odd "joined the network" alerts for one week a year

ChrisByrnes
ChrisByrnes Member Posts: 9
Last year I started getting odd device alerts about some unidentified device joining but apparently never getting an IP address. They arrived roughly hourly and never with the same device address (samples below). No manufacturer associated with most of the addresses. After about a week they stopped happening. Welcome to 2020 - they are back. Example:
42:44:9F:A8:C1:6D joined the network for the first time
2020 Feb 7 17:54
42:44:9F:A8:C1:6D left the network
2020 Feb 7 17:54
42:44:9F:A8:C1:6D entered the network

Answers

  • Scooby
    Scooby Member Posts: 178
    edited February 9, 2020 #2
    This is a tough one. Not much info to go on. Any MAC address that starts with "X2", "X6", "XA", "XE", where the "X" can be any hexadecimal number, is a "local" MAC address. Meaning, it is a locally created one. Which router/gateway do you have, and do you have UPNP and/or the "guest network" enabled? Do you have any "smart" devices - lightbulbs, plugs, thermostat, etc?
  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    Yeah, all of the MACs are local. They seem never to repeat - all just apparently random within the local space. I do have a lot of low-cost IOT devices around the house, but they have all seemed to be well behaved to date. When this happened last year my router was an old Apple high end unit but this year I am now on a Netgear Orbi wifi6 level (very new tech) set. I do have a guest network - I will try shutting that down. UPnP is off - I had it on for a while and much stranger things were happening: my firewall would report that my wife's iPhone was opening a port while her iPhone was turned off. Ghosts in the network?
  • Scooby
    Scooby Member Posts: 178
    edited February 9, 2020 #4
    Here is a similar post, by another individual:
    The issue doesn't appear to be resolved, but, are you using a VPN, by chance? Are you using the Orbi router alone, or with (an)other satellite(s)?

  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    5 Likes First Comment Photogenic
    Good catch; very similar. In my case they seem not to actually get IP addresses and they typically stay around less than one minute. It is 8AM here and since midnight I have had 17 such connections, all blocked now that I have set fingbox to block them. Turning off my guest network had no effect. The Orbi is a wifi6 mesh router with a base station and one satellite. In addition I have two cheap network extenders to allow for hard wired devices in odd locations. Directly attached to the base station is a printer, FingBox and a Firewalla firewall as well as a QNAP (linux) server. Since the Firewalla sees nothing of all this I assume these ghost devices are not some form of leakage from the ISP side. When these ghost devices popped up last year they behaved the same way for a few weeks and then suddenly stopped. I am hoping the same thing occurs. But it really would be nice to be able to figure out what is causing this.
  • Scooby
    Scooby Member Posts: 178
    Does the vendor show as "udhcp1.22.1", as in @Joedavis44's post? Have you tried completely turning off your QNAP NAS and seeing what happens?
  • Joedavis44
    Joedavis44 Member Posts: 26
    Yes, the NAS has been turned off for a week and new devices keep appearing.
  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    In my case - yes, that is how the vendor shows. I have not powered off the server. I may try that, but Joe Davis would seem to indicate that is unlikely to help.
  • Joedavis44
    Joedavis44 Member Posts: 26
    Scooby,  I don't know what the term "local MAC address" means.  Can you please explain?
  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    There is a roughly 20 minute cycle to these appearances, with many gaps. The MAC never seems to repeat. Screen shot of the last day attached:
  • Scooby
    Scooby Member Posts: 178
    edited February 12, 2020 #11
    @Joedavis44, my apologies for not replying sooner. In another post, I learned from @OrangeBucket that MAC addresses can either be universally administrated addresses (UAA) or locally administrated addresses (LAA). From Wikipedia, "A locally administered address is assigned to a device by a network administrator, overriding the burned-in address."
    ref: https://en.wikipedia.org/wiki/MAC_address

    Further researching, I learned that LAA MAC addresses will start with "X2", "X6", "XA", and "XE", where the "X" can represent any hexadecimal number.
    ref: https://honeywellaidc.force.com/supportppr/s/article/Locally-Administered-MAC-addresses

    As I'm sure you're aware, the first three octets of a UAA MAC address identify the organization/manufacturer. However, if it is a LAA MAC address, it will not point to any manufacturer. If you try to turn the "universal" bit on, and the "local" bit off, it might help to find the UAA MAC from the LAA MAC. (My router does that when I turn my "guest network" on. It creates a "local" MAC by switching those bits from the "universal" MAC.) However, the MAC addresses posted seem random - no pattern, and switching the bits doesn't yield any UAAs.

    If you look at @ChrisByrnes post, above, and two of your posts, from your original question/discussion, you may notice that all of the MAC addresses are "local" ones. They all start with either "X2", "X6", "XA", or "XE". Something is creating them. If you were running a VM server on your NAS, or possibly a VPN server, that might explain the random MACs. But, that doesn't seem to be the case. And, as you turned your NAS off, makes the NAS unlikely. Still trying to find an answer to "What is creating or causing this issue?"

    Both of you may want to look at this issue. It was with a Windows 10 device, that was updated to 1909, and had the Fing Desktop Beta app installed, but later removed. It seems a Fing service was not removed. Either of you had/done that?
    https://community.fing.com/discussion/3106/windows-10-v1909-mac-randomization-on-boot

    What's interesting, too, is how "udhcp1.22.1" shows up for the MACs.
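
The local-address check and the bit flip described in the post above, as an added example that is not part of the original thread. The function names are illustrative, and every sample alert line except the first MAC (taken from the opening post) is constructed.

```python
import re

MAC_RE = re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b")

def parse_mac(text):
    """Return the six octets of a colon-separated MAC as ints."""
    if not MAC_RE.fullmatch(text):
        raise ValueError(f"not a MAC address: {text!r}")
    return [int(part, 16) for part in text.split(":")]

def classify(mac):
    """Read the two low bits of the first octet."""
    first = parse_mac(mac)[0]
    return {
        "local": bool(first & 0x02),      # U/L bit: 1 = locally administered
        "multicast": bool(first & 0x01),  # I/G bit: 1 = group address
    }

def digit_rule(mac):
    """The thread's rule of thumb: second hex digit is 2, 6, A or E."""
    parse_mac(mac)  # validate before indexing
    return mac[1].upper() in "26AE"

def universal_candidate(mac):
    """Clear the U/L bit to get the address an OUI lookup could match."""
    octets = parse_mac(mac)
    octets[0] &= 0xFD
    return ":".join(f"{o:02X}" for o in octets)

def summarize(alert_lines):
    """Distinct MACs seen in alert text, and which are local unicast."""
    seen = {m.upper() for line in alert_lines for m in MAC_RE.findall(line)}
    local = sorted(m for m in seen
                   if classify(m) == {"local": True, "multicast": False})
    return {"distinct": len(seen), "local_unicast": local}

# Constructed sample alerts; only the first MAC appears in the thread.
SAMPLE_ALERTS = [
    "42:44:9F:A8:C1:6D joined the network for the first time",
    "42:44:9F:A8:C1:6D left the network",
    "9E:01:22:33:44:55 joined the network for the first time",
    "00:11:22:33:44:55 joined the network for the first time",
]

if __name__ == "__main__":
    print(summarize(SAMPLE_ALERTS))
    print(universal_candidate("42:44:9F:A8:C1:6D"))
```

The "X2/X6/XA/XE" rule is the bit test restricted to unicast addresses: second digits 3, 7, B and F also have the local bit set but are group addresses.
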
  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    In my case I did have two Linux VMs in place - booted but not with any active requests. I do have a VM for WIN10 but it was suspended and never with any Fing app installed. I have stopped the Linux machines and verified the Win10 as inactive. I will let you know if that somehow fixes this.
  • ChrisByrnes
    ChrisByrnes Member Posts: 9
    WAIT! I just realized that this stopped happening last night (Monday 2/10) at 9:38PM Pacific time (my time zone). That is before I took any action. Just like last year - it comes, persists for a week or two and then vanishes into the night. Any guesses?
  • Albert
    Albert Member Posts: 97
    Scooby.... @Scooby . Thanks for that post on local MAC addresses. I was not aware that these existed. Yet another example on how useful this forum is, thanks to you and the others.