Unknown MAC Address in logs

jtiz

Occasional Visitor
Block it and wait for the squeals.
See original post… i already tried blocking the mysterious MAC address via “wireless MAC filter” reject list, and when I applied the changes, both bands of WiFi went completely down. No wireless devices were able to connect until I reversed this filter. I had to plug directly into the router via LAN Ethernet to disable the filter and get WiFi working again for everyone.
 

BobD

Regular Contributor
See original post… i already tried blocking the mysterious MAC address via “wireless MAC filter” reject list, and when I applied the changes, both bands of WiFi went completely down. No wireless devices were able to connect until I reversed this filter. I had to plug directly into the router via LAN Ethernet to disable the filter and get WiFi working again for everyone.
go to Network Map > Client Status and click on the image associated with the offending device. Then block the internet for that device. If it is an intruder there for the internet then they might go away.
I looked at the wireless filter and couldn't work out if it is a whitelist or a blacklist. I assume a blacklist but ASUS don't say unless it's in the manual.
 

jtiz

Occasional Visitor
go to Network Map > Client Status and click on the image associated with the offending device. Then block the internet for that device. If it is an intruder there for the internet then they might go away.
I looked at the wireless filter and couldn't work out if it is a whitelist or a blacklist. I assume a blacklist but ASUS don't say unless it's in the manual.
Once you select "enable wireless MAC filter", you can select whether you'd like to create an "accept" or "reject" list. I created a reject list and added this MAC address, but lost wifi to all devices.

As far as checking Network Map > Client Status (or Network Map > Client List), this MAC address doesn't show up under either because it doesn't have an associated IP.
 

ozzieg

New Around Here
What devices are wired into your network, which may provide networking functions, like access points or repeaters ?
It sounds like there may be another access point or old router, connected by Ethernet, which is reverting to 802.11b to support older clients based on configuration, not necessarily based on active ‘b’ clients. Perhaps your device connects to that radio so when you disable its MAC, you get dropped.
 

Skiron

Occasional Visitor
I just looked at my mac address list of my devices and out of 25 odd only one starts with D4: - it is my daughter-in- laws Android Huawei Y6 phone (my Y7 is totally different). You haven't got an old one lying around anywhere?
 

unsynaps

Senior Member
The quick synopsis is look at the second character in a MAC address, if it is a 2, 6, A, or E it is a randomized address.

I'm a bit of an ass and have this in my dnsmasq.cfg.add file.

Code:
# random MAC
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignore
 

jtiz

Occasional Visitor
The quick synopsis is look at the second character in a MAC address, if it is a 2, 6, A, or E it is a randomized address.

I'm a bit of an ass and have this in my dnsmasq.cfg.add file.

Code:
# random MAC
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignore
Second character in this mysterious MAC address is a 4.
 

Martinski

Regular Contributor
...
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)

In my Wireless Log, I also see the same MAC address always listed under 2.4ghz, but it has no IP, Tx/Rx rate, connection time, etc. Under Streams, it does show 3(b), but i have no devices that'd fit this description.
I'm curious. What's the output of the following command typed in a terminal window (e.g. SSH session)?

Code:
cat /proc/net/arp | grep -i "D4:A6:51"
 

Ranger802004

Regular Contributor
In my General Log, I see many reported events of an unknown MAC address being authorized and deauthorized every few seconds:

Mar 2 21:09:26 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)

In my Wireless Log, I also see the same MAC address always listed under 2.4ghz, but it has no IP, Tx/Rx rate, connection time, etc. Under Streams, it does show 3(b), but i have no devices that'd fit this description. It says manufacturer is Tuya Smart, but once again, no devices that could fit that description that are unaccounted for.

I've already tried removing smart home devices one by one and it remains once everything else is disconnected. Also, when I reboot or reset my router, it shows up immediately - before most other clients re-appear.

I even tried creating a Wireless MAC filter to reject this one MAC address, but when I did that, I lost wifi connectivity to ALL of my wifi devices (on 5ghz and 2.4ghz). I needed to plug my laptop into LAN via ethernet to re-access the internet and router GUI, and revert that wireless MAC filter.

Therefore, I THINK that this MAC address may not be a device/client on my network, but may have something to do with the router's 2.4ghz antenna (since it shows 3 stream in wireless log, which matches the 2.4ghz radio stream capacity).

However, not sure if this is accurate/possible, and no idea how to get rid of this unknown MAC address from my wireless log and general log.

If i change general log level to "warning" the logs disappear, but the MAC address ALWAYS remains under wireless log.

Please help me get rid of this!

Asus AX86U running the latest version of Asuswrt-Merlin firmware. However, this issue has persisted through multiple versions of firmware.

Thanks in advance!
Start looking at their site and look at what they make.

 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top