TL-WR850N - Unknown MAC in traffic stats, no records in syslog
Hello!
I have a TL-WR850N v2 router, Software version: 3.16.0 0.9.1 v6026.0, one WAN ipoe link, Wireless mode: WPA2-PSK AES, 11-character ASCII key, two wireless clients, no one else knows the key. That night I noticed strange records in the router's traffic statistics.
Statistics today, 03.04.2021, at about 00:30:
192.168.0.100 and 192.168.0.101 and their MACs are known devices of mine; the other IPs with the same MAC are unknown.
The DHCPD range is set from 192.168.0.100, so since I can see 192.168.0.11 in the list, I can assume it is a self-assigned IP, without using DHCP.
Statistics today, 03.04.2021, at about 12:50:
12 hours later 192.168.0.103 was added with the same unknown MAC with 4 packets.
In the system log there is nothing, only the WAN's "Send REQUEST to server" and "Recv ACK from server".
MAC OUI says the unknown MAC is Cisco.
Any ideas?
Thanks.
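The reasoning in the post above (an entry whose MAC is not one of the owner's devices, and an IP below the start of the DHCP pool, so it cannot have been handed out by DHCPD) can be turned into a small audit of the router's traffic-statistics table. The following is an added example, not code from the thread or from TP-Link: the statistics rows, the inventory of known MACs and the pool end address 192.168.0.199 are all constructed sample values (only the pool start .100 and the addresses .11/.103 come from the post).

```python
import ipaddress
from collections import defaultdict

# Constructed sample of the router's "Traffic Statistics" table: (ip, mac, packets).
# The .100/.101 rows stand in for the owner's devices, the D8:67:D9 rows for the
# unexplained MAC that appeared under two different addresses.
TRAFFIC_STATS = [
    ("192.168.0.100", "00:EE:AA:BB:CC:01", 15234),
    ("192.168.0.101", "00:EE:AA:BB:CC:02", 8891),
    ("192.168.0.11",  "D8:67:D9:12:34:56", 7),
    ("192.168.0.103", "D8:67:D9:12:34:56", 4),
]

# Inventory of MACs the owner recognises (constructed).
KNOWN_MACS = {"00:EE:AA:BB:CC:01": "laptop", "00:EE:AA:BB:CC:02": "phone"}

# DHCPD pool as configured on the router: start .100 is from the thread, end .199 is assumed.
DHCP_POOL = (ipaddress.IPv4Address("192.168.0.100"),
             ipaddress.IPv4Address("192.168.0.199"))


def normalize_mac(mac):
    """Upper-case, colon-separated form so that inventory comparisons are exact."""
    return mac.strip().upper().replace("-", ":")


def in_dhcp_pool(ip, pool=DHCP_POOL):
    """True if the address lies inside the DHCP pool. An address outside it was not
    handed out by DHCPD, so the client must have configured it statically."""
    addr = ipaddress.IPv4Address(ip)
    return pool[0] <= addr <= pool[1]


def audit(stats, known=KNOWN_MACS, pool=DHCP_POOL):
    """Flag every row whose MAC is not in the inventory, and note when its IP
    could not have come from DHCPD."""
    findings = []
    for ip, mac, packets in stats:
        mac = normalize_mac(mac)
        if mac in known:
            continue
        reasons = ["MAC not in inventory"]
        if not in_dhcp_pool(ip, pool):
            reasons.append("IP outside DHCP pool (static or self-assigned)")
        findings.append({"ip": ip, "mac": mac, "packets": packets, "reasons": reasons})
    return findings


def macs_with_multiple_ips(stats):
    """One MAC showing up under several IPs is the pattern described in the post
    (.11 first, .103 twelve hours later)."""
    by_mac = defaultdict(list)
    for ip, mac, _ in stats:
        by_mac[normalize_mac(mac)].append(ip)
    return {mac: ips for mac, ips in by_mac.items() if len(ips) > 1}


if __name__ == "__main__":
    for f in audit(TRAFFIC_STATS):
        print(f"{f['ip']:15} {f['mac']}  {f['packets']:>6} pkts  {'; '.join(f['reasons'])}")
    for mac, ips in macs_with_multiple_ips(TRAFFIC_STATS).items():
        print(f"{mac} seen under {len(ips)} addresses: {', '.join(ips)}")
```

Run against the real table, the second finding (an out-of-pool IP paired with an unknown MAC) is the one worth acting on: it means the client never spoke to DHCPD, which is also why, as the later posts note, the DHCPD log level shows nothing for it.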
This is a US Forum, and from what I can tell, that router isn't even available in the US?
One thing I'd suggest, use MAC FILTERING (see Manual, https://static.tp-link.com/2018/201801/20180116/TL-WR850N_UG.pdf, section 4.3.6) to only allow the MACs you know to access?
Also, do you have the GUEST network enabled, with no Security?
Yes, I can't find the TL-WR850N model in the device list when creating this topic, but I guess some US model works on similar firmware and somebody can offer some ideas.
Currently I don't want to block this MAC by blacklisting or change the key, because I want to identify the problem first, what it is and why it happened. I also want to trace the time of this unknown device's connection.
No Guest network, Multi-SSID disabled, WPS, WDS disabled, nobody has a physical access to the device.
I understand, but this is Sat. in the US and the TP-Link moderators might be the best ones to assist. They might not see this until Mon.
Some 'mesh' routers do have 'hidden' SSIDs that are always on. Could this be the case? Some NETWORK SCANNER s/w, like Acrylic, can see those.
As a test, I'd use MAC FILTERING and then look in the ROUTER log, as it should note a failed connect. It might provide more info. Also, the device trying to connect might give a warning.
Wondering if a nearby Mesh router is connecting or even trying to?
It would be great if moderators could assist.
Not sure about mesh. I have experience with some Huawei routers with hidden SSIDs enabled by default, but AFAIK my WR850N doesn't have such a feature. Tried to check with an Android wifi analyzer and can't find anything suspicious or similar.
Another problem is the poor router syslog interface. It has only three options (I believe it has more in firmware, not shown in the web browser): SYSTEM (router events), DHCPC (WAN client), DHCPD (router daemon). I have tried adding my Android device to the blacklist; the only thing I get is:
2021-04-03 16:36:00 | SYSTEM | Notification | Enable firewall |
and then
DHCPD | Notification | Recv REQUEST from 00:EE: MY DEVICE |
DHCPD | Notification | Send ACK to 192.168.0. MY IP |
The device connected to the router, obtained an IP from DHCPD and has no access to the network, but I don't receive any warnings from the system or firewall viewable in the web interface.
The unknown device's connection doesn't ask DHCPD for an IP, so I can't trace it at such a log level. Tried to install a remote syslog and set the lowest available logging level (Level7), but it shows the same information.
If you have an unknown MAC address, you can google "mac address lookup" and find many services that will tell you what company uses that MAC prefix for most MAC addresses. For example, for one of your prefixes, D8:67:D9 is Cisco Systems.
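Two points from the posts above can be combined into one check: the router's syslog only records clients that talk to DHCPD (a "Recv REQUEST from <MAC>" line followed by "Send ACK to <IP>"), so a MAC that carries traffic but never appears in a DHCPD REQUEST is a statically configured client; and the OUI prefix of that MAC can be tagged with a vendor, as the reply just above suggests. The following is an added example, not code from the thread or from TP-Link. The syslog excerpt is constructed in the pipe-delimited "date time | facility | level | message |" layout quoted earlier in the thread, the traffic rows are constructed, and the OUI table is a tiny embedded stand-in for a real lookup service (its single Cisco entry repeats the prefix named in the reply above).

```python
import re
from collections import defaultdict

# Matches a colon-separated MAC anywhere in a log message.
MAC_RE = re.compile(r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})")

# Constructed syslog excerpt in the router's "date time | facility | level | message |" layout.
# Only the two known clients ever ask DHCPD for a lease; the WAN-side DHCPC lines are noise here.
SYSLOG = """\
2021-04-03 16:36:00 | SYSTEM | Notification | Enable firewall |
2021-04-03 16:36:12 | DHCPD | Notification | Recv REQUEST from 00:EE:AA:BB:CC:01 |
2021-04-03 16:36:12 | DHCPD | Notification | Send ACK to 192.168.0.100 |
2021-04-03 16:40:05 | DHCPD | Notification | Recv REQUEST from 00:EE:AA:BB:CC:02 |
2021-04-03 16:40:05 | DHCPD | Notification | Send ACK to 192.168.0.101 |
2021-04-03 16:41:00 | DHCPC | Notification | Send REQUEST to server |
2021-04-03 16:41:00 | DHCPC | Notification | Recv ACK from server |
"""

# Constructed traffic-statistics rows: (ip, mac). The D8:67:D9 client sends traffic
# under two addresses but never appears in the DHCPD log.
TRAFFIC_STATS = [
    ("192.168.0.100", "00:EE:AA:BB:CC:01"),
    ("192.168.0.101", "00:EE:AA:BB:CC:02"),
    ("192.168.0.11",  "D8:67:D9:12:34:56"),
    ("192.168.0.103", "D8:67:D9:12:34:56"),
]

# Stand-in for an OUI lookup service: first three octets -> registered vendor.
# Constructed; a real check would query the IEEE registry or a lookup site.
OUI_TABLE = {"D8:67:D9": "Cisco Systems"}


def parse_syslog(text):
    """Split each pipe-delimited line into its four fields; skip anything malformed."""
    events = []
    for line in text.splitlines():
        parts = [p.strip() for p in line.strip().strip("|").split("|")]
        if len(parts) < 4:
            continue
        ts, facility, level, msg = parts[:4]
        events.append({"time": ts, "facility": facility, "level": level, "message": msg})
    return events


def dhcp_request_macs(events):
    """MACs that asked DHCPD for a lease (the LAN daemon, not the WAN-side DHCPC)."""
    macs = set()
    for e in events:
        if e["facility"] == "DHCPD" and e["message"].startswith("Recv REQUEST from"):
            m = MAC_RE.search(e["message"])
            if m:
                macs.add(m.group(1).upper())
    return macs


def oui_vendor(mac, table=OUI_TABLE):
    """Vendor registered for the MAC's OUI prefix, or a marker when it is not in the table."""
    return table.get(mac.upper()[:8], "unknown vendor")


def devices_without_dhcp(stats, events):
    """Clients present in traffic statistics that never sent a DHCPD REQUEST, i.e. clients
    that configured their address themselves and so leave no trace at the DHCPD log level."""
    requested = dhcp_request_macs(events)
    by_mac = defaultdict(list)
    for ip, mac in stats:
        by_mac[mac.upper()].append(ip)
    return {mac: {"ips": ips, "vendor": oui_vendor(mac)}
            for mac, ips in by_mac.items() if mac not in requested}


if __name__ == "__main__":
    for mac, info in devices_without_dhcp(TRAFFIC_STATS, parse_syslog(SYSLOG)).items():
        print(f"{mac} ({info['vendor']}): traffic from {', '.join(info['ips'])}, no DHCPD REQUEST logged")
```

Feeding the remote-syslog capture and the statistics table into this gives the list of clients the DHCPD facility can never show; for those, the only router-side evidence is the traffic counter, which is why the MAC-filtering test suggested earlier (which should produce a log entry at association time rather than at lease time) is the next useful data point.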
ArcherC8 wrote
If you have an unknown MAC address, you can google "mac address lookup" and find many services that will tell you what company uses that MAC prefix for most MAC addresses. For example for one of your prefixes D8:67:D9 is Cisco Systems
It appears he did do that, all are the same, "MAC OUI says the unknown MAC is Cisco "
That is what made me think possibly a Mesh Router was trying to or actually did connect?
The TP-Link model he has appears to be for the Middle East I think? I looked at the manual, but nothing struck me as this being a Mesh capable router either?
As I looked over the User Manual (Link in an above reply), on page 61 is the CWMP Feature. It appears that feature 'may' use an IP Address (in the document by Cisco, https://www.cisco.com/c/en/us/td/docs/net_mgmt/broadband_access_center/3-10/administration/guide/Cisco_BAC310_Admin_Guide/Chap_12.pdf)? I'm now wondering IF that is the case, the external Server connecting and using an IP Address for LAN access? Never worked with CWMP so I'm just guessing here?
The router it seems is like mine too, it doesn't release the IP Address it assigns to a device, even after the device disconnects? I can see it now on my A20, daughter was here, her Apple phone and watch have an IP Address listed in DHCP. IP Address 192.168.0.192 and .112, not even sequential (pool is from 100 to 199). Lease time is 1440 or 24 hours. I guess it holds it then and would only release it when it needed an address and the oldest is re-used? My DHCP list shows me the Lease Time left. OP's list didn't have a Lease Time from what I can tell, maybe those all happened within the timeframe for a lease and each connect gave a different IP Address?
That all assumes it is caused by CWMP? @sergezh, is CWMP enabled on the router?