The pfSense Store

Author Topic: MAC address 00:ab:00:00:00:00?  (Read 2732 times)

0 Members and 1 Guest are viewing this topic.

Offline yottabyte

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-0
    • View Profile
MAC address 00:ab:00:00:00:00?
« on: April 07, 2012, 08:41:38 am »
I noticed something screwy happening with my pfSense late at night and after some mucking around I found this in my DHCP leases:

IP address       MAC address             Hostname     Start                               End                               Online     Lease Type
192.168.2.6     00:ab:00:00:00:00                           2012/04/03 03:07:33     1969/12/31 17:00:00     offline     active

I tried looking this up in System Logs but the GUI only lets me see maximum 2000 entries, and it seems that the DHCP portion was wiped after I rebooted the system.  I have accounted for all the DHCP leases, except for this one, and as you can see it is quite unusual.

Can this mean that someone cracked my WPA2 encryption and is using my WIFI with this spoofed MAC address?

Offline cmb

  • Administrator
  • Hero Member
  • *****
  • Posts: 6333
  • Karma: +0/-0
    • LinkedIn
    • Twitter
    • View Profile
    • Chris Buechler
Re: MAC address 00:ab:00:00:00:00?
« Reply #1 on: April 07, 2012, 03:17:01 pm »
It could mean anything, no telling based on that description. Definitely a screwy MAC address but there are numerous possible reasons for that. Unlikely anyone cracked your WPA2 unless you're using a key like "password". That host show up in your ARP table?

Offline urbangear

  • Newbie
  • *
  • Posts: 11
  • Karma: +0/-0
    • View Profile
Re: MAC address 00:ab:00:00:00:00?
« Reply #2 on: May 08, 2012, 06:47:54 am »
i noticed it too

IP address           MAC address      Hostname   Start                            End                           Online   Lease Type
192.168.1.103    00:ab:00:00:00:00                2012/04/24 16:27:13    1970/01/01 08:00:00    offline    active



Offline jimp

  • Administrator
  • Hero Member
  • *****
  • Posts: 14998
  • Karma: +4/-0
    • View Profile
Re: MAC address 00:ab:00:00:00:00?
« Reply #3 on: May 08, 2012, 02:59:54 pm »
Might be interesting to see the contents of /var/dhcpd/var/db/dhcpd.leases and, if you can catch it, the DHCP logs from that request.
Need help fast? Commercial Support!

Co-Author of pfSense: The Definitive Guide. - Check the Doc Wiki for FAQs.

Do not PM for help!

Offline tzlwin

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: MAC address 00:ab:00:00:00:00?
« Reply #4 on: July 29, 2012, 11:26:19 am »
I have the same problem here. Status -DHCP lease

172.18.10.200    00:ab:00:00:00:00     2012/07/27 09:28:26    1970/01/01 06:30:00

It seems like never expired dhcp lease.

Offline tzlwin

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
    • View Profile
Re: MAC address 00:ab:00:00:00:00?
« Reply #5 on: July 29, 2012, 11:37:59 am »
I set this MAC to static IP and block this IP from accessing anything at Firewall Rules.
I can't even manually delete this DHCP lease. What a strange?  :o