Network question

[techmike]

I used to think I understood a few things about networking. I have a seven camera surveillance system - old school - coax, just upgraded the DVR, brand name is Zosi, I already had some of their cameras, they worked just fine. DVR is set-up and working, lot more features and resolution than the old one. What i did was to set up a wifi router that is not connected to a WAN, just the DVR, a PC in order to set up the router, and an Android tablet on the Lan. DVR is wired to the router, the tablet wif's to the router/DVR, and has a Zosi app that lets me view the cameras remotely around the house. It was working fine, then every two to 5 days (randomly) the tablet loses connectivity to the DVR. Can power cycle the DVR, then re-connect the tablet/app, all is well until next time. Tried many things, DHCP on, off, reserved IP's, their tech support had me update the firmware, nothing helped.
Then I noticed that the DVR is changing it's MAC address. I did not know that was possible - since I started counting there have been 9 different MAC addresses put out by the DVR. The DVR does not log any error or activity, just squirts a new MAC with the same IP. Seller is sending me a new DVR, not a high confidence level that it will work any different.
My former understanding was that MAC addresses were burned into the firmware and was one of the few constants in the universe. So I have a DVR with a random MAC generator. I plan on looking up the OEM code(s) in the MACs, have not done that yet.
My question: (finally) What benefit could there be (if any) to a piece of network equipment that has this issue?

[JustaShooter]

My former understanding was that MAC addresses were burned into the firmware and was one of the few constants in the universe.

Right, that's how it is supposed to work.

My question: (finally) What benefit could there be (if any) to a piece of network equipment that has this issue?

I can't think of any legitimate reason for a network device to behave that way.

[techmike]

My former understanding was that MAC addresses were burned into the firmware and was one of the few constants in the universe.

Right, that's how it is supposed to work.

My question: (finally) What benefit could there be (if any) to a piece of network equipment that has this issue?

I can't think of any legitimate reason for a network device to behave that way.

Thank you. Allow me to clarify: Given a Chinese manufacturer, what 'nefarious' reason(s) are there for spoofing MAC addresses in a low-end DVR? Would there be some cost savings?

[schmieg]

My former understanding was that MAC addresses were burned into the firmware and was one of the few constants in the universe.

Right, that's how it is supposed to work.

My question: (finally) What benefit could there be (if any) to a piece of network equipment that has this issue?

I can't think of any legitimate reason for a network device to behave that way.

Thank you. Allow me to clarify: Given a Chinese manufacturer, what 'nefarious' reason(s) are there for spoofing MAC addresses in a low-end DVR? Would there be some cost savings?

I can think of a lot of reasons to do this on a laptop or tablet or phone for nefarious reasons, but none on a DVR.

[rickt]

MACs aren't supposed to change. That would make ARP (Address Resolution Protocol) not function. How did you determine the MAC was changing?

[JustaShooter]

My former understanding was that MAC addresses were burned into the firmware and was one of the few constants in the universe.

Right, that's how it is supposed to work.

My question: (finally) What benefit could there be (if any) to a piece of network equipment that has this issue?

I can't think of any legitimate reason for a network device to behave that way.

Thank you. Allow me to clarify: Given a Chinese manufacturer, what 'nefarious' reason(s) are there for spoofing MAC addresses in a low-end DVR? Would there be some cost savings?

No cost savings - well, I suppose minimal savings if they were to use someone else's MAC Address range instead of buying their own, but a block of 16 million addresses costs something like 0.01 *cents* per address.

I suppose maybe if they were going to use it as part of a botnet or something that perhaps randomly changing MAC addresses might make it harder to identify, but not by enough to matter.

[sodbuster95]

A MAC address operates on layer 2 of the TCP/IP stack. In contrast, an IP address operates on layer 3. So - and I'm just spit-balling here - if you lose connectivity when the MAC address changes, then you might have a problem with the router you have everything connected to. I.E., it might be a switch and not an actual layer 3 router.

Now, as far as why a device would randomly reassign itself a new MAC address...that's a mystery to me. I can think of no benefit whatsoever - not even a valid nefarious reason - as most devices are going to translate, even on an intranet, at layer 3 with IP and not at layer 2 with the MAC address. Moreover, reassigning a MAC would mean that someone wrote some code specifically for that purpose. Which just strikes me as a nonsensical added complication for no real purpose.

[techmike]

MACs aren't supposed to change. That would make ARP (Address Resolution Protocol) not function. How did you determine the MAC was changing?

There is an Info page in the DVR firmware, bottom line is the MAC. Also have an app on the tablet called Ping Tools, kinda handy as it displays everything on a LAN. Screenshot of Ping Tools here is just after a new MAC was generated- old entry is labeled Zosi DVR, which is now yellow or not connected. New unknown device is the DVR with the same IP, different MAC and that is now connected to the network, but not the viewing app on the tablet.

[schmieg]

Does this DVR have both a WiFi and Ethernet NIC? Is it possible that the same IP address has been assigned to WiFi and Ethernet and it is somehow switching between the two?

[techmike]

Does this DVR have both a WiFi and Ethernet NIC? Is it possible that the same IP address has been assigned to WiFi and Ethernet and it is somehow switching between the two?

It does have wifi capability, and since that would be a second NIC it would have a different MAC. Since I started counting I am up to 10 different MAC's - with one repeat. I do not have the wifi configured on the DVR, nor is it enabled.

[schmieg]

On my home network, I sometimes get a report of one or more unknown devices with MACs that don't match anything I own. The strange thing is that the router does not show these MAC addresses as ever being on the network. However, I have never had a known device change its MAC. Microsnot does some strange things now and then in Windows networking. Wondering if it's a software problem. Does it ever return to the original MAC or do you just start using the new MAC and then it changes again?

[rickt]

A MAC address operates on layer 2 of the TCP/IP stack. In contrast, an IP address operates on layer 3.

Technically, those are layers of the OSI model. The ARP table holds the correlation between MAC addresses and TCP/IP addresses. If the MAC changes, then the entry holding the DVR's TCP/IP address no longer correlates to the correct MAC address. That is why communication is lost.

Windows users can see their ARP table by typing arp -a at a command prompt.

[deanimator]

I have actually seen a network where there were two devices simultaneously with the same MAC address. I don't know what the canonical response to this is supposed to be.

When you have duplicate IP addresses, one of the devices typically loses connectivity. I don't know with MAC addresses.

[sodbuster95]

A MAC address operates on layer 2 of the TCP/IP stack. In contrast, an IP address operates on layer 3.

Technically, those are layers of the OSI model.

Quite right. I've been away from the IT field for a few years...

[techmike]

Well, just ran 4 of my DVR's MAC addresses through a vendor look-up service - all were "Not Found". https://macvendors.com/

While my set-up is not connected to the WAN, many people do shoot their camera feed to the internet for remote viewing on their device. What, if any, security issues might this plethora of MAC addresses be susceptible to?