1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.
Dismiss Notice

Welcome To SNBForums

SNBForums is a community for anyone who wants to learn about or discuss the latest in wireless routers, network storage and the ins and outs of building and maintaining a small network.

If you'd like to post a question, simply register and have at it!

While you're at it, please check out SmallNetBuilder for product reviews and our famous Router Charts, Ranker and plenty more!

Someone MAC spoof and access my Network? Double ARP with diff IP Range

Discussion in 'General Wireless Discussion' started by Kusuri, Dec 24, 2017.

  1. Kusuri

    Kusuri Occasional Visitor

    May 30, 2012
    So I'm currently troubleshooting my ISP's proprietary router (which I believe is built around a Cisco ME 4600, I found that the CLI commands are similar) due to a problem with the 2.4GHz signal, which stops responding after a few days.

    After trying everything (different channels, SSIDs etc) I'm now trying to use WPA/WPA2 TKIP + AES instead of simply WPA2 + AES. It is only temporary (I refuse to accept less security as a "solution"), so I could at least report it's a bug (if that's the case and not just a HW fault of my unit), but I'm still paranoid so I've been regularly checking the ARP table.

    Today I've noticed an oddity in that same ARP table:
    While all devices were in the 192.168.1.x/24 IP range given by the router's DHCP there was one in 10.x.x.x/8 range.
    The device in question was also sharing the exact same MAC address of another device that already had its proper 192.168.1.x LAN IP.

    Could the 10.x.x.x had been a different device spoofing the other's MAC address or was this just possible normal behavior? Had never seen it happen before, at least not before I made the security change, be it coincidence or not (then again I wasn't paying so much attention to the ARP table before)...

    EDIT: Through some searches I was actually able to find some possible clarification to this, saying that it's related to Android and Mobile Data connection. Is that right? The device in question still has Mobile Data enabled, but the 10.x.x.x IP hasn't re-appeared.
    Last edited: Dec 24, 2017