We have a Cisco EPC3928AD EuroDocsis 3.0 2-PORT Voice Gateway from
our ISP. The router is connected to a firewall (an Ubuntu-box running
iptables and Wireshark). Our LAN (10.0.0.1/24) is beyond the firewall.
No other equipment is connected to the router. The router's WIFI has

A few days ago we noticed problems when fetching mail or browsing.
The connection started to get slower and sometimes we do not have a
connection at all. This behavior seems to occur at random and during
irregular time periods (1-30 minutes approx.). All equipment on the
LAN is affected. Certain services like Skype are not affected.

The ISP did a checkup of the router and the connection to the rest
of the WAN. They found no problems, neither with the modem itself nor
the signal strength or the cable. They also set up monitoring of the
WAN segment that the modem is on and that ran for several days without
finding any problems.

Our LAN has no DHCP. We also had the DHCP in the modem switched
off. The NIC on the firewall facing the WAN was set to 192.168.0.201.
Although our LAN has static addresses and DNS configurations on each
NIC are set to the ISP's recommended DNSs, they told us that
activating the DHCP in the router "sometimes helps"...

We proceeded to activate the DHCP with starting address
192.168.0.201 and with a range of 1. We also reserved 192.168.0.201
for the MAC of the NIC facing the modem. What happened next puzzled
us: in the router's "Preassigned DHCP IP Addresses"-list an unknown
MAC, 00:11:e6:de:ad:07 (00:11:e6 belongs to Scientific Atlanta, part
of Cisco), was occupying 192.168.0.201. Moreover, in the router's
"Connected Devices Summary", the same MAC was showing up, but this
time with an IP (10.0.0.74) on the LAN!

We restarted the router, but to no avail. The same unknown MAC
showed up again, this time with a LAN address (10.0.0.2) already in
use by a workstation on the LAN. Blocking the MAC in iptables made
the MAC disappear from the "Connected Devices Summary", but it is still
in the "Preassigned DHCP IP Addresses"-list. We have set the IP-range
to 2, so it now occupies 192.168.0.202 instead of 192.168.0.201.

Restarting the router or disconnecting it from the firewall does
not help. The unknown MAC keeps on reappearing. The intermittent
problems with the connection persist. What is going on? Is this a hack
of some kind? Any input will be much appreciated.