3

We have a Cisco EPC3928AD EuroDocsis 3.0 2-PORT Voice Gateway from our ISP. The router is connected to a firewall (an Ubuntu-box running iptables and Wireshark). Our LAN (10.0.0.1/24) is beyond the firewall. No other equipment is connected to the router. The router's WIFI has been disabled.

A few days ago we noticed problems when fetching mail or browsing. The connection started to get slower and sometimes we do not have a connection at all. This behavior seem to occur at random and during irregular time periods (1-30 minutes approx.). All equipment on the LAN is affected. Certain services like Skype are not affected.

The ISP did a checkup of the router and the connection to the rest of the WAN. They found no problems, neither with the modem itself nor the signal strength or the cable. They also set up monitoring of the WAN segment that the modem is on and that ran for several days without finding any problems.

Our LAN has no DHCP. We also had the DHCP in the modem was switched off. The NIC on the firewall facing the WAN was set to 192.168.0.201. Although our LAN has static addresses and DNS configurations on each NIC are set to the ISP's recommended DNSs, they told us that activating the DHCP in the router "sometimes helps"...

We proceeded to activate the DHCP with starting address 192.168.0.201 and with a range of 1. We also reserved 192.168.0.201 for the MAC of the NIC facing the modem. What happened next puzzled us: in the router's "Preassigned DHCP IP Addresses"-list an unknown MAC, 00:11:e6:de:ad:07 (00:11:e6 belongs to Scientific Atlanta, part of Cisco), was occupying 192.168.0.201. Moreover, in the router's "Connected Devices Summary", the same MAC was showing up, but this time with an IP (10.0.0.74) on the LAN!

We restarted the router, but to no avail. The same unknown MAC showed up again, this time with a LAN address (10.0.0.2) already in use by a workstation on the LAN. Blocking the MAC in IP-tables made the MAC disappear from the "Connected Devices Summary", but is still in the "Preassigned DHCP IP Addresses"-list. We have set the IP-range to 2, so it now occupies 192.168.0.202 instead of 192.168.0.201.

Restarting the router or disconnecting it from the firewall does not help. The unknown MAC keeps on reappearing. The intermittent problems with the connection persist. What is going on? Is this a hack of some kind? Any input will be much appreciated.

ElToro1966
  • 177
  • 2
  • 8

1 Answers1

2

The same occurred to me, with the same router and exactly the same MAC address (00:11:e6:de:ad:07). After a blackout a DLNS server with IP ending in 249 (named BRCM-DMS:249) appeared on my network. I solved it enabling and disabling media server on Share and storage. After a while, IP and network server disappeared...

vaites
  • 36
  • 2
  • 1
    I have seen DOCSIS devices where configuring the device in bridging mode would cause it to be using the same MAC address across all devices of that model. – kasperd Dec 25 '15 at 11:09
  • vaites, we did exactly the same thing and it seems to solve the problem. Thanks. – ElToro1966 Dec 29 '15 at 09:58