ASUSWRT device tracker tracking unknown MAC from WAN?

So I have successfully gotten the ASUSWRT device tracker working with my installation but I am finding that an unknown device MAC is being detected and tracked in known_devices.yaml.

I have isolated the MAC to the WAN port of the router and noticed that the firewall appears to be dropping the traffic.

known_devices.yaml

00015cxxxxxx:
  hide_if_away: false
  icon:
  mac: 00:01:5C:xx:xx:xx
  name: 00015cxxxxxx
  picture:
  track: true

syslog.txt with firewall logging set to drop

Oct 15 21:46:40 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=185.153.196.17 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=231 ID=62634 PROTO=TCP SPT=43384 DPT=18000 SEQ=1451944326 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct 15 21:47:08 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=185.169.230.80 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=244 ID=54321 PROTO=TCP SPT=43341 DPT=14007 SEQ=687622162 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 15 21:48:47 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:4a SRC=196.52.43.51 DST=xxx.xxx.xxx.xxx LEN=74 TOS=0x00 PREC=0x20 TTL=239 ID=54321 PROTO=UDP SPT=56507 DPT=5353 LEN=54 
Oct 15 21:49:28 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=139.59.8.175 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=234 ID=33848 PROTO=TCP SPT=59952 DPT=32231 SEQ=2080678563 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct 15 21:49:51 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=185.153.196.21 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=231 ID=32622 PROTO=TCP SPT=58960 DPT=3656 SEQ=1544170074 ACK=0 WINDOW=1024 RES=0x00 SYN URGP=0 
Oct 15 21:50:04 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=178.128.175.98 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=237 ID=54321 PROTO=TCP SPT=36493 DPT=23 SEQ=2168006744 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 
Oct 15 21:50:49 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:4c SRC=185.195.201.148 DST=xxx.xxx.xxx.xxx LEN=76 TOS=0x00 PREC=0x20 TTL=241 ID=54321 PROTO=UDP SPT=57239 DPT=123 LEN=56 
Oct 15 21:51:08 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:28 SRC=120.210.159.87 DST=xxx.xxx.xxx.xxx LEN=40 TOS=0x00 PREC=0x20 TTL=46 ID=19716 PROTO=TCP SPT=14285 DPT=5555 SEQ=1169513340 ACK=0 WINDOW=10448 RES=0x00 SYN URGP=0 
Oct 15 21:51:22 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:2d SRC=196.52.43.98 DST=xxx.xxx.xxx.xxx LEN=45 TOS=0x00 PREC=0x20 TTL=236 ID=54321 PROTO=UDP SPT=50062 DPT=47808 LEN=25 
Oct 15 21:52:16 kernel: DROP IN=vlan2 OUT= MAC=08:62:66:xx:xx:xx:00:01:5C:xx:xx:xx:08:00:45:20:00:44 SRC=216.218.206.103 DST=xxx.xxx.xxx.xxx LEN=68 TOS=0x00 PREC=0x20 TTL=55 ID=54655 DF PROTO=UDP SPT=1825 DPT=111 LEN=48 

It appears that these are invalid requests to the router (MACs are only 12 octets), whereas the router is showing 36 octets and the unknown MAC is in the middle. I could see 24 octets being reported (Source Address and Destination Address) but don’t get the 36.

Is anyone else seeing this?
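Added example (not part of the original posts): the MAC= value in the DROP lines above is 18 colon-separated bytes, written as 36 hex digits. This sketch splits it into destination MAC, source MAC, EtherType and four trailing bytes, then checks those trailing bytes against the LEN=, TOS= and PREC= fields of the same line. The sample line is constructed from the redacted log, with made-up bytes in place of "xx" and a documentation address for DST; the function names are illustrative.

```python
import re

# Constructed sample: one DROP line from the post, with the redacted "xx"
# bytes replaced by made-up values and DST set to a documentation address.
SAMPLE = (
    "Oct 15 21:48:47 kernel: DROP IN=vlan2 OUT= "
    "MAC=08:62:66:aa:bb:cc:00:01:5c:dd:ee:ff:08:00:45:20:00:4a "
    "SRC=196.52.43.51 DST=203.0.113.7 LEN=74 TOS=0x00 PREC=0x20 TTL=239 "
    "ID=54321 PROTO=UDP SPT=56507 DPT=5353 LEN=54"
)

FIELD = re.compile(r"(\w+)=(\S*)")


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def decode_drop_line(line):
    """Split the MAC= field of a kernel DROP line and cross-check it."""
    fields = {}
    for key, value in FIELD.findall(line):
        fields.setdefault(key, value)  # keep the first LEN= (IP length, not UDP)
    raw = bytes.fromhex(fields["MAC"].replace(":", ""))
    if len(raw) < 14:
        raise ValueError("MAC= field is shorter than an Ethernet header")
    result = {
        "hex_digits": len(raw) * 2,
        "dst_mac": fmt_mac(raw[0:6]),    # frame destination: the receiving interface
        "src_mac": fmt_mac(raw[6:12]),   # frame source: the previous hop on that link
        "ethertype": int.from_bytes(raw[12:14], "big"),
    }
    extra = raw[14:]
    if result["ethertype"] == 0x0800 and len(extra) >= 4:
        # The trailing bytes line up with the start of the IPv4 header.
        result["ip_version"] = extra[0] >> 4
        result["ip_tos_byte"] = extra[1]
        result["ip_total_len"] = int.from_bytes(extra[2:4], "big")
        logged_tos = int(fields["TOS"], 16) | int(fields["PREC"], 16)
        result["matches_log"] = (
            result["ip_total_len"] == int(fields["LEN"])
            and result["ip_tos_byte"] == logged_tos
        )
    return result


if __name__ == "__main__":
    for key, value in decode_drop_line(SAMPLE).items():
        print(f"{key:>13}: {value}")
```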

Cadant Inc. make cable modems, do you have one of those connected?

I have an Arris SB6183 which acquired Cadant Inc. but the MAC of the Cable Modem does not match the one on the router.

The MAC does not show up in any DHCP list or connected devices in the router webpage and I only found it after enabling the firewall “drop” logging.

The other issue I see is: if the MAC is related to the modem, why would the ASUSWRT component be tracking any device on the WAN port?

asuswrt is seeing the cable modem MAC address - in your case 00:01:5C:xx:xx:xx. It is getting the mac from the “ip neigh” command. Try running “ip neigh” on the router and see if your external (public) ip of your router (handed out by your ISP to the ASUS) is shown with the MAC address of the cable modem. This is the case with my setup.

The device tracker can detect if the cable modem is disconnected from your router, i.e. loss of the internet. So, it is a good thing.

The new release 0.82.0 with asyncssh includes some (overly) verbose logging at the INFO level showing the commands the asuswrt component is running on your router (assuming you are using ssh access to your asus - you should be).

See below. The lines with Command: show the command being executed on the router. Sorry for the double timestamp - this is from the syslog output.

Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=124] Requesting new SSH session
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=124]   Command: for dev in `nvram get wl_ifnames`; do wl -i $dev assoclist; done
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=124] Received exit status 0
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=124] Received channel close
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=124] Channel closed
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=125] Requesting new SSH session
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=125]   Command: arp -n
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=125] Received exit status 0
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=125] Received channel close
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=125] Channel closed
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=126] Requesting new SSH session
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=126]   Command: ip neigh
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=126] Received exit status 0
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=126] Received channel close
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=126] Channel closed
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=127] Requesting new SSH session
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=127]   Command: cat /var/lib/misc/dnsmasq.leases
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=127] Received exit status 0
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=127] Received channel close
Nov 11 08:28:33 mondo hass[9150]: 2018-11-11 08:28:33 INFO (MainThread) [asyncssh] [conn=0, chan=127] Channel closed
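Added example (not the asuswrt component's code and not from the original posts): since the reply above says the MAC comes from `ip neigh`, this groups neighbour entries by interface so a MAC learned on the WAN side can be told apart from LAN clients before deciding whether to keep tracking it in known_devices.yaml. The `ip neigh` output is constructed; `vlan2` as the WAN interface is taken from the firewall log earlier in the thread, and `br0` as the LAN bridge is an assumption.

```python
import re

# Constructed `ip neigh` output; all addresses and MACs are made up.
SAMPLE_IP_NEIGH = """\
192.168.1.23 dev br0 lladdr aa:bb:cc:11:22:33 REACHABLE
192.168.1.40 dev br0 lladdr aa:bb:cc:44:55:66 STALE
192.168.1.77 dev br0  FAILED
203.0.113.1 dev vlan2 lladdr 00:01:5c:dd:ee:ff REACHABLE
fe80::a2b:ccff:fe11:2233 dev br0 lladdr aa:bb:cc:11:22:33 router STALE
"""

NEIGH = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+)(?: lladdr (?P<mac>[0-9a-fA-F:]{17}))?"
    r"(?: router)?\s+(?P<state>[A-Z]+)\s*$"
)


def parse_ip_neigh(text):
    """Return neighbour entries that carry a link-layer address."""
    entries = []
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m and m.group("mac"):  # FAILED/INCOMPLETE entries have no lladdr
            entries.append({
                "ip": m.group("ip"),
                "dev": m.group("dev"),
                "mac": m.group("mac").lower(),
                "state": m.group("state"),
            })
    return entries


def split_by_interface(entries, wan_ifaces=("vlan2",)):
    """Map MAC -> list of IPs, separately for LAN and WAN interfaces."""
    lan, wan = {}, {}
    for entry in entries:
        target = wan if entry["dev"] in wan_ifaces else lan
        target.setdefault(entry["mac"], []).append(entry["ip"])
    return lan, wan


if __name__ == "__main__":
    lan, wan = split_by_interface(parse_ip_neigh(SAMPLE_IP_NEIGH))
    print("LAN clients:", lan)
    print("WAN-side neighbours:", wan)
```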