My Peplink Balance 200 works great. Recently, I found a device on the network that I do not recognize. While we have guests using the network at this time the device was not on the guest VLAN but the internal user VLAN. The name and MAC address were blank in the Client List report. There is no report of this device connected via WiFi so it must be on one of the ethernet ports in my switch setup.
I was able to get a MAC address, which started with prefix 3A:9D:82. The router reports the vender ID as “null” and I cannot find any manufacturer with this MAC address prefix.
I’ve sent up “deny” rules for this MAC address (outbound and internal firewalls) as a precaution.
The mystery here is why the device has a MAC address not linked to any manufacturer. What might explain this? Are there other actions I should take?
Thanks. Yes, of course, I’ll try to locate the actual device but this may have to wait until I am onsite. Meanwhile, the steps taken will (1) reduce the potential damage and (2) may cause the user or device to start complaining about lack of internet access, thus simplifying the search problem.
There’s a bit of a paradox with MAC filtering where malicious actors are concerned. If the snooper knows your MAC and they’re spoofing, then your logs will be lying to you, because they will be posing as legit devices. If you don’t filter by MAC, then you might see the MAC of an intruder on the network.
There’s other ways of IDing a device/user, and if no bad guys or creepy neighbors are involved than MAC filtering is better than nothing I suppose.
Also, if you download a directory of vendors (Wireshark’s site has one), you’ll see a lot of dead equipment and comments written by who knows who. It’s possible the router does not recognize the internet-thing because it’s very new, or very old.
Here’s some entries that don’t help anything:
000009 powerpipes?
0080E3 Coral? # Coral (?)
Lots of “Private”
Begs the question, who’s auditing MAC manufacturer names? Someone at ICANN? Not relevant to your question at all but…