So I was aimlessly looking through logs on my router recently and found a device in the ARP table that should not be there; I would be interested to hear other people's opinion on it.
I have a fairly basic network with an x86 machine running openWRT as the router, a bridge mode VMG1312 or 8324 as a modem and an old TP-link router as a WAP. The modem is connected to the router via a single cable and has the address 192.168.2.1, the router is 192.168.1.1 and all the other lan and wireless clients are on this subnet. In order to access stats on the modem I have a “modem-management” interface defined in openWRT on the same physical port as the modem connects to with the IP 192.168.2.2 and this incantation given to iptables to allow access:
iptables -t nat -I POSTROUTING ! -s 192.168.1.1 -d 192.168.2.1 -j SNAT --to 192.168.2.2
This interface must then be added to the LAN firewall group for devices to be able to talk to the modem.
I had concerns about adding an interface on the same physical port as the WAN connection to the LAN firewall group, but with my limited knowledge of networking assumed that it didn't matter, as the PPPoE connection from the modem is dealt with by the router separately from the 192.168.2.x IP packets.
Looking at the ARP table on the router the other day showed a device with IP 192.168.2.12 and a MAC address beginning with 28:8A:1C. No devices other than the interface on the router or the modem should be in the 192.168.2.x subnet. No devices on the 192.168.1.x subnet are in that low range either. That MAC address is for a Juniper device; I own no Juniper equipment.
Any idea what this is? I guess spoofing the MAC of a manufacturer of ISP grade hardware would be something an intruder would do?
I rebooted the router and waited a few hours and the strange device did not reappear. Have now removed the modem-management interface and the iptables command… am I being paranoid?
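One way to keep an eye on exactly this kind of thing is to periodically read the router's ARP table and flag any completed entry on the modem link that is not the modem or the router's own management address. The following is an added example, not the poster's code; it assumes the `/proc/net/arp` format that OpenWrt's kernel exposes, the 192.168.2.1 / 192.168.2.2 allowlist described in the post, and a constructed sample table that includes an entry shaped like the one the poster saw.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of /proc/net/arp in the format the Linux kernel prints
# (this is made-up data, not the poster's actual router output).
SAMPLE_PROC_NET_ARP = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        br-lan
192.168.2.1      0x1         0x2         aa:bb:cc:dd:ee:02     *        eth1
192.168.2.12     0x1         0x2         28:8a:1c:00:11:22     *        eth1
192.168.1.30     0x1         0x0         00:00:00:00:00:00     *        br-lan
"""

# Only the modem and the router's modem-management address belong on this link
# (assumed from the post's description of the setup).
MODEM_SUBNET = ipaddress.ip_network("192.168.2.0/24")
EXPECTED_MODEM_LINK = {"192.168.2.1", "192.168.2.2"}

# OUI prefixes worth calling out by name; 28:8a:1c is the one the post identifies as Juniper.
KNOWN_OUIS = {"28:8a:1c": "Juniper (per the post)"}

ATF_COM = 0x2  # kernel flag: ARP entry is complete (a reply was actually received)


@dataclass
class ArpEntry:
    ip: str
    mac: str
    flags: int
    device: str


def parse_proc_net_arp(text):
    """Parse /proc/net/arp text into ArpEntry objects, skipping the header line."""
    entries = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue  # malformed or blank line
        entries.append(ArpEntry(ip=fields[0], mac=fields[3].lower(),
                                flags=int(fields[2], 16), device=fields[5]))
    return entries


def unexpected_modem_link_entries(entries):
    """Completed entries inside the modem subnet whose IP is not in the allowlist."""
    return [e for e in entries
            if ipaddress.ip_address(e.ip) in MODEM_SUBNET
            and e.flags & ATF_COM
            and e.ip not in EXPECTED_MODEM_LINK]


def vendor_hint(mac):
    """Return a vendor label for the MAC's OUI, or 'unknown OUI' if it is not in the table."""
    return KNOWN_OUIS.get(mac[:8], "unknown OUI")
```

Run it from cron with `open("/proc/net/arp").read()` in place of the sample and log (or alert on) whatever `unexpected_modem_link_entries` returns; incomplete entries (flags 0x0) are excluded so that a mere failed ARP probe from your own side does not trigger it.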