NETGEAR is aware of a growing number of phone and online scams. To learn how to stay safe click here.

Forum Discussion

IrvSp's avatar
IrvSp
Master
Oct 11, 2015
Solved

R7000 Log MAC address issue, can't locate?

I keep seeing this MAC address in my e-mailed log, F0:A2:25:04:27:37, and it is NOT in my list of ALLOWED devices or ATTACHED DEVICES for the router? From the logs sent: [DHCP IP: (192.168.1.6)...
Advanced Features
Firmware
Security
  • IrvSp's avatar
    IrvSp
    Oct 12, 2015

    Changed them but I'm wondering if it could be the USB drive attached to the Router? I use it as a Media Server (DLNA). However that has a different MAC address, c4:04:15:29:8f:3d, and I've never seen that in the log? The drive 'share' doesn't have a MAC address though.

     

    Test will be tomorrow morning I guess?

     

    Just discovered a Kindle that was sleeping...

     

    Also I just looked at the log, IT IS HERE somewhere?

     

    [Admin login] from source 192.168.1.30, Monday, Oct 12,2015 12:00:06
    [WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:06
    [WLAN access rejected: incorrect security] from MAC 10:AE:60:57:25:06, Monday, Oct 12,2015 12:00:05
    [WLAN access rejected: incorrect security] from MAC 78:AC:C0:5C:FC:B8, Monday, Oct 12,2015 12:00:05
    [WLAN access rejected: incorrect security] from MAC F0:A2:25:04:27:37, Monday, Oct 12,2015 12:00:05
    [WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:05
    [WLAN access rejected: incorrect security] from MAC 10:AE:60:57:25:06, Monday, Oct 12,2015 12:00:04
    [WLAN access rejected: incorrect security] from MAC 78:AC:C0:5C:FC:B8, Monday, Oct 12,2015 12:00:04
    [WLAN access rejected: incorrect security] from MAC F0:A2:25:04:27:37, Monday, Oct 12,2015 12:00:04
    [WLAN access rejected: incorrect security] from MAC 2C:44:FD:61:46:24, Monday, Oct 12,2015 12:00:04

     

    Now as I change the passphrase to allow devices to connect I should be able to determine WHO it is?

     

    Yeah, it was the Kindle... sheesh:

     

     

    Capture.JPG

     

    Allowed it and it connected...

     

    [DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Monday, Oct 12,2015 12:12:47

     

    Who knew?

TheEther's avatar
TheEther
Guru
Oct 11, 2015

A private MAC address is an address where the vendor has opted to register the OUI as private.  See this page for reference.  You can find the entry for OUI F0:A2:25 in the IEEE OUIs page.  Warning, it's a big file.

 

Note that a private MAC address is different from a locally administered MAC address.  A locally administered MAC address has the 2nd least significant bit set in the first octet.  See the details on Wikipedia.

 

At first, I thought that F0:A2:25:04:27:37 was a locally administered MAC address (it's not because the 2nd least significant bit is not set).  I know that Apple introduced the use of locally administered MAC addresses with iOS 8 in order to enhance privacy.  It's mentioned here and described in further detail here.  It turns out that iOS only uses a locally administered MAC address when probing for Wi-Fi networks, not when DHCPing for an IP address.  Plus, as I already stated, the address in question is not locally administered, so the mysterious device is probably not an Apple.

 

Did you look at the Attached Devices page?  If it's not currently attached, then that may explain why it's not showing up in Access Control.

 

If you are unable to find the device, then I think it's time to change your Wi-Fi passwords.  You should probably change the router's admin password just to be safe.  And make sure the guest network is disabled.

IrvSp's avatar
IrvSp
Master
Oct 11, 2015

Should add that Guest Network is OFF and was NEVER on as well as the WPS PIN being OFF.

 

The iPad's do renew their leases before the odd one occurs:

 

[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:59:38
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:24:39
[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Sunday, Oct 11,2015 03:13:24
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Sunday, Oct 11,2015 03:06:55

Those are the .2 and .4 addresses. However there is a time difference so I don't think we could relate the .6's to each iPad.

 

[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:59:37
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:24:39
[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Saturday, Oct 10,2015 03:02:39
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Saturday, Oct 10,2015 02:52:09

Only that it does happen after each iPad gets the lease renewal.

 

I've decided to add F0:A2:25:04:27:37 to the BLOCKED list and see what happens rather than wait for Access Control to put something in the log. I guess it is possible that a neighbor's device found my signal stronger and tried to connect but the time makes me think that wouldn't be the case? However the neighbor's bedroom is probably closer to my router than his is (I've helped him on occassion and know where his router is. Still it would be impossible for him to connect without my password(s). He's never been here connecting either. Would a Phone's MAC address be registered to the vendor too?

 

As a test if the blocking doesn't show me something tomorrow morning I think I'll disconnect the FireTV. At that hour ONLY the 2 iPad's and the FireTV are powered on. We do have a SmartTV but that is off but I guess there is the possibility of it doing it even if off as AC is connected?

 

I really don't think it is outside my house though?