
Rogue AP with unknown MAC Identifier

SimonBelgium
Guide


I've been using the RBS50+RBS50 for some time now, and a while ago one of my security devices alerted me there was a rogue AP in the area broadcasting on my SSID.

When I researched the MAC identifier, there is no known manufacturer. It starts with 92:3B:...

 

I thought it was just a local script kiddie, and that he/she would give up after a few days.

 

As there's no change, and I still get the alerts, I took some time looking into it, and it seems there are in fact 2 rogue APs, with MAC addresses very close to my actual 2 routers.

 

Is this some obscure component from Netgear? I can't find any reference to it, nor is the MAC address listed anywhere online or in the ORBI web interface.

 

Can anyone shed any light on it? Or do I need to drive around to create a WiFi coverage map of the neighborhood to track this idiot down?

 

(Latest firmware etc of course)

Model: RBR50| Orbi AC3000 Tri-band WiFi (Router Only)
Message 1 of 10

Accepted Solutions
FURRYe38
Guru

Re: Rogue AP with unknown MAC Identifier

Those backhaul MACs are hidden as there is no need for any user to use them; they are only used by the Orbi system. Since the system is designed to be automatic with mostly simple configuration, there's no need to display some system settings and configurations. This is how it works for MESH and Smart Connected features. You might contact the Mfr of your security device to ask how they detect and handle MESH and Smart Connect WiFi router systems. Probably a false positive on their part.


@SimonBelgium wrote:

Seriously? Why would they not list those in the web interface?

How can I identify which ones are the actual "hidden" MACs? Yes they are VERY close to the actual MACs


 


Message 6 of 10

All Replies
ekhalil
Master

Re: Rogue AP with unknown MAC Identifier

There are 4x4 hidden SSIDs used by the Orbi backhaul. Those networks usually have MAC addresses similar to the ones broadcasting the client networks, with the first or last 2 characters in the MAC different. Are you referring to those?

Message 2 of 10
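The check described in the reply above, as an added example that is not part of the original thread: it flags whether a BSSID is a locally administered (software-assigned) address and whether it differs from one of your own AP MACs only in the first or last octet. The prefix 92:3B from the question has the locally administered bit set, which is why a vendor lookup finds nothing. All full MAC addresses and function names here are constructed for illustration.

```python
# Added example: compare scanned BSSIDs with the MACs of your own mesh units.
# KNOWN_APS and every full address below are constructed sample values.
KNOWN_APS = ["a0:3b:c4:10:20:30", "a0:3b:c4:10:20:40"]

def parse_mac(mac: str) -> bytes:
    """Parse 'aa:bb:cc:dd:ee:ff' or 'AA-BB-...' into 6 raw bytes."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return raw

def is_locally_administered(mac: str) -> bool:
    """True when the U/L bit (0x02 of the first octet) is set.
    Such addresses are assigned by software, so OUI lookups show no vendor."""
    return bool(parse_mac(mac)[0] & 0x02)

def differing_octets(a: str, b: str) -> list:
    """Indexes (0..5) of the octets where two MACs differ."""
    pairs = zip(parse_mac(a), parse_mac(b))
    return [i for i, (x, y) in enumerate(pairs) if x != y]

def classify(bssid: str, known_aps: list) -> str:
    """Label a scanned BSSID relative to the MACs of your own units."""
    diffs = {ap: differing_octets(bssid, ap) for ap in known_aps}
    # Exact matches win, so a neighbouring unit is never mislabelled.
    if any(not d for d in diffs.values()):
        return "known AP"
    # Heuristic from the reply above: only the first or last octet differs.
    for ap, d in diffs.items():
        if d in ([0], [5]):
            return f"likely virtual interface of {ap}"
    return "unknown, investigate"

def report(scan: list, known_aps: list) -> list:
    """Return (bssid, locally_administered, label) for each scanned BSSID."""
    return [(b, is_locally_administered(b), classify(b, known_aps))
            for b in scan]

if __name__ == "__main__":
    sample_scan = ["a2:3b:c4:10:20:30", "a0:3b:c4:10:20:31",
                   "de:ad:be:ef:00:01"]  # constructed scan results
    for row in report(sample_scan, KNOWN_APS):
        print(row)
```

A near match is only a hint, since a BSSID can be set to any value; checking whether the signal disappears when the Orbi units are powered off confirms it.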
FURRYe38
Guru

Re: Rogue AP with unknown MAC Identifier

I would use a WiFi scanner to see what's going on in your surroundings:

https://itunes.apple.com/us/app/network-analyzer-lite-wifi/id562315041?mt=8
http://www.nirsoft.net/utils/wifi_information_view.html
https://www.acrylicwifi.com/en/wlan-software/wlan-scanner-acrylic-wifi-free/
https://lizardsystems.com/wi-fi-scanner/screenshots.php
http://nutsaboutnets.com
http://www.metageek.com/products/inssider/

 

Is Guest Network enabled by chance? 


@SimonBelgium wrote:

I've been using the RBS50+RBS50 for some time now, and a while ago one of my security devices alerted me there was a rogue AP in the area broadcasting on my SSID.

When I researched the MAC identifier, there is no known manufacturer. It starts with 92:3B:...

 

I thought it was just a local script kiddie, and that he/she would give up after a few days.

 

As there's no change, and I still get the alerts, I took some time looking into it, and it seems there are in fact 2 rogue APs, with MAC addresses very close to my actual 2 routers.

 

Is this some obscure component from Netgear? I can't find any reference to it, nor is the MAC address listed anywhere online or in the ORBI web interface.

 

Can anyone shed any light on it? Or do I need to drive around to create a WiFi coverage map of the neighborhood to track this idiot down?

 

(Latest firmware etc of course)


 

Message 3 of 10
SimonBelgium
Guide

Re: Rogue AP with unknown MAC Identifier

Seriously? Why would they not list those in the web interface?

How can I identify which ones are the actual "hidden" MACs? Yes they are VERY close to the actual MACs

Message 4 of 10
ekhalil
Master

Re: Rogue AP with unknown MAC Identifier


@SimonBelgium wrote:

Yes they are VERY close to the actual MACs


Then I would say that these are your backhaul wifi channels.

Message 5 of 10
FURRYe38
Guru

Re: Rogue AP with unknown MAC Identifier

Those backhaul MACs are hidden as there is no need for any user to use them; they are only used by the Orbi system. Since the system is designed to be automatic with mostly simple configuration, there's no need to display some system settings and configurations. This is how it works for MESH and Smart Connected features. You might contact the Mfr of your security device to ask how they detect and handle MESH and Smart Connect WiFi router systems. Probably a false positive on their part.


@SimonBelgium wrote:

Seriously? Why would they not list those in the web interface?

How can I identify which ones are the actual "hidden" MACs? Yes they are VERY close to the actual MACs


 

Message 6 of 10
SimonBelgium
Guide

Re: Rogue AP with unknown MAC Identifier

Thanks guys,

 

Is there any documentation on the use of those virtual MACs for the backchannel? 

Message 7 of 10
FURRYe38
Guru

Re: Rogue AP with unknown MAC Identifier

There isn't from what I can tell. 

Message 8 of 10
RickDias
Tutor

Re: Rogue AP with unknown MAC Identifier

When I installed the new V2.2.1.210 firmware on 10/12/18, I started seeing a weird device showing up.  The Orbi's Attached Devices admin page identified it as a Cadant device, and when I checked the IP address it matched the range for a Comcast server upstream of me.  At the same time I started having a bunch of DHCP issues, with my SB6141 modem trying to supply some 192.168.100.X addresses on the network and the Orbi supplying the expected 192.168.1.X range.  I power cycled everything (cable modem, Orbis and ethernet switches) and haven't seen the Cadant device for a few days.

 

Good luck!

 

SB6141>RBR40>(wired)RBS40 w/30+ devices attached total

Message 9 of 10
FURRYe38
Guru

Re: Rogue AP with unknown MAC Identifier

If you updated to recent FW v.210, try enabling Daisy Chain. Some have mentioned that this seems to be working in reverse order, enabling means disabled actually. Hoping NG support can have a look at this. So try this out as well.
https://community.netgear.com/t5/Orbi/Firmware-2-2-1-210-and-connection-problems-Skybell/m-p/1649275...

 

If you see this again, try this next time:

https://community.netgear.com/t5/Orbi/Firmware-2-2-1-210-released-as-of-10-3-18/m-p/1647303/highligh...


@RickDias wrote:

When I installed the new V2.2.1.210 firmware on 10/12/18, I started seeing a weird device showing up.  The Orbi's Attached Devices admin page identified it as a Cadant device, and when I checked the IP address it matched the range for a Comcast server upstream of me.  At the same time I started having a bunch of DHCP issues, with my SB6141 modem trying to supply some 192.168.100.X addresses on the network and the Orbi supplying the expected 192.168.1.X range.  I power cycled everything (cable modem, Orbis and ethernet switches) and haven't seen the Cadant device for a few days.

 

Good luck!

 

SB6141>RBR40>(wired)RBS40 w/30+ devices attached total


 

Message 10 of 10