Client List reporting duplicate IP addresses for same name


#1

I have two Balance 20s running the latest version of the firmware at two different locations. Both have been in place for years so I am pretty familiar with them. When I look at one of them the client list is always an accurate representation of the network.

On the trouble one I often see the same computer name assigned to different IP addresses. My guess is this is a problem on the network, not the Balance 20, but I don’t know where to start looking. It has been going on a long time, but only recently has hampered my ability to pinpoint heavy talkers.

As far as I can tell the Peplink is the only DHCP server on the network. The DHCP IP range is 192.168.1.210-192.168.1.250 255.255.255.0 I have 28 devices with a DHCP reservation under that range. Lease time is 4 hours.WINS servers is not enabled and there is no Extended DHCP option, Bonjour Service or static routes.DNS Proxy Settings are on.

Right now one of the devices with a reservation with the name AlanPC shows in the client list 7 times with other MAC and IP addresses. If I connect to any of the other addresses they are other devices that are legitimately on the network using one of the other DHCP reservations.

All of the PCs on the network are Windows 10. Cameras on the network are mostly Foscam devices with some form of Linux on them. WiFi devices are Peplink devices or ASUS. I have verified the settings on all of these devices and nothing seems inconsistent. There are no true WiFi bridges on the network, but there are outdoor WiFi transmitters and receivers made by Ayrmesh with no DHCP servers on them. There are a couple of Direct TV boxes on the network and to the best of my knowledge their network settings are fine.

Today for the first time ever I see 1.1.1.1 in the client list. It’s MAC address does not match any of the HCP reservations. I have never seen 1.1.1.1 before, but when I started typing this it had the name AlanPC and has since changed to one of the other devices names and back to AlanPC just while I type. The last time the Client List refreshed 1.1.1.1 was gone completely then the next refresh it was back.

The site is an hour from my house on a large donkey rescue sanctuary where I volunteer so it is a big challenge to do something like turn all devices off then restart them 1 at a time to see which one causes the problem to come back.

Does anyone have any advice on what I can look at to trouble shoot this? I only know enough to be dangerous here.


#2

These wouldn’t happen to be Apple devices would they? Apple uses a strategy of “stealing” mac addresses to assist with their devices sleep settings. Apple TVs, Apple Airports, and macs will be nominated as “the awake one” and will take the other mac addresses of devices that are asleep. The nominated device will be a proxy for any requests while it is asleep and will wake it up if needed by giving the MAC address back. It is a dumb strategy and why I ditched all of my Apple networking gear.

The way to fix it is to disable sleep mode on the Apple TVs and set static IPs on all your Apple devices.


#3

There aren’t any Apple devices on site, but thanks for the suggestion.


#4

Another thought - is there any hyper-v or VMware machines running on AlanPC? Those technologies allow you to create virtual network interfaces.

It may be worth the hour drive to go see what is going on. It could be someone probing your network or a virus infected machine.

You should open a support case and have the Peplink folks take a peek at the diagnostic report - they may have some ideas.


#5

Also, take a peek at this http://www.revolutionwifi.net/revolutionwifi/2011/03/explaining-dhcp-server-1111.html


#6

No VMware. I do have remote access to it. It is just an older Windows PC I have running W10. I will check into how I can open a ticket, thanks


#7

Good luck - that is a very strange behavior. When you sort it out - please post back. I am curious as to what would cause this.

The Directv devices are pretty crazy. If they are like my DTV equipment - they actually have three networks in them. An internal network that goes through the coax, then the IP network that you put them in, and finally an autoconfigured IP space (169.254.x.x). Every now and again, it will good up and send packets out from the 169 network.

The problem with standards is that they are left to interpretation. I am looking up that airespace stuff - seems pretty cool - do you like it?


#8

The Ayrmesh Transmitter gives me a lot of distance outdoors. I have camera on the property that connect directly to it and at a house where the caretakers live I have a Ayrmesh receiver giving them access in the house. Across the street I have another receiver giving a barn access.I have another receiver in their feedroom. The Internet connection is hooked to the Ayrmesh Transmitter. Ayrmesh is a no brainer to setup since it is meant for rural property including tractors in a field. You basically setup an account and log each one into it then they configure things on their own.

There are now competing solutions that take more configuration, but also give you more control vs. all of the automatic stuff.


#9

On the site that has an accurate client list - do you have this mesh wifi network? Would AlanPC be roaming out in the fields by chance?

From the little bit of reading I have done today, it looks like this might be due to the WLAN controller for the mesh network coupled with a wireless client moving from one WAP to another.

You can start a packet capture on the Balance20 and then see if you can identify what is going on. Fair warning - looking at IP packet captures ain’t fun, nor is it easy. Do a search on this forum and you will find good instructions.

Holler back if you have questions.


#10

I really appreciate all of the ideas. Alanpc is a clunky old desktop not going anyplace. No mesh network anyplace. The accurate Peplink is at home on a different network. I should have clarified that I mentioned it only because I made sure the settings matches except the IP addresses so I am blaming something on the network, not the router.

I did take your advice and open a ticket with Peplink sending them a dump.


#11

One more possibility - someone has set up a windows machine with internet connection sharing or Internet bridging in Windows.

According to this article - http://m.windowscentral.com/how-set-and-manage-network-bridge-connection-windows-10 - the MAC address of each device is passed to the router. Since you have extra addresses in your range - they would get an address. Since the laptop is acting as a proxy, it may be responding to any getHostName requests for any IP addresses behind it.

I also see that the host IP would have to be static if internet access was required for the host PC. That could explain the 1.1.1.1 - someone pulling an oopsie.

What does the remote location say when you ask them about it? You could always change the wireless password and systematically disperse it. Give one person the password, wait a day - give the second the password, wait a day, etc. if you wanted to be non-disruptive, set up a second SSID and move folks over one at a time with time in between to see if the rogue entries appear.

If it were me, I would probably start by calling and asking for a dude named Alan. If anyone goes by that name, I would ask him what he was doing.


#12

Just to make sure I didn’t have a bridge connection I logged into each Windows PC and checked. All clear.
Nobody on site fiddles with the settings, they wouldn’t know how so if something is screwed up it is a mistake I made.

They do have a separate guest SSID.

This morning there are 3 instances AlanPC and 7 instances of a camera device name showing in the Peplink client status page. The IP addresses are all for other valid devices that are in the reservation list and the MAC addresses are correct for each of those IP addresses. Just the name is screwed up.


#13

I would do a packet capture and focus on ARP requests and responses to see if you can see anything out of the ordinary. I believe that is how the client list is populated.

Very bizarre behavior indeed.


#14

Now that I think about this, I feel foolish. ARP is for Mac to IP translation. How does Peplink determine host names? Obviously, if there is a DHCP reservation or DNS entry, it can use that; but what protocol is used to get it dynamically? Is it using NetBios?


#15

I don’t know, but Peplink support was on remotely today. They are getting
back on tomorrow so hopefully some answers soon.