Solved Strange DHCP source and MAC addresses showing 14 pairs

[Jojo]

The most unfortunate thing is that this unsolicited request is accepted by the firewall due to history of many "broken" DHCP servers at ISPs. Even though you're not running Merlin firmware, the code is probably the same in stock ASUS:

asuswrt-merlin.ng/release/src/router/rc/firewall.c at 5b063cb58066ffa9099bc4c1dd2b5a7d7d303760 · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

/* enable incoming packets from broken dhcp servers, which are sending replies
 * from addresses other than used for query, this could lead to lower level
 * of security, but it does not work otherwise (conntrack does not work) :-(
 */
switch (wan_proto) {
default:
        if (!(nvram_get_int(strcat_r(prefix, "dhcpenable_x", tmp)) || inet_addr_(wan_ip) == INADDR_ANY))
                break;
        /* fall-through */
case WAN_DHCP:
        fprintf(fp, "-A INPUT -p udp --sport 67 --dport 68 -j %s\n", logaccept);
        break;

yes that seems to describe the problem possibility quite well.

 

[Jojo]

Sorry .... it was a joke !!!

I obviously missed you with it !!!

I do tend to be helpful ... Honest !!!

No worries!

 

[ColinTaylor]

Yes, is strange since occasionally my routers GW IP (CORRECTION very similar to my GW IP) will also show as doing dhcp at the same time as the other IP transaction shows up. This is a brand new router, is there a problem with ASUS security and their firewall? I do not know how it could have been compromised to be honest except when it first got a public ip from the ISP. But what are the odds? Will flashing back to factory settings help? This has been done a couple times so I would have thought it would have been corrected but still exists. EDITED: I suppose this doesn't help to flash if it will just rehappen through the ISP?

There is nothing wrong with your router, it has not been compromised. This is normal behaviour for Asus routers with certain ISP's. My advice: turn off firewall logging and stop fretting over nothing.

 

[Jojo]

The most unfortunate thing is that this unsolicited request is accepted by the firewall due to history of many "broken" DHCP servers at ISPs. Even though you're not running Merlin firmware, the code is probably the same in stock ASUS:

asuswrt-merlin.ng/release/src/router/rc/firewall.c at 5b063cb58066ffa9099bc4c1dd2b5a7d7d303760 · RMerl/asuswrt-merlin.ng

Third party firmware for Asus routers (newer codebase) - RMerl/asuswrt-merlin.ng

github.com

/* enable incoming packets from broken dhcp servers, which are sending replies
 * from addresses other than used for query, this could lead to lower level
 * of security, but it does not work otherwise (conntrack does not work) :-(
 */
switch (wan_proto) {
default:
        if (!(nvram_get_int(strcat_r(prefix, "dhcpenable_x", tmp)) || inet_addr_(wan_ip) == INADDR_ANY))
                break;
        /* fall-through */
case WAN_DHCP:
        fprintf(fp, "-A INPUT -p udp --sport 67 --dport 68 -j %s\n", logaccept);
        break;

Unfortunately there doesn't seem to be a solution if the firewall is going to let it in.

 

[Jojo]

Thanks everyone for your help, input and advice! I know you are all busy people so thanks for taking the time to share your expertise! It is greatly appreciated!