
Strange DHCP source and MAC addresses showing 14 pairs

Jojo

Hello, I recently picked up an ASUS RT-BE82U router with AsusWRT v 3.0.0.6.102_39099. After setup without issues, I was watching the system log and noticed traffic which appears strange to me. It appears to be DHCP traffic, based on the ports 67 and 68, and the destination is 255.255.255.255. In addition, there is no OUT= and the first 6 pairs of the MAC address are listed as FF, so it is likely truly a broadcast. The remaining 8 pairs look like valid addressing--only too long for MAC addressing standards.

The first strange thing is the MAC address shown being 14 pairs in length versus the standard 6 pairs. I could find nothing on the internet about MAC addresses that are 14 pairs in length and the source. The second is the source IP being 30.46.144.1. 🤔 I am unable to determine where this is coming from. I was also unable to determine anything with Wireshark captures as actually coming inbound, which made me think it's some source internally within the firmware. This is not my ISP, or at least so they say. When I contacted them, they said everything appears normal and working from their end. Even more odd--on occasion an actual ISP DHCP address, or at least one from their subnets and ending in a .1, also shows with far less frequency going to the same MAC of length 14 pairs that the 30.46.144.1 IP does. This broadcast from 30.46.144.1 is quite frequent and appears static.

My understanding is that we can only pick up DHCP traffic from our ISP and that other non-ISP subnets could not provide it to my router. But as mentioned, this isn't reported as theirs by them when I called them or from web searches I did. When I searched the web for that IP, for what it's worth, info from two different sites reported it as owned by DoD. Perhaps they do or did own it, I don't know. Perhaps the web data about IP ownership is old, which most of it is, but nevertheless, why is it shown in my router?

In any case, so I can understand what's occurring, I am wondering if someone who knows AsusWRT firmware or its derivatives can tell me what exactly are the MAC addresses that are 14 pairs in length and what are they for? Are these ASUS virtual adapters? And also anything about the source of that IP? Is this IP hardcoded somewhere? And if it is DoD owned, why is it in my router?

There are two of the long MAC addresses I see--so far. I list the log transactions below. One is the one I described while there is one other one of 14 pairs. The first shows not going out, which makes sense for a broadcast, but the other is an eth0 out. Here is the first entry, but with my addressing x'd out for anonymization:
kernel: ACCEPT IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:xx:xx:xx:xx:xx:xx:xx SRC=30.46.144.1 DST=255.255.255.255 LEN=352 TOS=0x00 PREC=0x00 TTL=64 ID=0 PROTO=UDP SPT=67 DPT=68 LEN=332 MARK=0x8000000

And here is the second, which was not broadcast traffic and appears outbound. The long MAC is unknown, but the IP outbound traffic appears normal or valid known traffic. In question is just the source of the long MAC address because my traffic is routing through it:
kernel: ACCEPT IN=br0 OUT=eth0 MAC=xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=<valid internal ip> DST=<valid external ip> LEN=64 TOS=0x00 PREC=0x00 TTL=63 ID=0 DF PROTO=TCP SPT=53170 DPT=443 SEQ=1856759468 ACK=0 WINDOW=0 RES=0x00 CWR ECE SYN URGP=0 OPT (020405B4010303060101080AEDA43EA20000000004020000) MARK=0x1

I thought maybe my cell phone using random private MAC addressing might be triggering this frequent broadcasting, but I disabled that and there was no change.

I also thought maybe the internal DHCP server in the router was these long MAC addresses and they were internally derived virtual interfaces, but disabling DHCP had no effect either. The inbound 30.46.144.1 broadcasts continued. And by the IP range, it isn't a private local address from some random unknown DHCP service in my local LAN because I have none.

Are these simply non-standard MAC addresses internally created by the firmware for the br0 interface? But the 2 long MAC addresses are different. I would think br0 only needed one.

I also called ASUS support, but they said they didn't have that level of information and to submit it within the router software. However, when I went to explore that option they wanted a ton more personal info and also highlighted that doing so would not get an individual response--so what good is that?

Can someone who knows ASUS firmware shed some light on this please?
Thanks!
 
The "MAC" field is the destination MAC address (either broadcast or your router's WAN interface, eth0), followed by the source MAC address (e.g. your cable modem), followed by the EtherType.

This is just normal DHCP noise from your ISP's local network equipment.
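
The layout described in the reply above (6 octets destination MAC, 6 octets source MAC, 2 octets EtherType), as an added example that is not part of the original posts: a small parser for netfilter LOG lines of this shape. The sample line is constructed from the one in the first post, with a documentation-range source MAC and an IPv4 EtherType filled in as assumptions; the function names are hypothetical.

```python
import re

# Names for a few common EtherType values.
ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}

# KEY=value pairs as written by the kernel LOG target; the value may be empty (OUT=).
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")

# Constructed sample: same shape as the log line in the first post, with the
# x'd-out octets replaced by a documentation MAC (00:00:5e:00:53:01) and 08:00.
SAMPLE_DHCP = (
    "kernel: ACCEPT IN=eth0 OUT= "
    "MAC=ff:ff:ff:ff:ff:ff:00:00:5e:00:53:01:08:00 "
    "SRC=30.46.144.1 DST=255.255.255.255 LEN=352 TOS=0x00 PREC=0x00 TTL=64 "
    "ID=0 PROTO=UDP SPT=67 DPT=68 LEN=332 MARK=0x8000000"
)

def split_mac_field(mac_field):
    """Split a 14-octet 'MAC=' value into (dst_mac, src_mac, ethertype)."""
    octets = mac_field.split(":")
    if len(octets) != 14 or not all(
        re.fullmatch(r"[0-9a-fA-F]{2}", o) for o in octets
    ):
        raise ValueError(f"not a 14-octet Ethernet header: {mac_field!r}")
    dst = ":".join(octets[0:6]).lower()     # first 6 pairs: destination
    src = ":".join(octets[6:12]).lower()    # next 6 pairs: source
    ethertype = int(octets[12] + octets[13], 16)  # last 2 pairs: EtherType
    return dst, src, ethertype

def parse_log_line(line):
    """Return the link-layer and DHCP-relevant facts from one LOG line."""
    fields = dict(FIELD_RE.findall(line))
    dst, src, ethertype = split_mac_field(fields["MAC"])
    return {
        "in": fields.get("IN", ""),
        "out": fields.get("OUT", ""),
        "dst_mac": dst,
        "src_mac": src,
        "ethertype": ETHERTYPES.get(ethertype, hex(ethertype)),
        "broadcast": dst == "ff:ff:ff:ff:ff:ff",
        "src_ip": fields.get("SRC"),
        # Server-to-client DHCP: UDP from port 67 to port 68.
        "dhcp_reply": fields.get("PROTO") == "UDP"
        and fields.get("SPT") == "67" and fields.get("DPT") == "68",
    }

if __name__ == "__main__":
    print(parse_log_line(SAMPLE_DHCP))
```

Grouping parsed lines by `src_mac` shows which device on the WAN segment is sending the broadcasts, which is the value to compare against the modem's label or the ISP's equipment.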
 
I found info/explanation of the MAC, which seems source, dest, and type:

 
Thanks for the clarification! So I understand correctly, are you saying 6 pairs destination, 6 pairs source MAC and 2 pairs for indicating EtherType, and they're all scrunched into the 14 pair MAC listed? Got it! Thanks again! Any ideas on the 30.46.144.1?
 
I found info/explanation of the MAC, which seems source, dest, and type:

Awesome! Thanks! Your searches are far better than mine apparently!! Any ideas on the strange IP source?
 
Logging all packets in the firewall will eventually overwhelm the router’s logging capability. No need for it really. It leads to unnecessary anxiety. :)
 
Funny you should mention unnecessary anxiety!! ;) Yeah, I would normally leave off and randomly check, but I decided to watch just incoming for a few days after the install to see if anything weird or unexpected popped up and everything seemed good except those two unknowns I mention and I got stuck on them 🙄
 
