Text only | Text with Images

OPNsense Forum

English Forums => Zenarmor (Sensei) => Topic started by: LuPaMo on June 04, 2024, 03:00:09 PM

Title: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 03:00:09 PM
I've had a few intermittent problems with this, whereby previously trusted devices (correctly identified by its MAC address) are showing as "New" devices. Upon further inspection, their HW address is no longer the MAC address but identified as "IP4:xxx.xxx.xxx.xxx" where the X's match the devices assigned IP address.

Any ideas on whats causing this?
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 03:01:24 PM
This the the "New" device with the incorrect HW address
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 03:02:57 PM
The original trusted device entry;
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: sy on June 04, 2024, 03:58:17 PM
Hi,

Could device have Randomize MAC activated? Can you create a filter with its MAC Address and check if it has any TCP or UDP session?
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 04:29:22 PM
Hi,

Ive checked the device settings and doesnt appear to have an option for random MAC.  In the OPNSense ARP table the IP + MAC address appear correct, as does the UniFi controller for the AP its connected to.

Filtering on the device, it has open sessions (which are blocked as its not a trusted device).

Cheers,
Luke
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 06:53:23 PM
To add, for the active session(s); its showing the device ID is the IP4:xx, but the HW address is correct
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: sy on June 04, 2024, 07:04:23 PM
Hi,

If you remove the untrusted one, does it come back?


Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 04, 2024, 07:20:29 PM
Hi,

Yep, comes back after a minute or so
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: sy on June 05, 2024, 07:02:13 PM
Hi,

Please share a report by following the instructions in the below link

https://www.zenarmor.com/docs/support/reporting-bug
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: LuPaMo on June 05, 2024, 07:13:03 PM
Done - thanks for your assistance on this
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: sy on June 07, 2024, 07:13:25 PM
Hi,

We have investigated the issue. Zenarmor engine has a logic to identify Router. It causes this issue. With 1.18, we will ship an improvement for this. This logic will be disabled in default to prevent this false positive status.
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: wernerk on December 08, 2024, 11:02:22 AM
Seems that now with 1.18.4, the same issue is still very active.
I'm getting lots of false detections with ip4:xxx instead of mac-addresses over and over again.
Since you mentioned routers - I'm currently using Synology SRM Mesh network with RT6600ax, WRX560 and MR2220ac. Quite some of these entries, partially with IP6 addresses only, were detected to be "Synology" devices.

Currently I just ignore the new devices and every few days select them all and delete them.
It's just not great...

update: also sent most recent example using "send feedback" within console.
Title: Re: Device HW Address IP4:xxx rather than MAC address
Post by: sy on December 09, 2024, 01:54:00 PM
Hi,

Thanks for sharing the logs. Your logs will be investigated and update on the ticket.
Text only | Text with Images