Can someone explain the random MAC Addresses in Syslog? Should I be concerned?

[cooloutac]

Thing is, none of these clients show up in the DCHP lease list. Or in the active clients. Or in the offline clients. Is this a bug or something? Like if it was actually connected to the network wouldn't it be showing there?

This is what I would assume man. in the mobile app you can see offline devices which basically lists everything that was once connected if not shown in the current client list. Anything that ever once connected will be listed there and greyed out and you can click on them and check the mac's. Have a look there. You can also delete all related settings on the router for each specific device there, say a certain device on your network is having issues connecting. Or if you want the router to forget its settings. Or just delete it off the list and see if they reappear. I can't find a similar way to do this from the web gui interestingly enough. I don't like the idea of using a mobile app for security purposes but it comes in handy and is convenient.

I 2nd the idea to put whitelist macfilter on which might help you sanitize it. MY windows and android devices don't use random macs. but what I also do is hide the ssid along with mac filtering setting them up to connect to hidden device. then mac and ip bind each 5g device in the router settings. I do this simply because I use merlin policy rules and want the wan devices to not change ip and it also helps to keep things organized and accounted for. You will also probably lessen random connections by hiding it.

I do have a linux laptop that at first randomized the mac address and the router will identify it as "anonymous" device in the offline list because it had no hostname either I guess. Or it recognized the same hostname changing mac's. But that will become flooded too. The router usually will keep the same ip for the same mac, but on very rare occasions it will change, which is why I use the binding option.

On another note I got over 30 wifi devices on my network sometimes and my logs are flooded with entries like yours. If you search around they drive alot of people nuts. I think they are debug entries that shouldn't even be showing and I wouldn't doubt they show wrong. I also see mac's I don't recognize alot and just assume its my neighbors or people walking by. I just ignore them now lol. Only time I focus on them, is when I see a single device flooding it over and over. then I will investigate. For example i saw one specific mac really flooding it once, found out it was my viziocast tv that does it when eco mode is on. Otherwise I pay them no mind.

 

[FanaticLight7]

This is what I would assume man. in the mobile app you can see offline devices which basically lists everything that was once connected if not shown in the current client list. Anything that ever once connected will be listed there and greyed out and you can click on them and check the mac's. Have a look there. You can also delete all related settings on the router for each specific device there, say a certain device on your network is having issues connecting. Or if you want the router to forget its settings. Or just delete it off the list and see if they reappear. I can't find a similar way to do this from the web gui interestingly enough. I don't like the idea of using a mobile app for security purposes but it comes in handy and is convenient.

I 2nd the idea to put whitelist macfilter on which might help you sanitize it. MY windows and android devices don't use random macs. but what I also do is hide the ssid along with mac filtering setting them up to connect to hidden device. then mac and ip bind each 5g device in the router settings. I do this simply because I use merlin policy rules and want the wan devices to not change ip and it also helps to keep things organized and accounted for. You will also probably lessen random connections by hiding it.

I do have a linux laptop that at first randomized the mac address and the router will identify it as "anonymous" device in the offline list because it had no hostname either I guess. Or it recognized the same hostname changing mac's. But that will become flooded too. The router usually will keep the same ip for the same mac, but on very rare occasions it will change, which is why I use the binding option.

On another note I got over 30 wifi devices on my network sometimes and my logs are flooded with entries like yours. If you search around they drive alot of people nuts. I think they are debug entries that shouldn't even be showing and I wouldn't doubt they show wrong. I also see mac's I don't recognize alot and just assume its my neighbors or people walking by. I just ignore them now lol. Only time I focus on them, is when I see a single device flooding it over and over. then I will investigate. For example i saw one specific mac really flooding it once, found out it was my viziocast tv that does it when eco mode is on. Otherwise I pay them no mind.

I hope so lol. In a couple of posts earlier I was a little paranoid about some random D-Link device I found on my network a few days after installing this router. I'm 100% sure that's not any of our devices and it looked like it was some sort of range extender that somehow got connected to the network. This was in the offline device list.

Does this router have any vulnerabilities? I know about WPS being insecure and I forgot to turn it off right away when I installed it. Just wondering if someone could have used a WPS hack, but I'm not sure. I thought that many newer routers would have WPS throttling in place to prevent brute force attacks.

 

[cooloutac]

It is still recommended to turn wps off pretty sure its still considered the most vulnerable thing on even new routers. I don't like how it is turned on to hook up the aimesh but you should immediately turn it off afterwards. check the ai protection tab make sure you don't have anything else on that shouldn't be. Setup https for the webgui, maybe change the password, and setup access restriction. mac ip bind the device you want admin access. setup mac filtering. You can delete all settings for that device in the offline list. I don't blame you for being paranoid about that. just keep an eye out and make sure it doesn't come back. If it was offline chances are it was just some random device got connected during setup and never connected again.

 

[FanaticLight7]

It is still recommended to turn wps off pretty sure its still considered the most vulnerable thing on even new routers. I don't like how it is turned on to hook up the aimesh but you should immediately turn it off afterwards. check the ai protection tab make sure you don't have anything else on that shouldn't be. Setup https for the webgui, maybe change the password, and setup access restriction. mac ip bind the device you want admin access. setup mac filtering. You can delete all settings for that device in the offline list. I don't blame you for being paranoid about that. just keep an eye out and make sure it doesn't come back. If it was offline chances are it was just some random device got connected during setup and never connected again.

Yup I did turn of WPS after I saw that device a few months ago but didn't change my passwords stupidly. Didn't realize they could just get WPA2 passwords through WPS, but i figured blocking the device would be enough.

Is there a way to further reduce signal strength on the router? I turned off the 2.4Ghz band and the 5Ghz still goes a bit too far out on the street. I wouldn't mind turning it down further. I the tried the TX power adjustment setting but read some threads saying that this might not do anything due to US FCC laws and such?

 

[cooloutac]

Yup I did turn of WPS after I saw that device a few months ago but didn't change my passwords stupidly. Didn't realize they could just get WPA2 passwords through WPS, but i figured blocking the device would be enough.

Is there a way to further reduce signal strength on the router? I turned off the 2.4Ghz band and the 5Ghz still goes a bit too far out on the street. I wouldn't mind turning it down further. I the tried the TX power adjustment setting but read some threads saying that this might not do anything due to US FCC laws and such?

ya they can also get it if they are notified when the default ssid pops up during setup and cause they know the default password as well. Wish asus gave unique passwords with their routers like ISP's started doing.

I think it only lowers it by 10 rssi the most or something on the lowest setting. but I don't think you have anything to worry about man. What I do when i setup the router is first use a temporary password then set the gui to https. then relog and change the passwd. do it wired in even better and do it quick. I doubt that thing ever reconnected to your router. Just make a nice strong password. change it every 90 days if it makes you feel better. no way i'm doing that on my 40 devices though I'll change it once a year lol Another reason though the asus mobile app comes in handy lol. I mean I don't stress security as much as I used to man, we can only do so much if we want to play with nice things.

 

[FanaticLight7]

ya they can also get it if they are notified when the default ssid pops up during setup and cause they know the default password as well. Wish asus gave unique passwords with their routers like ISP's started doing.

I think it only lowers it by 10 rssi the most or something on the lowest setting. but I don't think you have anything to worry about man. What I do when i setup the router is first use a temporary password then set the gui to https. then relog and change the passwd. do it wired in even better and do it quick. I doubt that thing ever reconnected to your router. Just make a nice strong password. change it every 90 days if it makes you feel better. no way i'm doing that on my 40 devices though I'll change it once a year lol Another reason though the asus mobile app comes in handy lol. I mean I don't stress security as much as I used to man, we can only do so much if we want to play with nice things.

Yeah I was thinking it might have been something during setup, though I wasn't sure if setup stores the connected devices still. And there's no default password on setup I believe, the router just shows up as an open network IIRC.

 

[cooloutac]

Yeah I was thinking it might have been something during setup, though I wasn't sure if setup stores the connected devices still. And there's no default password on setup I believe, the router just shows up as an open network IIRC.

yes true you're right, the default is only for the webui.

 

[FanaticLight7]

yes true you're right, the default is only for the webui.

Okay so in case you or anyone else was wondering. I did some experimenting and was able to reproduce these logs. Clearly looks like a bug in ASUS firmware.

I turned off MAC filtering, changed my SSID/Passwords so none of my other devices would try and automatically connect, then tried authenticating with my phone on the network with an incorrect password. Even though my phone wouldn't sign on to the network, I would be able to reproduce the above logs. Ignore the May 5 date, I think it's because I have my internet unplugged while I was testing this. Used a different router as my internet router in the meantime. I don't know why but for some reason the log shows as successful for both Auth and Assoc even though it's not.

May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth AE:23:E3:A2:A5:58, status: Successful (0)
May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc AE:23:E3:A2:A5:58, status: Successful (0)
May 5 01:09:32 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:09:33 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Class 2 frame received from nonauthenticated station (6)
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth 44:91:60:8D:373, status: Successful (0)
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc 44:91:60:8D:373, status: Successful (0)
May 5 01:09:58 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:373, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:10:00 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:373, status: 0, reason: Class 3 frame received from nonassociated station (7)

Either way I think I'm done with this router. I was coming from an old AC66U and that one was great. Not really many issues, but this AC3100 hasn't been the smoothest experience. Aside from this syslog thing, I've been having tons of stability issues with high pings to the 5GHz band and stuff. I would have to reboot the router every few days which is super annoying. Think I'm gonna check out the Eero pro 6 when it launches in a week. I just want some simplicity and stability without creepy stuff like the above freaking me out haha.

 

[cooloutac]

Okay so in case you or anyone else was wondering. I did some experimenting and was able to reproduce these logs. Clearly looks like a bug in ASUS firmware.

I turned off MAC filtering, changed my SSID/Passwords so none of my other devices would try and automatically connect, then tried authenticating with my phone on the network with an incorrect password. Even though my phone wouldn't sign on to the network, I would be able to reproduce the above logs. Ignore the May 5 date, I think it's because I have my internet unplugged while I was testing this. Used a different router as my internet router in the meantime. I don't know why but for some reason the log shows as successful for both Auth and Assoc even though it's not.

May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth AE:23:E3:A2:A5:58, status: Successful (0)
May 5 01:09:24 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc AE:23:E3:A2:A5:58, status: Successful (0)
May 5 01:09:32 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:09:33 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind AE:23:E3:A2:A5:58, status: 0, reason: Class 2 frame received from nonauthenticated station (6)
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(500): eth2: Auth 44:91:60:8D:373, status: Successful (0)
May 5 01:09:50 syslog: WLCEVENTD wlceventd_proc_event(529): eth2: Assoc 44:91:60:8D:373, status: Successful (0)
May 5 01:09:58 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:373, status: 0, reason: Deauthenticated because sending station is leaving (or has left) IBSS or ESS (3)
May 5 01:10:00 syslog: WLCEVENTD wlceventd_proc_event(466): eth2: Deauth_ind 44:91:60:8D:373, status: 0, reason: Class 3 frame received from nonassociated station (7)

Either way I think I'm done with this router. I was coming from an old AC66U and that one was great. Not really many issues, but this AC3100 hasn't been the smoothest experience. Aside from this syslog thing, I've been having tons of stability issues with high pings to the 5GHz band and stuff. I would have to reboot the router every few days which is super annoying. Think I'm gonna check out the Eero pro 6 when it launches in a week. I just want some simplicity and stability without creepy stuff like the above freaking me out haha.

Thanks for confirming, I figured as much. And I don't blame ya. lol I just came from an ac66u_b1 i had that i loved for over 2 years, to the ac86u which freaks me out with something new every single day... I never know if one of the wireless networks is gonna go down at any moment and I sure don't feel confident in using it, especially with all the mysterious crashes, and errors and weird log entries. Today the guest network just started deauthenticating everything knocking everything on it offline. I couldn't even inspect the log cause these dam wlceventd entries had it totally flooded out. I asked what could of cause that on the forums and I got crickets. not a peep. more twilight zone stuff.

Someone on the forums recommended a mikrotik hap ac2 to me. it looks far from simple though lol. But I want something with good security for myself. My only issue is I don't think anything is going to compete with the range on this ac86u and I got a device 100s of feet away in my backyard I need connection to. I keep forcing myself to use the router cause I been using asus for two years, but I think I might be a fool and keeping something thats going to get destroyed sooner then later.

 

[FanaticLight7]

Thanks for confirming, I figured as much. And I don't blame ya. lol I just came from an ac66u_b1 i had that i loved for over 2 years, to the ac86u which freaks me out with something new every single day... I never know if one of the wireless networks is gonna go down at any moment and I sure don't feel confident in using it, especially with all the mysterious crashes, and errors and weird log entries. Today the guest network just started deauthenticating everything knocking everything on it offline. I couldn't even inspect the log cause these dam wlceventd entries had it totally flooded out. I asked what could of cause that on the forums and I got crickets. not a peep. more twilight zone stuff.

Someone on the forums recommended a mikrotik hap ac2 to me. it looks far from simple though lol. But I want something with good security for myself. My only issue is I don't think anything is going to compete with the range on this ac86u and I got a device 100s of feet away in my backyard I need connection to. I keep forcing myself to use the router cause I been using asus for two years, but I think I might be a fool and keeping something thats going to get destroyed sooner then later.

Maybe take a look at the Eeros or some mesh solution then. I actually am running with a Google Nest Wifi right now as a trial run for a week but I think I'll return it. It's very good and easy to use. I'm also only using the main router and no other mesh points, and it covers more or less the same area as the AC3100 in my house. You probably also don't have to worry about security with Google either. Only thing is it lacks a lot of features like QoS and is a little less stable than the Eeros I hear. Still, it's still running much better than the AC3100 though. Eero is similar and has a wifi 6 router coming out next week so it seems like a better deal at a similar price which is why I think I'll go with that in the end.

 

[cooloutac]

another problem i have is the guest network setup on the asus doesn't isolate devices well. i wonder how it works on the eero. From the looks of the mikrotik you can actually make a proper vlan. the routeros software on those mikrotiks looks extremely powerful. i still have my doubts that these ap's will go 200 feet to my shed though.

 

[cooloutac]

It almost feels like asus is going backwards with security too, like that ac66u_b1 i have, always made you type in the new login password on setup you couldn't copy and paste it. It also didn't have open wifi after initial setup it had a hardcoded default password for the ssid. this ac86u i got seems to have thrown all that out the window among other things when it comes to basic security.