So I have a device that is taking bandwidth, not much but it is active. It shows under reporting/traffic as device 10.1.3.251.
I have VLAN'd subnets: 10.1.1.* as the LAN, 10.1.2.*, 10.1.3.* and 10.1.4.* are VLANs on a separate port on my OPNsense device.
Now for the subnet "3" which is my business private network (2 is for IoT and 4 is for guests), most devices are hard mapped (DHCP ranges *.100 to *.199) and .10 to .99 are the dynamic DHCP leases if needed. What I don't understand is when I go to leases, I don't see anything that is 10.1.3.251, and I looked at every physical device I know, and none have this IP... Also it can't be an outsider connecting to the network as I have set up a password that would take 12 years to decrypt... something like that.
How can I know which device is this ghostly 251? I can't have its MAC address or anything and it's taking bandwidth every 10 seconds to every minute (variable).
Thanks...
Running version 23.1.11_2 amd64 of OPNsense (if it could be a version-related issue?)
What do you mean when you say "I can't have its MAC address or anything"?
If an IPv4 is actively using traffic over your OPNsense, even if it does not answer to ping requests, it still must be present in the ARP table... so try "arp -a | fgrep 10.1.3.251" and look up the MAC in a database like https://www.wireshark.org/tools/oui-lookup.html to find out the vendor. Then ask yourself which of your devices could be the culprit (unless it is a "private" MAC, since many iOS and Android devices use randomized MACs).
More often than not, things such as these are caused by IoT devices which are connected over WLAN. If you disable the WLAN, you can find it, if this should be the case.
An nmap scan can sometimes help too.
You can also check the ARP table from the GUI.
Interfaces > Diagnostic > ARP
As was said, if that device communicates, and your only Router/GW is OPNsense, it needs to have an ARP entry.
Regards,
S.
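The ARP lookup and the "private" MAC check suggested in the replies above, as an added example that is not part of any poster's message. The sample ARP lines, the interface name and the MAC addresses are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of FreeBSD-style `arp -an` output (not from the thread).
# Interface name and MACs are made up; 00:00:5e:00:53:xx is the documentation range.
SAMPLE_ARP='? (10.1.3.1) at 00:00:5e:00:53:01 on igb1_vlan3 permanent [vlan]
? (10.1.3.120) at 00:00:5e:00:53:78 on igb1_vlan3 expires in 1170 seconds [vlan]
? (10.1.3.251) at da:a1:19:00:00:03 on igb1_vlan3 expires in 884 seconds [vlan]
? (10.1.3.25) at (incomplete) on igb1_vlan3 expired [vlan]'

# mac_for_ip IP: read arp output on stdin, print the MAC for exactly that IP.
# Matching the whole "(ip)" field keeps 10.1.3.25 from matching 10.1.3.251.
mac_for_ip() {
    awk -v ip="($1)" '$2 == ip && $4 != "(incomplete)" { print tolower($4); exit }'
}

# mac_kind MAC: bit 0x02 of the first octet marks a locally administered
# address, which is what randomized ("private") phone MACs use.
mac_kind() {
    first=${1%%:*}
    if [ $(( 0x$first & 2 )) -ne 0 ]; then
        echo "locally-administered"
    else
        echo "vendor-assigned"
    fi
}

# identify IP: one-line verdict for IP, reading arp output on stdin.
# The OUI (first three octets) is only reported when a vendor lookup makes sense.
identify() {
    mac=$(mac_for_ip "$1")
    if [ -z "$mac" ]; then
        echo "$1 no-arp-entry"
        return 1
    fi
    kind=$(mac_kind "$mac")
    if [ "$kind" = "vendor-assigned" ]; then
        echo "$1 $mac $kind oui=$(echo "$mac" | cut -d: -f1-3)"
    else
        echo "$1 $mac $kind oui=none"
    fi
}

# On the firewall this would be: arp -an | identify 10.1.3.251
printf '%s\n' "$SAMPLE_ARP" | identify 10.1.3.251
```

A "locally-administered" result means an OUI lookup will not name a vendor, so the device has to be found another way, for example by its switch port or by the access point it is associated with.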
First choice, before debugging: Establish a rule for IPv4 and one for IPv6 blocking all traffic for this magic device.