Device connected but doesn't show anywhere (no lease?)

Started by oliviermyre, August 19, 2024, 06:10:33 PM

So I have a device that is taking bandwidth, not much but it is active. It shows under reporting/traffic as device 10.1.3.251

I have vlan'd subnets: 10.1.1.* as the LAN, 10.1.2.*, 10.1.3.* and 10.1.4.* are vlans on a separate port on my opnsense device.

Now for the subnet "3" which is my business private network (2 is for IoT and 4 is for guests), most devices are hard mapped (dhcp ranges *.100 to *.199) and .10 to .99 are the dynamic dhcp leases if needed. What I don't understand is when I go to leases, I don't see anything that is 10.1.3.251, and I looked at every physical device I know, and none have this IP... Also it can't be an outsider connecting to the network as I have set up a password that would take 12 years to decrypt... something like that.

How can I know which device is this ghostly 251? I can't have its MAC address or anything and it's taking bandwidth every 10 seconds to every minute (variable).

Thanks...

Running version 23.1.11_2 amd64 of OPNsense (if it could be version related issue?)

August 19, 2024, 06:49:33 PM #1 Last Edit: August 20, 2024, 10:26:50 AM by meyergru
What do you mean when you say "I can't have its MAC address or anything"?

If an IPv4 is actively using traffic over your OPNsense, even if it does not answer to ping requests, it still must be present in the ARP table... so try "arp -a | fgrep 10.1.3.251" and look up the MAC in a database like https://www.wireshark.org/tools/oui-lookup.html to find out the vendor. Then ask yourself which of your devices could be the culprit (unless it is a "private" MAC, since many iOS and Android devices use randomized MACs).

More often than not, things such as these are caused by IoT devices which are connected over WLAN. If you disable the WLAN, you can find it, if this should be the case.

Intel N100, 4 x I226-V, 16 GByte, 256 GByte NVME, ZTE F6005

1100 down / 800 up, Bufferbloat A+
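
The ARP lookup and the "private" MAC check described in the reply above, as an added example that is not part of any post in this thread. The sample ARP lines, the interface name and the function names are constructed for illustration and assume FreeBSD-style `arp -a` output.

```shell
#!/bin/sh
# Constructed sample in FreeBSD `arp -a` format (addresses, MACs and the
# interface name are made up for illustration).
SAMPLE_ARP='? (10.1.3.25) at 00:11:22:33:44:55 on igb1_vlan3 expires in 900 seconds [vlan]
? (10.1.3.251) at da:a1:19:0c:4e:7f on igb1_vlan3 expires in 1187 seconds [vlan]
? (10.1.3.252) at (incomplete) on igb1_vlan3 expired [vlan]'

# mac_for_ip IP: read arp output on stdin, print the MAC of exactly that IP.
# Comparing the whole "(ip)" field keeps 10.1.3.25 from matching 10.1.3.251,
# which a plain substring grep would do.
mac_for_ip() {
    awk -v ip="($1)" '$2 == ip && $4 != "(incomplete)" { print tolower($4); exit }'
}

# mac_kind MAC: bit 0x02 of the first octet is the locally administered bit;
# randomized ("private") phone MACs set it, so an OUI lookup is meaningless.
mac_kind() {
    first=${1%%:*}
    case $first in
        [0-9a-fA-F]|[0-9a-fA-F][0-9a-fA-F]) ;;
        *) echo "unknown"; return 1 ;;
    esac
    if [ $(( 0x$first & 2 )) -ne 0 ]; then
        echo "locally-administered"
    else
        echo "vendor-assigned"
    fi
}

# oui_prefix MAC: first three octets, upper case, as OUI databases list them.
oui_prefix() {
    printf '%s\n' "$1" | cut -d: -f1-3 | tr 'a-f' 'A-F'
}

# identify IP: stdin is arp output; prints "MAC KIND OUI" or "no-arp-entry".
identify() {
    mac=$(mac_for_ip "$1")
    [ -n "$mac" ] || { echo "no-arp-entry"; return 1; }
    echo "$mac $(mac_kind "$mac") $(oui_prefix "$mac")"
}

# On the firewall: arp -an | identify 10.1.3.251
printf '%s\n' "$SAMPLE_ARP" | identify 10.1.3.251
```

A "vendor-assigned" result means the printed OUI prefix is worth looking up; "locally-administered" means the address was not assigned by a manufacturer, so the device has to be found another way.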


You can also check the ARP table from the GUI.

Interfaces > Diagnostic > ARP

As was said, if that device communicates, and your only Router/GW is OPNsense, it needs to have an ARP entry.

Regards,
S.
Networking is love. You may hate it, but in the end, you always come back to it.

OPNSense HW
APU2D2 - deceased
N5105 - i226-V | Patriot 2x8G 3200 DDR4 | L 790 512G - VM HA(SOON)
N100   - i226-V | Crucial 16G  4800 DDR5 | S 980 500G - PROD

First choice, before debugging: Establish a rule for IPv4 and one for IPv6 blocking all traffic for this magic device.
kind regards
chemlud
____
"The price of reliability is the pursuit of the utmost simplicity."
C.A.R. Hoare

Felix Eichhorn's premium cat food with the extra portion of energy

A router is not a switch - A router is not a switch - A router is not a switch - A rou....