A Mystery

We all love a mystery. Here is mine.

Until it died yesterday I used to use OPNsense as my gateway to the internet. It also provided a guest wifi network, VLANed without any access to my internal network. I found an unknown device being allocated an IP address on that guest network and blocked it within the DHCP server in OPNsense. I could see 24/7 every 15 minutes its attempt to obtain an IP address.

When the OPNsense box died I switched to using my ISP's router and the guest network was history. Within minutes the mystery device (with Intel MAC address) had requested an IP address from my pihole. It tried to register the hostname of an existing but offline pc. It did not appear to use my pihole's DNS. To block it I have created a group, assigned no adlists to it, added a single RegEx filter .\.. and assigned that to the group. I then created a client with its MAC address and assigned it to the blocking group.

In DHCP I have assigned it an unroutable address outside my network and deleted the DHCP allocation. I now await the DHCP allocation to expire. Yes, I have walked round 2 buildings examining every power socket looking for something I have forgotten about. All 21 devices on my network are accounted for and I have no USB wifi adapters hidden behind any PCs.

Is there anything else I can do?

Are you running any software that might create a macvlan?

No. I am allergic to Macs.

The Mac hardware and software (i.e. Apple) is quite different from software that creates virtual LANs (i.e. macvlan).


What were the criteria which determined whether a device was on the internal network or the guest network?

Depending on the answer to the previous question, am I right to say this would seem to suggest it must be either:

  • a wired device which was previously on the guest network by virtue of not being part of whatever OPNsense rules gave access to the internal network for authorised clients, and which is now simply "on the network". Or...
  • a wireless device which was previously on the dedicated guest wifi network SSID but which has previously been on (and remembered) this ISP router wifi SSID, and so is now still able to connect.

Do you have any other Intel MAC addresses on your network? Perhaps one of those is presenting as two interfaces for some reason related to how it works.

The nuclear option is to schedule downtime and take all devices offline except for the router, a client and Pi-hole, and use Settings > Flush network table to remove the existing table, and then review Tools > Network to confirm that it is not present.

If it is still present then at least you can start to track it down. Disable wifi (assuming Pi-hole is wired) and go from there. If it's wired then it must be physically findable in your two buildings.

If you're running Linux then you may find the package iptraf-ng useful. It can monitor traffic in promiscuous mode on the wired Ethernet on a Raspberry Pi.

If you're running Windows there are a load of useful free tools – in particular network monitoring tools – at https://www.nirsoft.net
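A way to do the "is it still present?" check from the DHCP log rather than by eye, as an added example that is not from this thread or from the Pi-hole project: it parses dnsmasq-style DHCP lines (the format Pi-hole's embedded DHCP server logs), flags any MAC not in a hypothetical inventory of known devices, any MAC that claims a hostname the inventory assigns to a different MAC, and any MAC that keeps re-sending DHCPDISCOVER. The log lines, MACs, hostnames and inventory are all constructed.

```python
import re
from collections import defaultdict

# Constructed dnsmasq-style DHCP log lines; every MAC, name and address is made up.
SAMPLE_LOG = """\
Mar  3 10:00:01 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) b8:27:eb:11:22:33
Mar  3 10:00:01 dnsmasq-dhcp[1234]: DHCPACK(eth0) 192.168.1.20 b8:27:eb:11:22:33 printer
Mar  3 10:00:05 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 3c:97:0e:aa:bb:cc
Mar  3 10:00:05 dnsmasq-dhcp[1234]: DHCPREQUEST(eth0) 192.168.1.50 3c:97:0e:aa:bb:cc
Mar  3 10:00:05 dnsmasq-dhcp[1234]: DHCPACK(eth0) 192.168.1.50 3c:97:0e:aa:bb:cc office-pc
Mar  3 10:15:05 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 3c:97:0e:aa:bb:cc
Mar  3 10:30:05 dnsmasq-dhcp[1234]: DHCPDISCOVER(eth0) 3c:97:0e:aa:bb:cc
"""

# Hypothetical inventory of the devices you actually own: hostname -> MAC.
KNOWN = {"printer": "b8:27:eb:11:22:33", "office-pc": "00:1b:21:44:55:66"}

# One dnsmasq DHCP line: message type, optional IP, MAC, optional hostname.
LINE = re.compile(
    r"(?P<ts>\w+\s+\d+ \d\d:\d\d:\d\d) .*?(?P<msg>DHCP\w+)\(\S+\)"
    r"(?: (?P<ip>\d+\.\d+\.\d+\.\d+))? (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: (?P<host>\S+))?$"
)

def audit(log_text, known, repeat_threshold=3):
    """Return sorted (mac, reason) findings for suspicious DHCP clients."""
    discovers = defaultdict(int)   # how often each MAC asked for an address
    names = {}                     # hostname each MAC was ACKed with
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["msg"] == "DHCPDISCOVER":
            discovers[m["mac"]] += 1
        elif m["msg"] == "DHCPACK" and m["host"]:
            names[m["mac"]] = m["host"]
    mac_to_name = {mac: name for name, mac in known.items()}
    findings = []
    for mac in set(discovers) | set(names):
        if mac not in mac_to_name:
            findings.append((mac, "MAC not in inventory"))
        host = names.get(mac)
        if host and known.get(host) not in (None, mac):
            findings.append((mac, f"claims hostname {host!r} owned by {known[host]}"))
        if discovers[mac] >= repeat_threshold:
            findings.append((mac, f"{discovers[mac]} DHCPDISCOVERs, periodic re-probing"))
    return sorted(findings)

if __name__ == "__main__":
    for mac, reason in audit(SAMPLE_LOG, KNOWN):
        print(mac, reason)
```

Point it at the real log (on Pi-hole, the dnsmasq DHCP lines in its log) and your own inventory; a device that is not in the inventory, borrows a known hostname, and re-probes on a schedule is the one to go looking for.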

If your OPNsense was your gateway, what machine is acting as your router/gateway now?

On that device, when configuring your wifi network, did you configure a new wifi password?

If so, that would imply that your rogue device is using a wired connection.

If not, then I'd propose that you change the wifi password on your router and your wifi clients now, one by one, in an effort to reveal whether the rogue device is in fact a legitimate device (e.g. one with a dual-band wifi adapter, which may have separate NICs for the 2GHz/5GHz bands where you perhaps were only aware of one).

Lots of questions.
I have no other Intel MAC addresses. My ISP router was in modem mode feeding my OPNsense server. My ISP router is now in router mode.
My internal network is on untagged VLAN1 on managed switches and a wifi access point. My guest network was the same wifi access point with an SSID on VLAN20. The access point was on a switch port configured as untagged VLAN1, tagged VLAN20. The guest network interface on OPNsense was connected to the switch on untagged VLAN20. There was no leakage between VLAN1 & VLAN20, as pihole diagnostics never saw DHCP offers from OPNsense.
One of my neighbours knew the guest network password, as years ago their phone line was out and I helped them out. When I saw the rogue device I assumed they had resurrected an old device, so I blocked it on the DHCP server. They never knew the complex password for my internal network. The rogue device is now, thanks to pihole's DHCP, stuck with an unusable address.
I think my next step will be to put a laptop in the same address range and see what Nmap sees. I could set up port mirroring on my switch and see what port it is on if it responds to pings from the laptop. Maybe set up SNMP on my access point. This all would be so much easier with proper Cisco gear instead of cheap switches.
DHCP lease time is now reduced to 1 hour.

I knew I would be kicking myself when I found it. Despite all interfaces on my OPNsense box having static addresses, it is periodically making DHCP requests. I guess it, or a package I have installed on it, is doing what pihole diagnostics does: test for the existence of DHCP servers on the network. I had wondered why I had the requests but absolutely no visible traffic from the address offered.
