Asus RT-AC68u block clients from connecting to network

[margentieri]

Hey guys, I have an interesting and very strange problem, and I am hoping someone here might be able to help (and if anyone can explain how this is even POSSIBLE, that'd be cool, although unnecessary).

TLDR version: I have a rouge MAC address on my network, and it is appearing HUNDREDS of times. It appears as a static LAN wired connection (not wireless), and this SINGLE MAC usually has over 240 instances recorded as being connected. The IP associated with this MAC seems to change at random, and sometimes even takes the IP of devices that have reserved IP's. This is preventing some legitimate network devices from being able to connect to the network. I need to BLOCK this MAC from even CONNECTING to my network in the first place; simply preventing the MAC address in question from accessing other devices on my LAN or from accessing the internet is not enough (i.e. I don't want to even see it on my network map of connected devices, I want the connection completely dropped before it can access my LAN).


First, let me begin by explaining my router setup, which is a bit unique. My ISP is Verizon FiOS, and I am receiving my internet access via MoCA (as compared to ethernet WAN, which I can't currently utilize since my house isn't wired with ethernet). I don't really want to use their router, but I have to utilize it as a WAN MoCA bridge, and since I want my Asus router to be "first", I have configured the FiOS router to function as a WAN MoCA bridge.

Here are details on how I have the FiOS and Asus routers configured:
See option 5, "double bridge": https://www.dslreports.com/faq/verizonfios/3.0_Networking
Direct link to FiOS router config: https://www.dslreports.com/forum/r27666920-How-to-Make-Actiontec-MI424WR-Revision-I-Rev-I-a-Network

In order to provide internet access to my STB's and a desktop PC that is connected via a LAN MoCA connection, as the above link explains, I have one of the LAN ports of my Asus connecting back into one of the LAN ports of the FiOS router ("pass-back" connection). This is where the problem arises.

I have had this setup for over a year, and there has been no problem. Starting about a month ago, when I have this "pass-back" connection hooked up, the rouge MAC appears. When I disconnect the pass-back (but leave everything else intact, meaning wireless works fine, but the STB's and other LAN MoCA clients are now offline), the rouge MAC disappears. I did a bit of research on the MAC address, and it appears like a Juniper Networks device (i.e. most likely something industrial). Additionally, if I leave the pass-back connection in place, but disconnect the coax connection coming into my house, the rouge MAC disappears again.

This tells me that somehow, a device EXTERNAL to my network is accessing my LAN, and is somehow appearing as a LOCAL WIRED device.

I have tried MAC filtering in parental controls, but that is only (I hope) blocking that device from communicating back out to the internet. I also tried a few iptables rules, but none had the desired effect.

Any ideas on how I can block this MAC from even connecting to my network at all? I'm thinking it would most likely involve an iptables rule that I just haven't been able to think of.

Also, if anyone has any idea, I'd be interested to learn how 1 MAC address can connect multiple times (I thought this wasn't possible?), and how a device external to my network can appear as a local wired device.

 

[pete y testing]

This is where the problem arises.

i will say this is a very strange setup but as i read it you cant connect anything to the Switch ports on Actiontec not available as LAN ports.

In order to provide internet access to my STB's and a desktop PC

so your desktop pc needs to be connected to 68u and not the FiOS router

see

CON:

•Moderate difficulty to setup.

•Unsupported by VZ. May require a HARD reset of the Actiontec to restore to factory defaults.

•Not all configuration information saved to config file. Some bridging information lost on a power fail.

•Switch ports on Actiontec not available as LAN ports.

•Does not support remote access to DVR or on-screen caller id (see note #3 above).

----------------------

so move the desktop to the 68u and see how it goes then as the info above suggests the way you have it connected is incorrect and will be causing the issue

 

[margentieri]

A few things Pete:

1) The only cable plugged into a LAN port of the Actiontec is the pass-back connection from the Asus, i.e. it is supplying an internet connection TO the Actiontec, not getting one from it. This step is REQUIRED in order to provide a LAN MoCA signal to the TV STB's. See the following steps:

"20. Plug the cable from Actiontec LAN Port 1 to your Routers WAN Port. Your router should be getting a WAN IP from Verizon. Test to make sure your WAN is established and that you can connect onto the internet, browse pages. Run a speed test to make sure everything is peachy.

*NOTE*: If your router did not get a WAN IP, you have a problem. I would recommend trying to re-trace your steps to see if you missed anything or just start all over and hard reset. :\

21. If everything worked out fine, connect a cable from your Router’s LAN Port 4 to the Actiontec LAN port 4."

2) I have had this setup for well over a year, and there has been no issue until now.

3) My current setup is STILL doing what I want, with the exception of this rouge MAC.

your desktop pc needs to be connected to 68u and not the FiOS router

so move the desktop to the 68u and see how it goes then as the info above suggests the way you have it connected is incorrect and will be causing the issue

4) My router and desktop are not and cannot be in the same room

5) My desktop is not connected to the FiOS router (at least not directly). My Asus router is directly connected to the Actiontec in 1 room, and my desktop is connected to a LAN MoCA bridge in another room. That bridge is a separate device entirely; it is not the Actiontec.

6) Your solution would not address the fact that the TV STB's HAVE TO be connected via coax (aka MoCA).

7) If my setup was incorrect, I would simply not have a network connection for the MoCA devices, but they do. Regardless, nothing about connecting my desktop to the Actiontec (which it is not) would explain how a rouge MAC address originating from outside my LAN, is connecting to my LAN.

The solution I need is how to block that MAC address, not what to change in my physical setup, as there is nothing wrong with that setup, and such a setup is required to meet my needs.

 

[ColinTaylor]

TLDR version: I have a rouge MAC address on my network, and it is appearing HUNDREDS of times. It appears as a static LAN wired connection (not wireless), and this SINGLE MAC usually has over 240 instances recorded as being connected.

Where is it appearing? What are these instances and where are they recorded? Can you provide a screen shot?

The IP associated with this MAC seems to change at random, and sometimes even takes the IP of devices that have reserved IP's. This is preventing some legitimate network devices from being able to connect to the network. I need to BLOCK this MAC from even CONNECTING to my network in the first place; simply preventing the MAC address in question from accessing other devices on my LAN or from accessing the internet is not enough (i.e. I don't want to even see it on my network map of connected devices, I want the connection completely dropped before it can access my LAN).

I don't claim to understand how MoCA works but it seems likely that this is the MAC address of either one of the Actiontec interfaces or possibly the ONT. MAC addresses don't travel outside their physical network segment so it must be something directly connected to your local network.

With the way you have your routers connected in a loop I'm not surprised you're seeing multiple IP's from the same MAC address. You might be seeing traffic from other Verizon customers connected to the same network segment as you. I suspect that if you do manage to block that MAC address you will find that nothing works.

 

[margentieri]

Where is it appearing? What are these instances and where are they recorded? Can you provide a screen shot?

It appears on the Network Map screen on the Client Status section (the icon to the left of the external storage section/button). I see all my devices plus that 1 rouge MAC, the rouge MAC having 240+ connections listed there. I attached a screenshot.

I don't claim to understand how MoCA works but it seems likely that this is the MAC address of either one of the Actiontec interfaces or possibly the ONT. MAC addresses don't travel outside their physical network segment so it must be something directly connected to your local network.

I hadn't considered the ONT, but I have confirmed that the MAC does not belong to the Actiontec or to the LAN MoCA bridge. It would be strange though that I would suddenly be seeing my ONT's MAC out of the blue after having no issues for months. Regardless, I have ruled out everything INSIDE from the ONT as being a possible offender. The rouge MAC is definitely coming from the ONT or beyond.

With the way you have your routers connected in a loop I'm not surprised you're seeing multiple IP's from the same MAC address. You might be seeing traffic from other Verizon customers connected to the same network segment as you.

I considered that it might be other customers on my local network segment, but I have channel privacy turned on (and that is also the default for all FiOS Actiontecs), so I ruled that out (unless this setting really isn't that effective at keeping that kind of traffic out? I know it's not a firewall, just a system to prevent cross talk). As for the pass-back connection causing loops, I have STP activated on the bridge I created on the Actiontec, which to my knowledge should (and has so far) prevent such loops.

I suspect that if you do manage to block that MAC address you will find that nothing works.

I would love the chance to find out if that is true or not. Right now, I just want to find a way to block this device from connecting to my network, which I know is possible on commercial devices through techniques such as Null Routing (aka Black Hole Routing), but idk how I would implement this on my device, or even if a null routing technique could be utilized against a specific MAC address.

Idk, this whole damn thing confuses the hell out of me. I didn't even think this kinda thing was possible!

 

[ColinTaylor]

I don't know enough about these devices to offer any meaningful advice. They appear to be layer 2 bridges onto the FiOS network.

Because you are seeing the MAC appear on your LAN it could be difficult to block. You could use iptables to stop it hitting the router but the traffic would still be on the LAN switch. Perhaps you could use ebtables to block it at the switch level.

It doesn't fill me with confidence when the person writing the guide you're following says "I have no idea how or why it works" and "If someone could shed some light as to why or can explain exactly how the Rev. I operates that would be awesome"

I'm sorry but I can't suggest anything further.