What's new

Unknown MAC Address in logs

  • SNBForums Code of Conduct

    SNBForums is a community for everyone, no matter what their level of experience.

    Please be tolerant and patient of others, especially newcomers. We are all here to share and learn!

    The rules are simple: Be patient, be nice, be helpful or be gone!

Block it and wait for the squeals.
See original post… i already tried blocking the mysterious MAC address via “wireless MAC filter” reject list, and when I applied the changes, both bands of WiFi went completely down. No wireless devices were able to connect until I reversed this filter. I had to plug directly into the router via LAN Ethernet to disable the filter and get WiFi working again for everyone.
 
See original post… i already tried blocking the mysterious MAC address via “wireless MAC filter” reject list, and when I applied the changes, both bands of WiFi went completely down. No wireless devices were able to connect until I reversed this filter. I had to plug directly into the router via LAN Ethernet to disable the filter and get WiFi working again for everyone.
go to Network Map > Client Status and click on the image associated with the offending device. Then block the internet for that device. If it is an intruder there for the internet then they might go away.
I looked at the wireless filter and couldn't work out if it is a whitelist or a blacklist. I assume a blacklist but ASUS don't say unless it's in the manual.
 
go to Network Map > Client Status and click on the image associated with the offending device. Then block the internet for that device. If it is an intruder there for the internet then they might go away.
I looked at the wireless filter and couldn't work out if it is a whitelist or a blacklist. I assume a blacklist but ASUS don't say unless it's in the manual.
Once you select "enable wireless MAC filter", you can select whether you'd like to create an "accept" or "reject" list. I created a reject list and added this MAC address, but lost wifi to all devices.

As far as checking Network Map > Client Status (or Network Map > Client List), this MAC address doesn't show up under either because it doesn't have an associated IP.
 
What devices are wired into your network, which may provide networking functions, like access points or repeaters ?
It sounds like there may be another access point or old router, connected by Ethernet, which is reverting to 802.11b to support older clients based on configuration, not necessarily based on active ‘b’ clients. Perhaps your device connects to that radio so when you disable its MAC, you get dropped.
 
I just looked at my mac address list of my devices and out of 25 odd only one starts with D4: - it is my daughter-in- laws Android Huawei Y6 phone (my Y7 is totally different). You haven't got an old one lying around anywhere?
 
The quick synopsis is look at the second character in a MAC address, if it is a 2, 6, A, or E it is a randomized address.

I'm a bit of an butt and have this in my dnsmasq.cfg.add file.

Code:
# random MAC
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignore
 
The quick synopsis is look at the second character in a MAC address, if it is a 2, 6, A, or E it is a randomized address.

I'm a bit of an butt and have this in my dnsmasq.cfg.add file.

Code:
# random MAC
dhcp-host=02:*:*:*:*:*,ignore
dhcp-host=06:*:*:*:*:*,ignore
dhcp-host=0A:*:*:*:*:*,ignore
dhcp-host=0E:*:*:*:*:*,ignore
dhcp-host=12:*:*:*:*:*,ignore
dhcp-host=16:*:*:*:*:*,ignore
dhcp-host=1A:*:*:*:*:*,ignore
dhcp-host=1E:*:*:*:*:*,ignore
dhcp-host=22:*:*:*:*:*,ignore
dhcp-host=26:*:*:*:*:*,ignore
dhcp-host=2A:*:*:*:*:*,ignore
dhcp-host=2E:*:*:*:*:*,ignore
dhcp-host=32:*:*:*:*:*,ignore
dhcp-host=36:*:*:*:*:*,ignore
dhcp-host=3A:*:*:*:*:*,ignore
dhcp-host=3E:*:*:*:*:*,ignore
dhcp-host=42:*:*:*:*:*,ignore
dhcp-host=46:*:*:*:*:*,ignore
dhcp-host=4A:*:*:*:*:*,ignore
dhcp-host=4E:*:*:*:*:*,ignore
dhcp-host=52:*:*:*:*:*,ignore
dhcp-host=56:*:*:*:*:*,ignore
dhcp-host=5A:*:*:*:*:*,ignore
dhcp-host=5E:*:*:*:*:*,ignore
dhcp-host=62:*:*:*:*:*,ignore
dhcp-host=66:*:*:*:*:*,ignore
dhcp-host=6A:*:*:*:*:*,ignore
dhcp-host=6E:*:*:*:*:*,ignore
dhcp-host=72:*:*:*:*:*,ignore
dhcp-host=76:*:*:*:*:*,ignore
dhcp-host=7A:*:*:*:*:*,ignore
dhcp-host=7E:*:*:*:*:*,ignore
dhcp-host=82:*:*:*:*:*,ignore
dhcp-host=86:*:*:*:*:*,ignore
dhcp-host=8A:*:*:*:*:*,ignore
dhcp-host=8E:*:*:*:*:*,ignore
dhcp-host=92:*:*:*:*:*,ignore
dhcp-host=96:*:*:*:*:*,ignore
dhcp-host=9A:*:*:*:*:*,ignore
dhcp-host=9E:*:*:*:*:*,ignore
dhcp-host=A2:*:*:*:*:*,ignore
dhcp-host=A6:*:*:*:*:*,ignore
dhcp-host=AA:*:*:*:*:*,ignore
dhcp-host=AE:*:*:*:*:*,ignore
dhcp-host=B2:*:*:*:*:*,ignore
dhcp-host=B6:*:*:*:*:*,ignore
dhcp-host=BA:*:*:*:*:*,ignore
dhcp-host=BE:*:*:*:*:*,ignore
dhcp-host=C2:*:*:*:*:*,ignore
dhcp-host=C6:*:*:*:*:*,ignore
dhcp-host=CA:*:*:*:*:*,ignore
dhcp-host=CE:*:*:*:*:*,ignore
dhcp-host=D2:*:*:*:*:*,ignore
dhcp-host=D6:*:*:*:*:*,ignore
dhcp-host=DA:*:*:*:*:*,ignore
dhcp-host=DE:*:*:*:*:*,ignore
dhcp-host=E2:*:*:*:*:*,ignore
dhcp-host=E6:*:*:*:*:*,ignore
dhcp-host=EA:*:*:*:*:*,ignore
dhcp-host=EE:*:*:*:*:*,ignore
dhcp-host=F2:*:*:*:*:*,ignore
dhcp-host=F6:*:*:*:*:*,ignore
dhcp-host=FA:*:*:*:*:*,ignore
dhcp-host=FE:*:*:*:*:*,ignore
Second character in this mysterious MAC address is a 4.
 
...
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)

In my Wireless Log, I also see the same MAC address always listed under 2.4ghz, but it has no IP, Tx/Rx rate, connection time, etc. Under Streams, it does show 3(b), but i have no devices that'd fit this description.
I'm curious. What's the output of the following command typed in a terminal window (e.g. SSH session)?

Code:
cat /proc/net/arp | grep -i "D4:A6:51"
 
In my General Log, I see many reported events of an unknown MAC address being authorized and deauthorized every few seconds:

Mar 2 21:09:26 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)

In my Wireless Log, I also see the same MAC address always listed under 2.4ghz, but it has no IP, Tx/Rx rate, connection time, etc. Under Streams, it does show 3(b), but i have no devices that'd fit this description. It says manufacturer is Tuya Smart, but once again, no devices that could fit that description that are unaccounted for.

I've already tried removing smart home devices one by one and it remains once everything else is disconnected. Also, when I reboot or reset my router, it shows up immediately - before most other clients re-appear.

I even tried creating a Wireless MAC filter to reject this one MAC address, but when I did that, I lost wifi connectivity to ALL of my wifi devices (on 5ghz and 2.4ghz). I needed to plug my laptop into LAN via ethernet to re-access the internet and router GUI, and revert that wireless MAC filter.

Therefore, I THINK that this MAC address may not be a device/client on my network, but may have something to do with the router's 2.4ghz antenna (since it shows 3 stream in wireless log, which matches the 2.4ghz radio stream capacity).

However, not sure if this is accurate/possible, and no idea how to get rid of this unknown MAC address from my wireless log and general log.

If i change general log level to "warning" the logs disappear, but the MAC address ALWAYS remains under wireless log.

Please help me get rid of this!

Asus AX86U running the latest version of Asuswrt-Merlin firmware. However, this issue has persisted through multiple versions of firmware.

Thanks in advance!
Start looking at their site and look at what they make.

 
In my General Log, I see many reported events of an unknown MAC address being authorized and deauthorized every few seconds:

Mar 2 21:09:26 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:28 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:30 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(469): eth6: Deauth_ind D4:A6:51:30:C4:94, status: 0, reason: Unspecified reason (1)
Mar 2 21:09:31 wlceventd: wlceventd_proc_event(505): eth6: Auth D4:A6:51:30:C4:94, status: Successful (0)

In my Wireless Log, I also see the same MAC address always listed under 2.4ghz, but it has no IP, Tx/Rx rate, connection time, etc. Under Streams, it does show 3(b), but i have no devices that'd fit this description. It says manufacturer is Tuya Smart, but once again, no devices that could fit that description that are unaccounted for.

I've already tried removing smart home devices one by one and it remains once everything else is disconnected. Also, when I reboot or reset my router, it shows up immediately - before most other clients re-appear.

I even tried creating a Wireless MAC filter to reject this one MAC address, but when I did that, I lost wifi connectivity to ALL of my wifi devices (on 5ghz and 2.4ghz). I needed to plug my laptop into LAN via ethernet to re-access the internet and router GUI, and revert that wireless MAC filter.

Therefore, I THINK that this MAC address may not be a device/client on my network, but may have something to do with the router's 2.4ghz antenna (since it shows 3 stream in wireless log, which matches the 2.4ghz radio stream capacity).

However, not sure if this is accurate/possible, and no idea how to get rid of this unknown MAC address from my wireless log and general log.

If i change general log level to "warning" the logs disappear, but the MAC address ALWAYS remains under wireless log.

Please help me get rid of this!

Asus AX86U running the latest version of Asuswrt-Merlin firmware. However, this issue has persisted through multiple versions of firmware.

Thanks in advance!
Hi jitiz,

I am facing the exact same problem. Did you figure out yours?

My router is AX88U running latest Merlin 386.8 firmware.

Leon
 
I also get this, also a Tuya Smart device. When blocking it by Mac address about a week ago of course the spam stopped. However looking my in router log just now I see a new Mac address started to do the exact same thing on August 20th, all night long. This device also belongs to Tuya Smart.

It is not one of my devices. I do have a connected Tuya Smart device which seems to be integrated in my Blaupunkt vacuum cleaner so that's fine. I've had it for years as well so that's not the culprit for sure. Probably some neighbor that added IoT devices, but to me it does not explain the 'spam' connect to a WiFi network. Why would it automatically try to authenticate over and over?
 

Similar threads

Latest threads

Sign Up For SNBForums Daily Digest

Get an update of what's new every day delivered to your mailbox. Sign up here!
Top