Deco M5 - unknown network devices
I am using 12 Deco M5s in a single MESH in A/P mode. Smart DHCP is disabled, Fast Roaming is also disabled and Beamforming is enabled. All Decos connect to my LAN via Ethernet.
The MESH runs very well but I am seeing a strange phenomenon.
On our Reception 'node' there are a good number of unknown 'network device' (over 20) - and each has a DHCP allocated IP address, MAC address, and shows no network traffic (neither upload nor download). The majority of these devices are connected using 5 GHz.
My questions are "What are these devices?" and "How do they get an IP address from my DHCP Server?" They are obviously not authorized on the network yet they are eating into our DHCP pool.
My guess is that there are many people using mobiles around and near our Reception area node and these mobiles are automatically trying to connect to our Wireless (mesh) - and somehow the Decos are letting them through to our DHCP Server.
If I am right about this then there is a problem and something ought to be changed in the way the Decos handle 'connect' requests from mobile devices to prevent such requests getting to the DHCP pool before they authenticate. I am concerned that, despite shortening the lease time, a good number of these devices are still showing as being "connected" when they obviously are not - and the DHCP pool will become exhausted at some point.
I would appreciate all comments & observations.
Thank you in advance.
Steve
Let's assume for a moment that Deco mesh does what it is supposed to, which means it is giving IP addresses only to devices that successfully authenticated.
There is a feature called "MAC Address Randomization" on Android and Windows devices, also known on iPhone as "Private Wi-Fi Address." It is enabled by default on newer devices and makes the smartphone generate a random MAC address when connecting to a WiFi network.
Do you have Guest Network enabled for visitors to your business? Having that might make the issue worse, as you will be having multiple visitors during the day (or passersby) who would connect to your Guest Network with a random MAC address and then leave after a short time, which will explain multiple idle "unknown devices."
Thanks for your reply. I checked and the Guest Network is not turned on.
At the moment the network is quiet (i.e. we are closed and there is no one in the office) yet the Deco App is showing me that there are 38 online clients at the moment. 12 of those will be the Decos - the rest (26) are all the mysterious "network device" with IPs and no throughput.
I'm going to try enabling the Guest network, password-ed, and see if that stops this.
I am wondering if this must be a design flaw with the M5's?
Comments appreciated!
Do not enable Guest Network - and if you already did, then disable it back. Having Guest Network enabled will not do any good: these mysterious devices are connected to your Main Network, obviously.
I would not be so sure they pass zero traffic; if you would like, I'll tell you more about issues with Deco app bandwidth utilization reporting, but this is not the biggest concern now.
This is what you can do: tonight, or tomorrow night, after no one is in the office - change Deco Main Network password to something different. No need to be creative: just add 1-2 letters and digits to the end of current password, so it'll be easy to undo the change later. Then, force reboot of your Deco mesh through Deco app using Reboot All command in More/System/Reboot Deco. Tell nobody about password change and what the new password is.
If your theory is right, after the reboot these mysterious devices will reappear connected again. After all, you think they are getting IP without authentication, so it should not matter to them what the Main Network password is.
If my theory is right, after password change and Deco mesh reboot, no "network devices" will appear again, because they need valid password to authenticate and they no longer have it. I expect zero devices connected by WiFi to Deco mesh after password change.
It might even help to find what these devices are, if people using them start complaining to you that suddenly they can't access WiFi at night.
Before the business opens in the morning, restore Main Network password back. If my theory was right, you'll then need to find out how the owners of these "network devices" got Main Network SSID/password.
@WindowsNT_Cork How do you know "They are obviously not authorized on the network"?
"UNKNOWN" simply means those devices choose to remain anonymous and did not provide their name to the DHCP server.
The second character of those artificial MAC addresses is 2, 6, A or E.
And if the purpose of using such a MAC address is to remain anonymous, the device will obviously not provide its name to the DHCP server.
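
Added example (not part of any post in this thread): the "second character is 2, 6, A or E" rule is the locally-administered bit (0x02) of the first MAC octet on a unicast address, so a DHCP lease table can be checked for how much of the pool randomized, unnamed clients hold. It assumes the router's leases can be exported in dnsmasq's lease-file layout; the sample leases, pool range and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample in dnsmasq lease-file layout (an assumption about the router):
# <expiry-epoch> <mac> <ip> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1700003600 3c:22:fb:10:20:30 192.168.1.20 reception-pc 01:3c:22:fb:10:20:30
1700003600 a6:4f:11:9c:02:7d 192.168.1.101 * *
1700003600 5e:90:ab:33:41:0c 192.168.1.102 * 01:5e:90:ab:33:41:0c
1700003600 D2:17:c8:00:5a:e1 192.168.1.103 Pixel-7 *
1700003600 not-a-mac 192.168.1.104 * *
1700001000 ea:01:02:03:04:05 192.168.1.105 * *
"""

def is_randomized(mac):
    """True for a locally administered unicast MAC (second hex digit 2/6/A/E)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    # bit 0x02 = locally administered, bit 0x01 = multicast (must be clear)
    return bool(raw[0] & 0x02) and not raw[0] & 0x01

def summarize(lease_text, pool_first, pool_last, now):
    """Count unexpired leases and how many belong to randomized MACs."""
    first = int(ipaddress.IPv4Address(pool_first))
    last = int(ipaddress.IPv4Address(pool_last))
    out = {"active": 0, "randomized": 0, "randomized_unnamed": 0,
           "pool_size": last - first + 1, "pool_in_use": 0, "skipped": 0}
    for line in lease_text.splitlines():
        fields = line.split()
        try:
            expiry, mac, ip, host = int(fields[0]), fields[1], fields[2], fields[3]
            randomized = is_randomized(mac)
            addr = int(ipaddress.IPv4Address(ip))
        except (ValueError, IndexError):
            out["skipped"] += 1          # malformed line: count it, do not guess
            continue
        if expiry != 0 and expiry <= now:  # dnsmasq writes 0 for an infinite lease
            continue
        out["active"] += 1
        out["pool_in_use"] += int(first <= addr <= last)
        if randomized:
            out["randomized"] += 1
            out["randomized_unnamed"] += int(host == "*")
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LEASES, "192.168.1.100", "192.168.1.199", now=1700002000))
```
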
WindowsNT_Cork wrote
Thank you for that. I can confirm that all the rogue devices follow the rule you mention. The point I was driving at is that they should not get an IP address unless they have joined the wireless network - so the problem must be coming from my internal (authorized) users. I am beginning to wonder if MAC address randomization consumes far too many DHCP leases? It looks that way to me.
It is quite likely. Apple developers made this feature popular, then it was accepted by Android and Windows. Initially, a random MAC address was generated once per SSID, but Apple went further and now could generate different random MAC addresses for a single SSID, thus adding even more to the problem they created in the first place.
If you are sure nobody leaked SSID/password to outsiders, this is just an annoyance you (like everyone else) will have to live with.
There is no universal solution for that issue. Obvious ones are reducing DHCP Lease Time (I'd recommend under an hour) and, if that is not enough, increasing the DHCP IP range.
Also, if it is a household or business where you can have influence over users, you may be able to convince authorized users to disable the MAC address randomization feature on their smartphones for your Deco Main Network SSID.
I have that done at my household, but of course business might be different.
You said you run Deco M5 in Access Point mode. Consider using Whitelist on your Router, which will let you enforce the requirement not to enable MAC address randomization. It'll also give you additional peace of mind that unauthorized users will not be able to gain access to your office WiFi network even if they do have correct SSID/password.
Of course, if your authorized users change mobile devices often, managing whitelist becomes a headache, but for a stable environment with concerns like you have I would recommend you to at least research this option. To repeat: whitelist will be your router feature, not Deco mesh feature.
@Alexandre. It makes sense to generate different random MAC addresses for a single SSID. Otherwise it is easy enough for the owner of the network to detect that the same device is connecting again to the network.
The Deco should only show a device as "connected to a Deco" as long as the device is actually connected to the wifi network. The device should promptly disappear from that list once it is disconnected.
The DHCP server should show a device until the DHCP lease expires.
If a device is shown as "connected" by the Deco, and is not present in the DHCP list, I would stop trusting the list shown by the Deco.