NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.
Forum Discussion
Solved
R7000 Log MAC address issue, can't locate?
I keep seeing this MAC address in my e-mailed log, F0:A2:25:04:27:37, and it is NOT in my list of ALLOWED devices or ATTACHED DEVICES for the router? From the logs sent: [DHCP IP: (192.168.1.6)...
Changed them but I'm wondering if it could be the USB drive attached to the Router? I use it as a Media Server (DLNA). However that has a different MAC address, c4:04:15:29:8f:3d, and I've never seen that in the log? The drive 'share' doesn't have a MAC address though.
Test will be tomorrow morning I guess?
Just discovered a Kindle that was sleeping...
Also I just looked at the log, IT IS HERE somewhere?
[Admin login] from source 192.168.1.30, Monday, Oct 12,2015 12:00:06
[WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:06
[WLAN access rejected: incorrect security] from MAC 10:AE:60:57:25:06, Monday, Oct 12,2015 12:00:05
[WLAN access rejected: incorrect security] from MAC 78:AC:C0:5C:FC:B8, Monday, Oct 12,2015 12:00:05
[WLAN access rejected: incorrect security] from MAC F0:A2:25:04:27:37, Monday, Oct 12,2015 12:00:05
[WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:05
[WLAN access rejected: incorrect security] from MAC 10:AE:60:57:25:06, Monday, Oct 12,2015 12:00:04
[WLAN access rejected: incorrect security] from MAC 78:AC:C0:5C:FC:B8, Monday, Oct 12,2015 12:00:04
[WLAN access rejected: incorrect security] from MAC F0:A2:25:04:27:37, Monday, Oct 12,2015 12:00:04
[WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:04Now as I change the passphrase to allow devices to connect I should be able to determine WHO it is?
Yeah, it was the Kindle... sheesh:
Allowed it and it connected...
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Monday, Oct 12,2015 12:12:47
Who knew?
A private MAC address is an address where the vendor has opted to register the OUI as private. See this page for reference. You can find the entry for OUI F0:A2:25 in the IEEE OUIs page. Warning, it's a big file.
Note that a private MAC address is different from a locally administered MAC address. A locally administered MAC address has the 2nd least significant bit set in the first octet. See the details on Wikipedia.
At first, I thought that F0:A2:25:04:27:37 was a locally administered MAC address (it's not because the 2nd least significant bit is not set). I know that Apple introduced the use of locally administered MAC addresses with iOS 8 in order to enhance privacy. It's mentioned here and described in further detail here. It turns out that iOS only uses a locally administered MAC address when probing for Wi-Fi networks, not when DHCPing for an IP address. Plus, as I already stated, the address in question is not locally administered, so the mysterious device is probably not an Apple.
Did you look at the Attached Devices page? If it's not currently attached, then that may explain why it's not showing up in Access Control.
If you are unable to find the device, then I think it's time to change your Wi-Fi passwords. You should probably change the router's admin password just to be safe. And make sure the guest network is disabled.
Should add that Guest Network is OFF and was NEVER on as well as the WPS PIN being OFF.
The iPad's do renew their leases before the odd one occurs:
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:59:38 [DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:24:39 [DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Sunday, Oct 11,2015 03:13:24 [DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Sunday, Oct 11,2015 03:06:55
Those are the .2 and .4 addresses. However there is a time difference so I don't think we could relate the .6's to each iPad.
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:59:37 [DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:24:39 [DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Saturday, Oct 10,2015 03:02:39 [DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Saturday, Oct 10,2015 02:52:09
Only that it does happen after each iPad gets the lease renewal.
I've decided to add F0:A2:25:04:27:37 to the BLOCKED list and see what happens rather than wait for Access Control to put something in the log. I guess it is possible that a neighbor's device found my signal stronger and tried to connect but the time makes me think that wouldn't be the case? However the neighbor's bedroom is probably closer to my router than his is (I've helped him on occassion and know where his router is. Still it would be impossible for him to connect without my password(s). He's never been here connecting either. Would a Phone's MAC address be registered to the vendor too?
As a test if the blocking doesn't show me something tomorrow morning I think I'll disconnect the FireTV. At that hour ONLY the 2 iPad's and the FireTV are powered on. We do have a SmartTV but that is off but I guess there is the possibility of it doing it even if off as AC is connected?
I really don't think it is outside my house though?
Or give the Fire TV a static ip address and see what shows up in the logs..
Already thought of that and did that long ago:
Interesting as I looked back on the logs I've got from 8/22/2015. It did NOT happen before 9/8/2015. The FireTV Stick was used on a few times though, twice since 9/8, and on the days it was used (the stick) that MAC Address doesn't appear in the log? In all the logs I've NOT seen that MAC Address and the FireTV's (10:AE:60:57:25:06) in the same log? Wonder if it has 2 functions using different IP and MAC addresses?
You can find the MAC address of the FireTV in Settings > System > About > Network. Your SmartTV should also display its MAC address in one of its menus. SmartTVs are like many Internet appliances; they are never really off unless totally unplugged.
If you will recall, you and I had discussed previously that Access Control is applied AFTER DHCP. So, you can go ahead and add F0:A2:25:04:27:37 to the BLOCKED list, but it's not going to eliminate it from the router's log.
If this MAC address does not belong to either your FireTV or SmartTV, then I'll reiterate my recommendation for you to change your Wi-Fi passwords.
Check SmartTV and FireTV, MAC addresses are as listed in the device list.
The FireTV was updated in Aug., before this stuff started to appear.
Suspect it could be the neighbor's phone finding my signal stronger and trying for renew?
You have a weird FireTV. The OUI for mine is 74:75:48, which is registered to Amazon. Mine was also updated in August.
Your neighbor's phone would be able to renew only if it had your Wi-Fi password.
