R7000 Log MAC address issue, can't locate?

A private MAC address is an address where the vendor has opted to register the OUI as private.  See this page for reference.  You can find the entry for OUI F0:A2:25 in the IEEE OUIs page.  Warning, it's a big file.

Note that a private MAC address is different from a locally administered MAC address.  A locally administered MAC address has the 2nd least significant bit set in the first octet.  See the details on Wikipedia.

At first, I thought that F0:A2:25:04:27:37 was a locally administered MAC address (it's not because the 2nd least significant bit is not set).  I know that Apple introduced the use of locally administered MAC addresses with iOS 8 in order to enhance privacy.  It's mentioned here and described in further detail here.  It turns out that iOS only uses a locally administered MAC address when probing for Wi-Fi networks, not when DHCPing for an IP address.  Plus, as I already stated, the address in question is not locally administered, so the mysterious device is probably not an Apple.

Did you look at the Attached Devices page?  If it's not currently attached, then that may explain why it's not showing up in Access Control.

If you are unable to find the device, then I think it's time to change your Wi-Fi passwords.  You should probably change the router's admin password just to be safe.  And make sure the guest network is disabled.

We can continue this e-mail if you wish, but I did search the list you referenced:

==========

F0-A2-25   (hex)		Private
F0A225     (base 16)		Private

==========

The Attached Devices of course it wouldn't be on there. However it doesn't show on ANY list (Attached, Allowed, or Blocked) on the Acess Control page either?

Interestingly I found I asked this same question awhile ago, here (old forum) and other places with no resolution:

https://forum1.netgear.com/t5/Nighthawk-WiFi-Routers/Questions-about-my-LOG-entries/td-p/509827

http://www.dslreports.com/forum/r29729174-R7000-Log-entry-questions?group=noreply

http://www.amazon.com/gp/help/customer/forums/ref=cs_hc_g_pl?ie=UTF8&forumID=Fx1SKFFP8U1B6N5&cdThrea...

The common denominator here is the FireTV stick.

What CAN be connected to the Router...

The Blocked list has a single device, a phone from the ISP's tech from when he was last here.

The difference between those Dec. 2014 reports and today is I was on W8.1 then and there was a way to remove the spurious phone from appearing via a Service change I found.

I suspect, but can't confirm it is related to the FireTV stick. That appears to be the start of that appearing I think?

I am assuming Access Control being turned on will help identify the device as it tries to connect. It should be blocked. Why twice at almost the same time each day (old references above have the same time if you take Daylight Savings time into consideration).

Should add that Guest Network is OFF and was NEVER on as well as the WPS PIN being OFF.

The iPad's do renew their leases before the odd one occurs:

[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:59:38
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Sunday, Oct 11,2015 03:24:39
[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Sunday, Oct 11,2015 03:13:24
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Sunday, Oct 11,2015 03:06:55

Those are the .2 and .4 addresses. However there is a time difference so I don't think we could relate the .6's to each iPad.

[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:59:37
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Saturday, Oct 10,2015 03:24:39
[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Saturday, Oct 10,2015 03:02:39
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Saturday, Oct 10,2015 02:52:09

Only that it does happen after each iPad gets the lease renewal.

I've decided to add F0:A2:25:04:27:37 to the BLOCKED list and see what happens rather than wait for Access Control to put something in the log. I guess it is possible that a neighbor's device found my signal stronger and tried to connect but the time makes me think that wouldn't be the case? However the neighbor's bedroom is probably closer to my router than his is (I've helped him on occassion and know where his router is. Still it would be impossible for him to connect without my password(s). He's never been here connecting either. Would a Phone's MAC address be registered to the vendor too?

As a test if the blocking doesn't show me something tomorrow morning I think I'll disconnect the FireTV. At that hour ONLY the 2 iPad's and the FireTV are powered on. We do have a SmartTV but that is off but I guess there is the possibility of it doing it even if off as AC is connected?

I really don't think it is outside my house though?

Or give the Fire TV a static ip address and see what shows up in the logs..

You can find the MAC address of the FireTV in Settings > System > About > Network. Your SmartTV should also display its MAC address in one of its menus.  SmartTVs are like many Internet appliances; they are never really off unless totally unplugged.

If you will recall, you and I had discussed previously that Access Control is applied AFTER DHCP.  So, you can go ahead and add F0:A2:25:04:27:37 to the BLOCKED list, but it's not going to eliminate it from the router's log.

If this MAC address does not belong to either your FireTV or SmartTV, then I'll reiterate my recommendation for you to change your Wi-Fi passwords.

Already thought of that and did that long ago:

Interesting as I looked back on the logs I've got from 8/22/2015. It did NOT happen before 9/8/2015. The FireTV Stick was used on a few times though, twice since 9/8, and on the days it was used (the stick) that MAC Address doesn't appear in the log? In all the logs I've NOT seen that MAC Address and the FireTV's (10:AE:60:57:25:06) in the same log? Wonder if it has 2 functions using different IP and MAC addresses?

Check SmartTV and FireTV, MAC addresses are as listed in the device list.

The FireTV was updated in Aug., before this stuff started to appear.

Suspect it could be the neighbor's phone finding my signal stronger and trying for renew?

You have a weird FireTV.  The OUI for mine is 74:75:48, which is registered to Amazon.  Mine was also updated in August.

Your neighbor's phone would be able to renew only if it had your Wi-Fi password.

Yes, mine is 10:AE:60 which shows as PRIVATE. I'm guessing you bought yours direct from Amazon, had you account set on it as well. We got ours from Best Buy. Maybe that is how Amazon can tell where you got it? Different MAC's for different sellers?

Well it seems odd but again I got that same MAC connecting at the same 2 times. The LOG doesn't tell me if it did or didn't connect though so I assume it did connect.

I messed around with the SmartTV's connection to see what would happen with a bad pass phrase:

[DHCP IP: (192.168.1.5)] to MAC address 0C:89:10:84:61:9C, Sunday, Oct 11,2015 12:16:06
[Admin login] from source 192.168.1.30, Sunday, Oct 11,2015 12:14:39
[WLAN access rejected: incorrect security] from MAC 0C:89:10:84:61:9C, Sunday, Oct 11,2015 12:14:06
[WLAN access rejected: incorrect security] from MAC 0C:89:10:84:61:9C, Sunday, Oct 11,2015 12:13:55
[WLAN access rejected: incorrect security] from MAC 0C:89:10:84:61:9C, Sunday, Oct 11,2015 12:13:45
[Admin login] from source 192.168.1.30, Sunday, Oct 11,2015 11:37:02

So the log does show some attempts to connect EVEN if the device is allowed.

Don't know why the 2 specific times the device is either trying to connect or does connect?

[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Monday, Oct 12,2015 03:59:28
[DHCP IP: (192.168.1.6)] to MAC address F0:A2:25:04:27:37, Monday, Oct 12,2015 03:24:39

Always around the same time, never connected when I get up around 7AM or so? It IS in my blocked list too but the log doesn't seem to tell me much. Only things connected AND sleeping at that time are the iPad's. Every other device is powered off?

Odd that the time stays around the same, even from Dec. 2014? The iPad's shift time they renew all the time.

[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Sunday, Oct 11,2015 03:13:24
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Sunday, Oct 11,2015 03:06:55

[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Saturday, Oct 10,2015 03:02:39
[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Saturday, Oct 10,2015 02:52:09

[DHCP IP: (192.168.1.2)] to MAC address 1C:AB:A7:F0:61:EB, Friday, Oct 09,2015 02:48:09
[DHCP IP: (192.168.1.4)] to MAC address A4:67:06:57:DD:0E, Friday, Oct 09,2015 02:45:56

Makes no sense, they is nothing that device can do but use my Inet connection.

I don't even know which SSID it is on? I guess I'll change the pass phrase and see if I get reject from it?