GL-MT2500 unknown client intrusion

Hi everyone, I have my GL-MT2500 (Brume 2) connected to my ISP router, and I use my GL-MT300N-V2 (Mango) connected as an access point to the Brume 2.
Sometimes I find an unknown client connected for a short time, then it disconnects. But sometimes it is connected and downloads even more than 100 MB. Even when it was blocked, it seems to be able to reconnect anyway. I can't understand how it's possible or who is able to connect, even if I reset or changed the Wi-Fi password. I am adding some log pictures. Thank you for your help.





Mostly it is some VM, Docker container or the Private Wi-Fi Address of Android or iOS.

1 Like

Thanks for the reply.
I don't have a VM, Docker or an Android phone that can connect to this network.
If it was one of my devices trying to connect, how does it know the new Wi-Fi password every time?
Is there a possibility that some of my devices (TV, PC, iOS phone, iOS iPad) were hacked? Or that my ISP router was hacked?
Because other devices like the TV or the iOS phone are connected to my ISP router.

Some Android devices use MAC address randomization by default.

1 Like

That is true, but his screenshot shows it connected by cable. Could be a switch, modem, printer, PoE, CCTV, etc.

Thanks for the reply,
I know this.

Thanks for the reply,
they are not connected by cable but from the Mango access point. So every time you see "connected by cable", they are connected by Wi-Fi.

A video doorbell has 2 MAC addresses :thinking: Smart bulb :bulb:? Any smart devices.

If you want to make static DHCP and block any new devices (like small range lan IP addresses).

I don't have a smart device or doorbell.

The solution I found is to set the client control access list to Allowlist mode. I see one unknown device with a random MAC trying to log in, but it can't.

Yesterday I got this error message in the system log.

Authenticate/Decrypt packet error: bad packet ID (may be a replay): [ #144311 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

I found the solution here: OpenVPN Message Authenticate/Decrypt packet error - Virtual Private Networks - IPFire Community

I may have been attacked by a MITM attack, or it is only a VPN error.

But I would like it if someone could explain this new log file to me.

Thanks for your help.

What is your question about the log?

Please export the log and upload the export here instead of posting plenty of screenshots :wink:

I'm sorry, I'm making a bit of a mess. I want to know if what happens in the log file (at 4:00 am, when I'm sleeping) is all normal, or if something hacked the device, changing settings by terminal.

Looks normal to me as long as you use Aura OpenVPN services.

1 Like

I'm sorry, I will do it next time, because the log file has been overwritten now.

^ This. Android phones / tablets use a random MAC unless you toggle them to use the device MAC when joining a network. You state you don't own Android devices, but what about your TV OS...

Most smart TVs have Wi-Fi and Ethernet, therefore they have a MAC address per interface, so it could be connecting via Wi-Fi and then jumping to a wired connection, for example, depending on how you have it wired up.

I highly doubt you have anything to worry about or have been hacked; it would be highly unlikely. Random MACs are not just used by the "bad guys" or Android; iPhones and other devices probably default to a random MAC too in some cases.

The best thing would be to just change your SSID password, as that would then force all your devices to re-authenticate.

Also, the stats will not display correctly unless you turn network acceleration off, so it could just be a glitch when it's reporting the traffic. Either way, just reset the SSID password and eventually you will find the pesky device...

1 Like
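An added example (not part of any post in this thread) of how to tell the randomized/virtual MACs discussed above from vendor-assigned ones and compare them with an allowlist: a locally administered MAC has bit 0x02 set in its first octet. It assumes dnsmasq-format lease lines (`expiry mac ip hostname client-id`, which OpenWrt keeps in `/tmp/dhcp.leases`); the sample leases, the allowlist and the function names are constructed for illustration.

```shell
#!/bin/sh
# Exit status: 0 = locally administered (randomized/private or virtual MAC),
#              1 = vendor-assigned (globally unique), 2 = not a MAC address.
is_local_mac() {
    m=$(printf '%s' "$1" | tr 'A-F-' 'a-f:')
    h='[0-9a-f][0-9a-f]'
    case "$m" in
        $h:$h:$h:$h:$h:$h) ;;
        *) return 2 ;;
    esac
    # Bit 0x02 of the first octet is set when the second hex digit is one of these.
    case "$m" in
        ?[2367abef]:*) return 0 ;;
    esac
    return 1
}

# Read lease lines on stdin; $1 is a space-separated allowlist of MACs.
# Prints: <allowed|UNKNOWN> <random|vendor|invalid> <mac> <ip> <hostname>
classify_leases() {
    allow=" $(printf '%s' "$1" | tr 'A-F' 'a-f') "
    while read -r _expiry mac ip host _rest; do
        [ -n "$mac" ] || continue
        mac=$(printf '%s' "$mac" | tr 'A-F' 'a-f')
        rc=0; is_local_mac "$mac" || rc=$?
        case "$rc" in
            0) kind=random ;;
            1) kind=vendor ;;
            *) kind=invalid ;;
        esac
        case "$allow" in
            *" $mac "*) status=allowed ;;
            *) status=UNKNOWN ;;
        esac
        printf '%s %s %s %s %s\n' "$status" "$kind" "$mac" "$ip" "$host"
    done
}

# Constructed sample data (not taken from the thread's screenshots).
SAMPLE_LEASES='1700000000 3c:22:fb:10:20:30 192.168.8.101 living-room-tv 01:3c:22:fb:10:20:30
1700000100 DA:A1:19:4B:7C:01 192.168.8.157 * 01:da:a1:19:4b:7c:01
1700000200 f6:5e:0a:11:22:33 192.168.8.120 iPad *'
ALLOWLIST='3c:22:fb:10:20:30 f6:5e:0a:11:22:33'

# On a router this would read the lease file instead (assumed path):
#   classify_leases "$ALLOWLIST" < /tmp/dhcp.leases
printf '%s\n' "$SAMPLE_LEASES" | classify_leases "$ALLOWLIST"
```

A line marked `UNKNOWN random` is a client using a private or virtual MAC that is not on the allowlist, which is the kind of entry the Allowlist mode mentioned in the thread keeps out.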

Thanks, I know, and I have just done everything you wrote.

Now I have had this error in the log for some hours:
daemon.err ovpnclient[3157]: AEAD Decrypt error: bad packet ID (may be a replay): [ #42540 ] -- see the man page entry for --no-replay and --replay-window for more info or silence this warning with --mute-replay-warnings

Does someone know what this is?

Do you use OpenVPN? If not, then turn it off. Looks like a virtual network for OpenVPN with a random virtual MAC address.

Yes, I use OpenVPN, and I have this error.
Someone on this site: OpenVPN Message Authenticate/Decrypt packet error - #8 by bonnietwin - Virtual Private Networks - IPFire Community
explained it was an error or a MITM attack. But now there are no unknown devices on my network.
Do you know: if a bad guy has my ISP router IP, can he get into my ISP router and then get into my Brume 2? (The Brume 2 doesn't have any open ports set.)