Unknown wired MAC address getting DHCP lease

Hi, I have a case where an unknown MAC address is getting a lease on my network. It is a wired connection because it comes from a VLAN / address range that is only configured for wired connections.

Running

brctl showmacs br-lan

does not show this address; the same is true if I look at the MAC tables of the additional switch connected to the router.

Any idea what this might be? I have excluded all devices that I have connected to the router or to the switch.
What is strange is that this MAC address appeared a few days ago and keeps renewing the lease despite it not being possible to find it in the MAC tables or to ping it.

Desktop virtual machine?

Or maybe someone connected to you from outside?)) Check whether by chance you have remote access to the router.

Everything is closed on the outside, nmap confirms that. It may be some virtual device from my NAS, for example, but I cannot locate it. Plus, it is strange that it gets a DHCP address but then is flushed out of the ARP table. It would be great to have the possibility to capture which physical port the DHCP request comes from.

I've seen similar things, even with some of my wired devices. A VM could do this, as could some other operating systems which may do MAC address randomization even on ethernet interfaces.

Since you know it must be wired, you could start a persistent ping on one device and then unplug the others one at a time until the pings fail. Or, just block at MAC/IP address and see what breaks.


Thanks, that's what I did for the moment - blocked that MAC on the firewall. So far everything works... The lease should renew in ~5 hours, will see.

Ping itself does not give an answer so either a device is on only from time to time or does not respond to ping.

Try arping, not ping.


Check your phones and tablets, especially those from Apple. They are notorious for randomizing MAC addresses, which is often set by default.

The OP indicated that the device is wired, so it's unlikely to be a phone or tablet (unless they have an ethernet adapter for said devices). But, it still could be a laptop/desktop PC with the same randomized MAC strategy via ethernet.


If there are (additional-) AP(s) involved, any wireless system might show up as wired on the DHCPd. So that's not really conclusive, unless you power off all APs but the router/ dhcpd itself.


As @psherman has correctly underlined, I am sure this is a wired connection because all wifi interfaces are bound to a different VLAN and a different address range.
For those who are curious, and also for those helping me with ideas (thanks!), an update:
After blocking the MAC address (drop on the firewall), the DHCP lease did not renew.
It is, however, quite obvious that the device is still trying.
It cannot be a MAC address of a device I consciously use, because all those have static assignments; this includes VMs and intelligent switches.
If I happen to find what it is before the thread is closed for no activity, I will post it here.
Thanks to everybody for hints, especially to those who did read the case carefully :slight_smile:
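
Added example, not part of the thread and not from any poster: a way to automate the two checks discussed above, namely whether each DHCP lease's MAC appears in the bridge MAC table (and on which port), and whether the MAC has the locally-administered bit set, as randomized addresses do. It assumes a dnsmasq-style lease file and `brctl showmacs br-lan` output saved as text; the sample data and the function names are constructed for illustration.

```python
import re

# Constructed sample data (not from the thread). Lease lines follow the
# dnsmasq lease-file layout: expiry, MAC, IP, hostname, client-id.
LEASES = """\
1700000000 3c:52:82:aa:bb:01 192.168.10.20 nas 01:3c:52:82:aa:bb:01
1700000300 a6:91:0f:12:34:56 192.168.10.77 * 01:a6:91:0f:12:34:56
1700000600 00:1b:21:cc:dd:02 192.168.10.30 desktop *
"""
# Constructed `brctl showmacs br-lan` output.
SHOWMACS = """\
port no\tmac addr\t\tis local?\tageing timer
  1\t3c:52:82:aa:bb:01\tno\t\t   0.53
  2\t00:1b:21:cc:dd:02\tno\t\t  12.10
  1\t00:11:22:33:44:55\tyes\t\t   0.00
"""

MAC_RE = re.compile(r"^(?:[0-9a-f]{2}:){5}[0-9a-f]{2}$")

def is_locally_administered(mac):
    """True when the U/L bit (0x02 of the first octet) is set, which is the
    case for randomized addresses."""
    return bool(int(mac.split(":")[0], 16) & 0x02)

def parse_fdb(text):
    """Map MAC -> bridge port number for learned (non-local) entries."""
    fdb = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 3 and MAC_RE.match(f[1].lower()) and f[2] == "no":
            fdb[f[1].lower()] = int(f[0])
    return fdb

def audit(leases_text, showmacs_text):
    """One record per lease: MAC, IP, bridge port (None if the bridge has not
    learned the MAC), and whether the MAC is locally administered."""
    fdb = parse_fdb(showmacs_text)
    out = []
    for line in leases_text.splitlines():
        f = line.split()
        if len(f) < 3 or not MAC_RE.match(f[1].lower()):
            continue  # skip malformed or non-lease lines
        mac = f[1].lower()
        out.append({"mac": mac, "ip": f[2], "port": fdb.get(mac),
                    "local_admin": is_locally_administered(mac)})
    return out

if __name__ == "__main__":
    for r in audit(LEASES, SHOWMACS):
        where = "NOT IN FDB" if r["port"] is None else f"port {r['port']}"
        print(r["mac"], r["ip"], where, "local-admin" if r["local_admin"] else "global")
```

Bridge entries age out quickly, so the MAC table snapshot is most useful when taken right after the lease is granted or renewed.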