
Unknown Host Remediation

Hello,

My UTM's Management->Licensing->Active IP Addresses page lists two unknown hosts:

192.168.0.102

192.168.0.105

Interestingly, these hosts are in my (tight) DHCP range but are NOT receiving their IP address from my DHCP server.

runZero asset discovery does not find either of these hosts.

Are the MAC addresses of the Active IP Addresses captured somewhere?

Any ideas on how to track down these hosts?

Thanks!



  • I think you can look under the DHCP item under Network Services, and see the Leases tab at the top (sorry I don't have UTM in front of me at the moment).

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • Could be static ip devices using utm's gateway?

    Try the arp -a command on utm. That will identify the ip and mac. Resolving the mac may give some indication to the device.

    ---

    utm:/root # arp -a | grep 115
    printer.local.domain (10.10.4.115) at 28:c2:dd:f1:b1:4d [ether] on eth0.4

    ---

    Printer has no internet connectivity - it has a static ip assigned internally, no dns servers, but does have a gateway ip. Printer is on the wifi vlan, but lan clients send data to it, so a gateway ip is needed to route properly. To ensure it doesn't slip past, there's a block firewall rule and printer ip is exempted in the web filtering.

  • I understand that, but they might have shown up with MAC information.

    I guess I have to load a dummy UTM to work in this again, lol

    Did you check to make sure you didn't create a Host Object with those IPs?


  • Try the arp -a command on utm.

    I had previously tried arp from another host with no luck but arp from the UTM worked!

    <M> Hillary:/home/login # arp -a | grep 102
    ? (192.168.0.102) at 8a:f5:3d:08:18:db [ether] on eth2
    <M> Hillary:/home/login # arp -a | grep 105
    ? (192.168.0.105) at 2a:4e:6c:47:38:fc [ether] on eth2

    These two hosts appear to be assigning themselves IP addresses in my (old) DHCP range.

    I've blocked their IP addresses at the firewall and applied a Block All Web Filter Action. Not sure what else I can do...

  • Did you check to make sure you didn't create a Host Object with those IPs?

    Yes

  • Those macs come back to nothing.  Do you have some phones/tablets on the network with randomized macs enabled that may be set to static ip?

  • They are probably that, as Android has this enabled by default for their WiFi adapters.  You can see the actual hardware ones in Settings.

    If you use something like PRTG, it may also be able to identify these devices if you scan your network with it.

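A defender-side check that ties together the two ideas in this thread (the `arp -a` output from the UTM and the randomized-MAC theory), written as an added example and not code from the thread or from Sophos: it parses `arp -a` lines, flags entries that sit inside the DHCP pool without a DHCP lease, and reports whether each MAC has the locally-administered bit set, which is how randomized Wi-Fi MACs look. The sample ARP lines are constructed from the values quoted above; the pool bounds and the lease list are assumptions.

```python
import ipaddress
import re

# Constructed sample in the format of the `arp -a` output quoted in this thread.
SAMPLE_ARP = """\
? (192.168.0.102) at 8a:f5:3d:08:18:db [ether] on eth2
? (192.168.0.105) at 2a:4e:6c:47:38:fc [ether] on eth2
printer.local.domain (10.10.4.115) at 28:c2:dd:f1:b1:4d [ether] on eth0.4
"""

ARP_LINE = re.compile(
    r"^(?P<name>\S+) \((?P<ip>[\d.]+)\) at "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2}) \[ether\] on (?P<iface>\S+)"
)


def parse_arp(text):
    """Parse Linux-style `arp -a` lines into dicts with name, ip, mac, iface."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            entries.append(m.groupdict())
    return entries


def is_locally_administered(mac):
    """True when the U/L bit (bit 1 of the first octet) is set: the address was
    not burned in by a vendor, which is what randomized Wi-Fi MACs look like."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def flag_hosts(arp_text, pool_start, pool_end, leased_ips):
    """Return ARP entries whose IP lies in the DHCP pool but has no DHCP lease,
    each annotated with whether its MAC looks randomized (assumed pool/leases)."""
    lo, hi = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    leased = {ipaddress.ip_address(ip) for ip in leased_ips}
    flagged = []
    for e in parse_arp(arp_text):
        ip = ipaddress.ip_address(e["ip"])
        if lo <= ip <= hi and ip not in leased:
            flagged.append({**e, "randomized_mac": is_locally_administered(e["mac"])})
    return flagged


if __name__ == "__main__":
    # Assumed pool .100-.109 (as described in the thread) and one assumed lease.
    for host in flag_hosts(SAMPLE_ARP, "192.168.0.100", "192.168.0.109", ["192.168.0.103"]):
        print(f'{host["ip"]} {host["mac"]} on {host["iface"]} '
              f'no-lease randomized_mac={host["randomized_mac"]}')
```

On a real UTM the lease list would come from Network Services -> DHCP -> Leases rather than the assumed list here.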

  • Do you have some phones/tablets on the network with randomized macs enabled that may be set to static ip?

    In theory, no. All devices on this particular network have static or DHCP mapped addresses that should not be in the .100-.109 range.

  • What about anything like ESPHome devices that are being used for any home control, or IoT?  Smart devices, bulbs, switches, etc?

    Bluetooth devices also have a MAC if I am not mistaken, as they transmit data.
