
How to block a MAC from connecting to GS-AX3000?

dpwhite
Level 9
I was working to try and resolve an entirely different issue and I happened to look at the list of DHCP leases shown in the System Log area of my GS-AX3000. I saw the following entry.

* 192.168.1.210 cc:4b:73:9a:90:a8 162:08:30

The IP address was immediately unfamiliar as I assign almost 100% of my devices manually. Looking in the system log I see entries like these


Sep 13 11:55:50 wlceventd: wlceventd_proc_event(527): eth6: Auth CC:4B:73:9A:90:A8, status: Successful (0), rssi:-20
Sep 13 11:55:50 wlceventd: wlceventd_proc_event(556): eth6: Assoc CC:4B:73:9A:90:A8, status: Successful (0), rssi:-20
Sep 13 11:55:53 wlceventd: wlceventd_proc_event(508): eth6: Disassoc CC:4B:73:9A:90:A8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Sep 13 11:55:53 wlceventd: wlceventd_proc_event(508): eth6: Disassoc CC:4B:73:9A:90:A8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Sep 16 09:39:51 wlceventd: wlceventd_proc_event(527): eth6: Auth CC:4B:73:9A:90:A8, status: Successful (0), rssi:-21
Sep 16 09:39:51 wlceventd: wlceventd_proc_event(556): eth6: Assoc CC:4B:73:9A:90:A8, status: Successful (0), rssi:-21
Sep 16 09:39:54 wlceventd: wlceventd_proc_event(508): eth6: Disassoc CC:4B:73:9A:90:A8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0
Sep 16 09:39:54 wlceventd: wlceventd_proc_event(508): eth6: Disassoc CC:4B:73:9A:90:A8, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0


I don't know what this is. But I sure do not want it connecting and it makes me wonder... On my old Netgear R6400, I was able to specifically deny access entirely to one or more, given MAC addresses. I cannot seem to find such a function on my new Asus router. I must be missing something. Please help.

I also presume, but do not really KNOW, that a DHCP lease is not created until/unless a device successfully connects - meaning it has passed in valid credentials. Is this true? Or could this just be the result of someone's phone passing by with wifi on in the street?

Thanks

Murph_9000
Level 14
Auth and Assoc successful makes me think it's successfully authenticating to the wireless network. DHCP shouldn't be possible to an unauthenticated client (in a closed network, open obviously allows anyone past the gate). It's almost certainly a device that has the pre-shared key. Something to note is that WPA is essentially insecure and deprecated; it should not be used or allowed on a secured network in 2022. If you do have fairly ancient devices that can only do WPA authentication (and not WPA2/WPA3), that's a problem that means you can kinda only have an insecure (WPA will prevent casual attempts to connect, but is no longer considered secure against a determined attacker) network if you want to keep those devices online. Set your authentication to either WPA2-Personal, WPA3-Personal, or WPA2/WPA3-Personal. WPA3 provides the best security, but is relatively new and you may well have devices that don't support it. Change your pre-shared key, as it's actively compromised if this unknown MAC really is an intruder (and not something like a member of the household that has an extra device, or a gadget you forgot about).

You should be able to set up MAC filtering on the router, although you should note that MAC filtering where you only deny particular MAC addresses isn't a proper form of security. MAC addresses can be changed on the client end, and a determined attacker will just change to a new address to bypass a block. Filtering by only allowing known MAC addresses is the other option, and relatively secure, but it's another set of stuff to manage when you are adding/changing devices.

I don't have a GS-AX series to confirm it, but it should be the same as the GT-AX series. It's in the Wireless section (on the left), and the "Wireless MAC Filter" tab. On the GT series, firmware version 3.0.0.4.386_49556, you can find it at http://192.168.50.1/Advanced_ACL_Content.asp (substitute your router's IP in there, if it's different).

MAC block CC:4B:73 is allocated to "AMPAK Technology, Inc.", but that may not match the branding on the device (e.g. if they produce the chip/interface used by another company).
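
A way to triage the situation discussed above, as an added example that is not part of any post in this thread: it parses wlceventd lines and a DHCP lease list in the formats quoted here and reports every wireless client missing from a device inventory, with whether it holds a lease and whether its OUI is meaningful. The `KNOWN` inventory, the function names and the last sample log line are assumptions made for illustration.

```python
import re

# Sample input: lines in the formats quoted in this thread; the last log line is constructed.
LOG = """\
Sep 13 11:55:50 wlceventd: wlceventd_proc_event(527): eth6: Auth CC:4B:73:9A:90:A8, status: Successful (0), rssi:-20
Sep 13 11:55:50 wlceventd: wlceventd_proc_event(556): eth6: Assoc CC:4B:73:9A:90:A8, status: Successful (0), rssi:-20
Sep 17 12:57:40 wlceventd: wlceventd_proc_event(556): eth5: Assoc 00:37:6D:4B:0A:6B, status: Successful (0), rssi:-61
Sep 17 12:57:42 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind 00:37:6D:4B:0A:6B, status: 0, reason: Station requesting (re)association is not authenticated with responding station (9), rssi:0
Sep 17 13:02:11 wlceventd: wlceventd_proc_event(556): eth6: Assoc AA:BB:CC:00:11:22, status: Successful (0), rssi:-48
"""
LEASES = "192.168.1.210 cc:4b:73:9a:90:a8 162:08:30\n"
KNOWN = {"aa:bb:cc:00:11:22"}  # hypothetical inventory of the owner's devices

MAC = r"(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}"
EVENT = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) wlceventd: wlceventd_proc_event\(\d+\): "
    rf"(?P<iface>\w+): (?P<event>\w+) (?P<mac>{MAC}), status: (?P<status>[^,]+)")
LEASE = re.compile(rf"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>{MAC})\b")

def locally_administered(mac):
    """U/L bit set means a randomized or overridden MAC, so its OUI names no vendor."""
    return bool(int(mac[:2], 16) & 0x02)

def triage(log_text, lease_text, known):
    """Return {mac: findings} for every wireless client not in the known inventory."""
    leases = {m["mac"].lower(): m["ip"]
              for m in map(LEASE.match, lease_text.splitlines()) if m}
    out = {}
    for m in filter(None, map(EVENT.match, log_text.splitlines())):
        mac = m["mac"].lower()
        if mac in known:
            continue
        rec = out.setdefault(mac, {"assoc": [], "deauth": 0, "ifaces": set(),
                                   "lease_ip": leases.get(mac),
                                   "oui": mac[:8].upper(),
                                   "randomized": locally_administered(mac)})
        rec["ifaces"].add(m["iface"])
        if m["event"] == "Assoc" and m["status"].startswith("Successful"):
            rec["assoc"].append(m["ts"])   # time of each successful association
        elif m["event"] == "Deauth_ind":
            rec["deauth"] += 1             # dropped again after associating
    return out

if __name__ == "__main__":
    for mac, rec in triage(LOG, LEASES, KNOWN).items():
        print(mac, rec)
```

A locally administered address has no vendor behind its first three octets, so an OUI lookup like the one for CC:4B:73 only helps when `randomized` is false.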

Murph_9000 wrote:
I don't have a GS-AX series to confirm it, but it should be the same as the GT-AX series. It's in the Wireless section (on the left), and the "Wireless MAC Filter" tab. On the GT series, firmware version 3.0.0.4.386_49556, you can find it at http://192.168.50.1/Advanced_ACL_Content.asp (substitute your router's IP in there, if it's different).


This worked for my AXE16000, even though I had to log in first. You're awesome!

Murph_9000 wrote:
Auth and Assoc successful makes me think it's successfully authenticating to the wireless network. DHCP shouldn't be possible to an unauthenticated client (in a closed network, open obviously allows anyone past the gate). It's almost certainly a device that has the pre-shared key. Something to note is that WPA is essentially insecure and deprecated; it should not be used or allowed on a secured network in 2022. If you do have fairly ancient devices that can only do WPA authentication (and not WPA2/WPA3), that's a problem that means you can kinda only have an insecure (WPA will prevent casual attempts to connect, but is no longer considered secure against a determined attacker) network if you want to keep those devices online. Set your authentication to either WPA2-Personal, WPA3-Personal, or WPA2/WPA3-Personal. WPA3 provides the best security, but is relatively new and you may well have devices that don't support it. Change your pre-shared key, as it's actively compromised if this unknown MAC really is an intruder (and not something like a member of the household that has an extra device, or a gadget you forgot about).

You should be able to set up MAC filtering on the router, although you should note that MAC filtering where you only deny particular MAC addresses isn't a proper form of security. MAC addresses can be changed on the client end, and a determined attacker will just change to a new address to bypass a block. Filtering by only allowing known MAC addresses is the other option, and relatively secure, but it's another set of stuff to manage when you are adding/changing devices.

I don't have a GS-AX series to confirm it, but it should be the same as the GT-AX series. It's in the Wireless section (on the left), and the "Wireless MAC Filter" tab. On the GT series, firmware version 3.0.0.4.386_49556, you can find it at http://192.168.50.1/Advanced_ACL_Content.asp (substitute your router's IP in there, if it's different).

MAC block CC:4B:73 is allocated to "AMPAK Technology, Inc.", but that may not match the branding on the device (e.g. if they produce the chip/interface used by another company).

Thanks for the detailed and very helpful response...

1. I have found and employed reject mode of MAC Filtering for cc:4b:73:9a:90:a8 on both 2.4 and 5 GHz. My intent here is not really "security". It is to try and make sure that this device, whatever it is, cannot connect. In this way I MIGHT be able to find out if it really is something in my home that I have simply forgotten. By blocking it, I suspect something will stop working and it will eventually come to my attention. But this is a long shot as I am pretty detail oriented.

But 1 thing comes to mind suddenly and that is our power utility installed a new "smart meter" for our electricity on the 12th - one day prior to the 1st appearance of this MAC in my system log. While it was installed, I asked and was assured by the installer that the unit does NOT make use of my wifi and that it employs cell service to communicate with its home base. Perhaps this was fake news?

2. In the network map, I note that my router's security mode is currently WPA-Auto-Personal. However, in the Wireless section it shows WPA/WPA2 Personal. I think this was a default. From what you are saying, it sounds like I should try to eliminate WPA (without any number) entirely. I am not sure if this will break anything. But I can certainly try it. I do have some older devices but they aren't ancient. So what to choose? I see many options. Is WPA2-Personal adequate? Or WPA2/WPA3-Personal?

3. All of this has made me read a bit on DHCP and where it lies in the authentication/authorization process. In this discussion, a CISCO staff person says "For Wireless, it requires auth first before DHCP, unless the WLAN setup in open mode." I am not sure this is the total story but it makes sense to me. I wish I could find a more definitive answer.

Thanks for all!

Apple devices are able to share WiFi login details to other family member Apple devices. I could easily see someone sharing the WiFi and one gaining access that way. I don't have more than one Samsung in the household but I'd guess they have that feature as well....

A main function of the DHCP server is to assign an IP address that is not already used, and within the range allotted. Why it would be designed to do this for any unauthorized device wouldn't make sense to me.

WPA-2/WPA-3 Personal was default and I did not need to change it/what I would suggest trying...

WPA-Auto may be the concern. If a non-secured connection is attempted it maybe allows it?...

jzchen wrote:
Apple devices are able to share WiFi login details to other family member Apple devices. I could easily see someone sharing the WiFi and one gaining access that way. I don't have more than one Samsung in the household but I'd guess they have that feature as well....

A main function of the DHCP server is to assign an IP address that is not already used, and within the range allotted. Why it would be designed to do this for any unauthorized device wouldn't make sense to me.


I completely agree with your last statement. And if this is true (all I am saying is that I am not yet 100% sure) then I have had something actually log into my wifi and that is disconcerting.

There are no Apple devices here. One modern Samsung phone. One modern LG. So I doubt that sharing for credentials is happening. But this is the 1st I have heard of it.

When my wife goes out later today I will try changing the wifi security mode.

Thanks

dpwhite wrote:

When my wife goes out later today I will try changing the wifi security mode.
Thanks


So I have added the change to the wifi security making it WPA2-Personal (I got a warning when trying WPA2/WPA3-Personal). At first it appeared that all of my devices connected fine. But then I noticed that my Samsung Note I (N7000) was NOT connecting. It should be modern enough to support WPA2 but I decided to go back to WPA/WPA2-Personal and see. Even having done that AND removing the MAC filtering it will NOT connect. In the system log I see a never-ending series of this:


Sep 17 12:57:40 wlceventd: wlceventd_proc_event(527): eth5: Auth 00:37:6D:4B:0A:6B, status: Successful (0), rssi:0
Sep 17 12:57:40 wlceventd: wlceventd_proc_event(556): eth5: Assoc 00:37:6D:4B:0A:6B, status: Successful (0), rssi:-61
Sep 17 12:57:42 wlceventd: wlceventd_proc_event(491): eth5: Deauth_ind 00:37:6D:4B:0A:6B, status: 0, reason: Station requesting (re)association is not authenticated with responding station (9), rssi:0
Sep 17 12:57:42 wlceventd: wlceventd_proc_event(508): eth5: Disassoc 00:37:6D:4B:0A:6B, status: 0, reason: Disassociated because sending station is leaving (or has left) BSS (8), rssi:0


It was fine before I started fiddling. Ach!

PS - Continuing to try and resolve this. Thought I would clean the dhcp leases and did the following via telnet:


killall dnsmasq
rm /var/lib/misc/dnsmasq.leases
service restart_dnsmasq


And that definitely cleared the leases. But that didn't help with the connection issues. I now find that the only way I can connect the Note I is to make the wifi OPEN. Obviously not gonna do that. But this demonstrates that the wifi radio on the Note I is working. It seems that the wifi authentication mechanism is not.

PSS - I can connect to my old Netgear R6400 v2 router from the Note N7000 and it is set up for WPA2-Personal. So something is definitely hosed-up in my new Asus. No idea what. I REALLY do not want to factory reset it and go through all the configuration.

I dug up the www.wi-fi.org certificate for GT-N7000 and it shows WPA 2....

There is a 2 part YouTube video on repairing Wi-Fi on it. Didn't stick around to watch the complete part 1.

Not exactly sure what is going on regarding it but it's a 10 yr old device but still certified for WPA 2....

This seems more geared towards IoT compatibility, but may be worth a look/shot:

https://www.asus.com/us/support/FAQ/1042475/