Device HW Address IP4:xxx rather than MAC address

Started by LuPaMo, June 04, 2024, 03:00:09 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions
June 04, 2024, 03:00:09 PM
I've had a few intermittent problems with this, whereby previously trusted devices (correctly identified by its MAC address) are showing as "New" devices. Upon further inspection, their HW address is no longer the MAC address but identified as "IP4:xxx.xxx.xxx.xxx" where the X's match the devices assigned IP address.

Any ideas on whats causing this?
June 04, 2024, 03:01:24 PM #1
This the the "New" device with the incorrect HW address
June 04, 2024, 03:02:57 PM #2
The original trusted device entry;
June 04, 2024, 03:58:17 PM #3
Hi,

Could device have Randomize MAC activated? Can you create a filter with its MAC Address and check if it has any TCP or UDP session?
June 04, 2024, 04:29:22 PM #4
Hi,

Ive checked the device settings and doesnt appear to have an option for random MAC.  In the OPNSense ARP table the IP + MAC address appear correct, as does the UniFi controller for the AP its connected to.

Filtering on the device, it has open sessions (which are blocked as its not a trusted device).

Cheers,
Luke
June 04, 2024, 06:53:23 PM #5
To add, for the active session(s); its showing the device ID is the IP4:xx, but the HW address is correct
June 04, 2024, 07:04:23 PM #6
Hi,

If you remove the untrusted one, does it come back?


June 04, 2024, 07:20:29 PM #7
Hi,

Yep, comes back after a minute or so
June 05, 2024, 07:02:13 PM #8
Hi,

Please share a report by following the instructions in the below link

https://www.zenarmor.com/docs/support/reporting-bug
June 05, 2024, 07:13:03 PM #9
Done - thanks for your assistance on this
June 07, 2024, 07:13:25 PM #10
Hi,

We have investigated the issue. Zenarmor engine has a logic to identify Router. It causes this issue. With 1.18, we will ship an improvement for this. This logic will be disabled in default to prevent this false positive status.
December 08, 2024, 11:02:22 AM #11 Last Edit: December 08, 2024, 11:17:19 AM by wernerk
Seems that now with 1.18.4, the same issue is still very active.
I'm getting lots of false detections with ip4:xxx instead of mac-addresses over and over again.
Since you mentioned routers - I'm currently using Synology SRM Mesh network with RT6600ax, WRX560 and MR2220ac. Quite some of these entries, partially with IP6 addresses only, were detected to be "Synology" devices.

Currently I just ignore the new devices and every few days select them all and delete them.
It's just not great...

update: also sent most recent example using "send feedback" within console.
December 09, 2024, 01:54:00 PM #12
Hi,

Thanks for sharing the logs. Your logs will be investigated and update on the ticket.
Print
Go Up Pages1
User actions