site 1 73 active IPs, "show arp" outputs 31 hosts (including hosts with static IPs and upstream ISP router)

looking around the controller UI I've found, that router notifies the controller about every IP assigned via DHCP (Site Menu -> Logs -> Events -> Device), so the controller has all the information needed to show this info in separate table - like (not only) the Asus does.

all DHCP servers must keep track of all assigned IPs with remaining validity time, so there is IMHO absolutely no reason to hide it from admins

 

BTW: I'm freelance Windows Server and VMware admin wink

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#5
Re:Client numbers reported by router and controller differs significantly from reality
Thursday

  @ZoloNN 

 

I have found that the controller only reports clients that have had any kind of IP traffic hitting the gateway in the last 10 mins or so

If a device is quietly sitting there not doing anything it tends to drop off the list.

 

I don't really have an issue with this.

#6
Re:Client numbers reported by router and controller differs significantly from reality
Friday

Hi @ZoloNN

Thanks for posting in our business forum.

You have VPN sites and NMAP scanned the whole subnet, that's not correct. If you need to know the exact active number of the clients, set the lease time to a small value. And ARP would be the most updated and accurate way to find that out.

As you are some LINUX admin, you should know that LINUX usually uses ARP to view the connections. Not some client table.

And Openwrt-based system keeps the DHCP clients in the list while it is not even there. It has been a "feature" for WRT and it would only be flushed when the lease time is done. WRT is also a LINUX-based system. The system is customized based on the WRT.

This seems to be a legacy from the WRT if you get the result that a client is no longer connected but still displayed in the client.

 

I think ASUS is not based on OpenWRT. I recall they flash to Merlin. Not gonna work with the WRT. I use ASUS but I only find Merlin for update. Not really see WRT on ASUS.

 

Client number is not synced and some devices may not even have an IP displayed. That's been the case for years.

Mainly because the device lease time is not over. And there is a delay in the controller and router sync which you are already aware.

 

 

73 active IPs, can you identify some of the IPs that does show up in the arp? Will that cross-refer to the situation I explained?

ARP table is not showing anywhere on the system. I don't think you have an ARP table on the ASUS as well. ARP is layer 2 based and though it has something to do with the IP it should not really be displayed on the router.

Best Regards!
#7
Re:Client numbers reported by router and controller differs significantly from reality
Friday

hi @Clive_A ,

 

regarding WRT: WRT is a Linux-based firmware first introduced by Linksys on the WRT54G router. and since Linksys has released its source code under GNU, there are more WRT-based firmwares, like openWRT, DD-WRT, Tomato - and AsusWRT. almost all Asus routers since the WL-500 series use their own WRT fork with their own GUI. Asus-Merlin is based on the AsusWRT with some added features. a lot of Asus routers can be found in both openWRT and DD-WRT router databases, there is only some problem with some older WiFi radios, as there is no GNU driver for them, only binary blobs, so only basic 2.4GHz functionality is there

back then I had at home an WL-500gP V2 router running DD-WRT with 3G dongle backup connection. then RT-N66U, RT-AC66U and finally RT-AC66U_B1 all running Merlin FW.

the beauty of WRT is, that on Asus routers you were able to install additional packages from OpenWRT via SSH

so yes, Asus uses WRT and does not restrict the SSH access to some "funny shell"

 

 

but back to our issue:

 

 

Nmap shows all the devices which are pingable/have some open port(s). so this is a snapshot in time, what is on the network.

I scan only LAN subnets, VPN devices are always in different subnet (for site2site I use WireGuard using pfSense as ER605 doesn't yet allow FQDN in peer definition, for client access the ER605 built-in OpenVPN).

 

I do not need to know the exact active client number, I need to be able to address my IoT devices by their hostname, which is currently not possible - see here.

my primary DNS is AD-integrated one and IoT devices are not able to update their records (like Windows machines do) due to small memory/code size.

I do not care if the device is online or not - I need just to get the hostname-IP assignment table from the router.

 

And as I've found out, not all active DHCP clients can be found on any list provided either by controller or via SNMP, which makes the management and monitoring of IoT devices almost impossible....... or any other device not able to update their DNS records in any DNS server

 

 

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
#8
Re:Client numbers reported by router and controller differs significantly from reality
Yesterday - last edited Yesterday

Hi @ZoloNN 

Thanks for posting in our business forum.

That derives from the title and the issue here.

But in my experience with the WRT, as long as the DHCP's lease time is not over, they'll always be displayed in the DHCP list or client list. That's pretty dumb even though I have left the place.

 

Not all active DHCP clients are displayed in the controller, that's because the sync from the router/switch/AP is delayed. The list takes some time to refresh. And due to the LLDP, some devices may not be displayed as they are not reported back.

 

I believe if you Nmap in the LAN, not the whole overlapped subnet, without the VPN interference, it should display all the available clients. The number you see in the Client should not have a serious difference.

 

This delay or mismatch in the client list seems impossible to resolve. For regular computers, the client can display properly, at least in the lab, I have all active computers listed. I think it could be a problem with the IoT.

As for my home, I clustered the IoT to a different router. But for the core router, all are phones and computers, they have been displayed in the client very well.

 

As you have tried or may have WRT-based models, try your IoT connecting to them and will they display the client list on their system stably? If they don't, that's a problem with the IoT where they might lack certain protocols to maintain a proper display on the routers.

Best Regards!
#9
Re:Client numbers reported by router and controller differs significantly from reality
2 hours ago - last edited 2 hours ago

Hi  @Clive_A 

 

Re DHCP: 1st of all, this is how DHCP is intended to work: keeping list of MAC-IP-assignments till end of lease time, except when DHCP client sends DHCPRELEASE request. when the lease is about to expire, active clients ask for IP (and other parameters) again ensuring the client gets the same IP as it already has.

from monitoring point of view this is important, as you need hostname/IP to monitor any device. 

  • if the client is in DHCP list:
    • is reachable - OK
    • is unreachable - generate alarm (and the client was for sure reachable in time less than lease time)
  • isn't in DHCP list
    • client is offline for more than lease time of DHCP server

please note, that even the cheapest 15€ nonWRT routers can display the DHCP lease list and resolve their hostnames..........

currently I don't have any ASUS router active, as I have replaced them with two ER605 due to end of support. I'm not tired of life to expose unsupported router to the internet. but I can set up another network in my lab to test it and will come back to you.

 

Re IoT: the devices are quite simple and the network capabilities are quite restricted.

but what they for sure can: get IP and DNS entries from DHCP, transmit hostname in DHCP request and renew the IP lease. they usually cannot renew DNS registration in any DNS server except the router's one which is in sync via DHCP server (this standard feature is missing in ER605!). and they usually don't talk to internet, so there is no reason to be found in router's ARP cache due to cache timeout (typically 15-45 secs for windows and 60 for linux) - they talk to the router only once per DHCP lease time to renew the IP.

 

Re Nmap: I scan only the LAN subnet. and as you can see, the numbers are different. on ANY list there are mix of static and DHCP assigned clients - but not all of them.

on the other hand, I do not expect from the controller numbers to be up-to-date in fraction of seconds (nor minutes) - this should be the case when querying the router via SNMP as in this case the router is the single point of truth.

 

so again: I suggest to make the DHCP list accessible and implement the internal DNS server into the Omada ER605 routers

 

/BR ZoloNN --------------------------------------------------------------------------------------------------------------------- Omada 2x ER605(UN) v2.0 + SG200P(UN) V3.20 + 3x EAP615-Wall(EU) V1.0
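
The monitoring rule from the post above (lease present and reachable: OK; lease present and unreachable: alarm; no lease: offline for longer than the lease time), combined with the lease/ARP/scan mismatch discussed in the thread, as an added Python example that is not part of the thread or of any TP-Link tool. The lease, ARP and scan records are constructed sample data, and the `Lease` fields, status names and `reconcile` function are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2025, 1, 10, 12, 0, tzinfo=timezone.utc)  # constructed clock


@dataclass(frozen=True)
class Lease:
    ip: str
    mac: str
    hostname: str
    expires: datetime


# Constructed sample data (not taken from the thread).
LEASES = [
    Lease("192.168.10.101", "02:00:00:00:00:01", "plug-kitchen", NOW + timedelta(hours=20)),
    Lease("192.168.10.102", "02:00:00:00:00:02", "sensor-attic", NOW + timedelta(hours=3)),
    Lease("192.168.10.103", "02:00:00:00:00:03", "old-tablet", NOW - timedelta(days=2)),
]
STATIC_HOSTS = {"192.168.10.1": "router", "192.168.10.10": "dc01"}
# ARP cache: only hosts that exchanged traffic with the router recently.
ARP_CACHE = {"192.168.10.1", "192.168.10.10"}
# Hosts that answered a scan of the LAN subnet.
SCAN_UP = {"192.168.10.1", "192.168.10.10", "192.168.10.101", "192.168.10.250"}


def reconcile(leases, static_hosts, arp_cache, scan_up, now):
    """Return {ip: (status, name, in_arp)} for every IP seen in any source."""
    active = {l.ip: l for l in leases if l.expires > now}
    expired = {l.ip: l for l in leases if l.expires <= now}
    all_ips = set(active) | set(expired) | set(static_hosts) | arp_cache | scan_up
    report = {}
    for ip in sorted(all_ips, key=ipaddress.ip_address):
        reachable = ip in scan_up
        if ip in active:
            # Lease still valid: the device must be monitored.
            status = "ok" if reachable else "alarm"
            name = active[ip].hostname
        elif ip in static_hosts:
            status = "static-ok" if reachable else "static-down"
            name = static_hosts[ip]
        elif reachable or ip in arp_cache:
            # On the wire, but no valid lease and not a documented static host.
            status = "unaccounted"
            name = expired[ip].hostname if ip in expired else None
        else:
            # Known only from an expired lease: offline longer than the lease time.
            status = "lease-expired"
            name = expired[ip].hostname
        report[ip] = (status, name, ip in arp_cache)
    return report


if __name__ == "__main__":
    for ip, (status, name, in_arp) in reconcile(
        LEASES, STATIC_HOSTS, ARP_CACHE, SCAN_UP, NOW
    ).items():
        print(f"{ip:<16} {status:<14} {name or '-':<14} arp={'yes' if in_arp else 'no'}")
```

In the sample, `plug-kitchen` holds a valid lease and answers the scan but is absent from the ARP cache, which is the quiet-IoT case the post describes.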
#10