Unknown MAC Address on My WiFi

Joined
Jul 22, 2010
Messages
29,021
Location
PNW
I went into my modem/router user interface today to look around at my settings and to check for any firmware updates. I was also going to setup MAC address filtering, and when I enabled MAC filtering a pull down shows up that lists all the MAC addresses that the modem can currently see (both hardwired and WiFi devices). I accounted for all the MAC address (by verifying them against my devices) except for one that shows up. It shows up as: Unknown 30:14:4A:xx:xx:xx I also noticed that if I sat there and updated the list for a while, that this MAC address would disappear and reappear at times. Thought that was strange. I even ran ipconfig /all in a DOS window on both my computers and didn't see this MAC address. Only weird thing I found doing the ipconfig /all command was 4 instances of a "Tunnel adapter" (described as "Microsoft ISATAP adapter") all with the same MAC address (00-00-00-00-00-00-E0), but it says the "Media state" is 'disconnected'. I did some searching on the 'net and found that the device traces back to the "Wistron Neweb Corporation". Here's their website, which shows the products they make (look under "Products". http://www.wnc.com.tw/index.php [Linked Image] The power company recently put in a new digital wireless power meter, so I'm wondering if that's it. If so, how did it get on my network without someone putting it there knowing my network SSID and passkey? I looked at the face of the power meter and didn't see any kind of MAC address info. I think those power meters connect to cell phone towers anyway, so doubt it somehow got onto my WiFi network by itself. Here's a thread I found where someone else noticed the same thing of having Wistron Neweb Corporation MAC addresss show up, and they say they didn't install anything like that. https://www.reddit.com/r/techsupport/comments/copngb/wistron_neweb_corporation_on_my_wifi/ Is it possible that one of my devices has more than one MAC address and I can only see one of them? I'd like to account for this MAC address if possible ... otherwise who knows what it could be, hopefully not someone on my network that shouldn't be. Any ideas on this?
 
Joined
Jun 11, 2003
Messages
707
Location
Hedgesville, WV
It may be that your wireless router is always searching for nearby connections but they wont be allowed access without the password. You should be able to block that MAC and see if any of your devices loose connection. Also make sure your router is not broadcasting. It makes it more difficult if you bring in a new device but it stops outsiders from seeing your network.
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
Originally Posted by DuckRyder
Alarm panel, tv, Blu-ray player, set top box... any "smart devices"?
I'm pretty much sure I've accounted for all my wireless devices. I went into all of my WiFi devices and verified what they showed for the MAC address. Also did a "ipconfig /all" on the Windows computers to verify if there were any hidden MAC addresses. I even turned them all on and off to verify they showed up and disappeared in my modem MAC address drop down, which they did. I just can't verity where this one MAC address is coming from.
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
Originally Posted by samven
It may be that your wireless router is always searching for nearby connections but they wont be allowed access without the password. You should be able to block that MAC and see if any of your devices loose connection. Also make sure your router is not broadcasting. It makes it more difficult if you bring in a new device but it stops outsiders from seeing your network.
I turned my SSID broadcasting to Off yesterday. I also got the MAC address off the modem and it's not the unknown one I'm looking for. I'll go into the modem user interface and see if I can find any weird MAC address shown for the modem itself that matches.
 
Joined
Oct 30, 2002
Messages
41,131
Location
Great Lakes
Originally Posted by ZeeOSix
Is it possible that one of my devices has more than one MAC address and I can only see one of them? I'd like to account for this MAC address if possible ... otherwise who knows what it could be, hopefully not someone on my network that shouldn't be. Any ideas on this?
Just permanently ban that particular MAC address, and then see which one of your devices stops working. If they're all still working, then great - you've banned an intruder.
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
So I just found something interesting that might be a clue. When I looked at the "Device Table" I do not see the Unknown 30:14:4A:xx:xx:xx MAC address. The Device Table says: "The list below displays all devices connected to your Local Area Network (LAN) with the connection type." So why doesn't the mystery MAC address show up in the Device Table? shrug
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
I also looked at the "System Log" and didn't see any log entries for any MAC address of 30:14:4A:xx:xx:xx activity. I do however see some of my other MAC addresses logged - the ones that have been in use lately. The System Log only goes back about 12 hours though.
 

MolaKule

Staff member
Joined
Jun 5, 2002
Messages
22,198
Location
Iowegia - USA
Originally Posted by ZeeOSix
...The power company recently put in a new digital wireless power meter, so I'm wondering if that's it. If so, how did it get on my network without someone putting it there knowing my network SSID and passkey? I looked at the face of the power meter and didn't see any kind of MAC address info. I think those power meters connect to cell phone towers anyway, so doubt it somehow got onto my WiFi network by itself. Is it possible that one of my devices has more than one MAC address and I can only see one of them? I'd like to account for this MAC address if possible ... otherwise who knows what it could be, hopefully not someone on my network that shouldn't be. Any ideas on this?
No. The Advanced Metering Infrastructure (AMI) system uses a SmartHub arrangement and operates separately in the 200 MHz to 400 MHZ part of the spectrum with encryption. Could they possibly be applications uploaded internally from a local computer with those IP addresses just before shipment?
 
Last edited:

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
Yes, I'm going to filter it out ... but I'm really wondering why it's showing up. Maybe OVERKILL might have an idea if he sees this thread. It's very strange that it shows up as a real-time detected MAC address, yet doesn't show up in the Device Table as being an active device.
 

Pew

Joined
Mar 12, 2018
Messages
1,467
Location
Illinois
Originally Posted by 03cvpi
When in doubt, Lock it out! Wistron makes a lot of Iot junk.
Definitely this. You'll find out if it's a device you use soon lol.
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
The modem does have a MAC address on the label located on the bottom of the modem, but it never shows up in the modem's user interface as an active MAC address or in the Device Table. The modem also never shows up in a DOS 'ipconfig /all' command Don't know if it should - ?.
 

ZeeOSix

Thread starter
Joined
Jul 22, 2010
Messages
29,021
Location
PNW
OK, so I blocked the unknown MAC address to see if any of my devices show any issues. Funny thing is that there is no IP address associated with that MAC address. Is that normal, or another clue to what's going on? [Linked Image]
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
47,089
Location
Ontario, Canada
Originally Posted by samven
It may be that your wireless router is always searching for nearby connections but they wont be allowed access without the password. You should be able to block that MAC and see if any of your devices loose connection. Also make sure your router is not broadcasting. It makes it more difficult if you bring in a new device but it stops outsiders from seeing your network.
No, it doesn't. Hiding the SSID is at best, inconvenient, it does not make your network more secure.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
47,089
Location
Ontario, Canada
Originally Posted by Quattro Pete
Originally Posted by ZeeOSix
Is it possible that one of my devices has more than one MAC address and I can only see one of them? I'd like to account for this MAC address if possible ... otherwise who knows what it could be, hopefully not someone on my network that shouldn't be. Any ideas on this?
Just permanently ban that particular MAC address, and then see which one of your devices stops working. If they're all still working, then great - you've banned an intruder.
Yep. Though based on the fact he's saying it is not getting an IP, it may be a device that has tried to associate (and failed) or one of his other devices does some bridging and this device was located within that bridge.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
47,089
Location
Ontario, Canada
Originally Posted by ZeeOSix
I also looked at the "System Log" and didn't see any log entries for any MAC address of 30:14:4A:xx:xx:xx activity. I do however see some of my other MAC addresses logged - the ones that have been in use lately. The System Log only goes back about 12 hours though.
It's possible that this is the MAC of the device it is communicating with upstream on the WAN side, which is why there is no IP address associated with it.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
47,089
Location
Ontario, Canada
Originally Posted by ZeeOSix
The modem does have a MAC address on the label located on the bottom of the modem, but it never shows up in the modem's user interface as an active MAC address or in the Device Table. The modem also never shows up in a DOS 'ipconfig /all' command Don't know if it should - ?.
No, if you do an arp -a you'll see the list of IP's and mac's your computer sees, ipconfig is only useful for seeing the hardware addresses (mac) of the adapters in your system.
 

OVERKILL

$100 Site Donor 2021
Joined
Apr 28, 2008
Messages
47,089
Location
Ontario, Canada
Keep in mind that both of these things you've implemented do not really make you any more secure. If somebody is skilled enough to get through WPA2-AES, they aren't going to be impeded by hiding the SSID (which takes seconds to determine) or MAC address filtering, as they'll just clone the MAC of an existing client that they've gleaned through a capture. You'd be far better served setting up a more hardened firewall, like a PFSense box, which would give you better insight into your LAN, and far more capable logging/inspection and filtering capability. While this is perhaps a fun learning exercise for you (and I'm not trying to dissuade you from learning!) one needs to understand the value of what one is doing in context. Because your device is an AIO, it makes, as you've discovered, things more difficult to distill out as to their origin. If you were using standalone components, this becomes much easier, particularly if you are using a managed switch.
 
Top