Why does my ISP use spoofed MAC addresses in its Gateway?

MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

Posted: Fri May 28, 2021 17:01    Post subject: Why does my ISP use spoofed MAC addresses in its Gateway?
Reference: https://forum.dd-wrt.com/phpBB2/viewtopic.php?t=329213

My ISP's Gateway (cable modem + router combination) has MAC addresses printed on its back. The same addresses can also be found when visiting Gateway settings.

The issue is that those addresses aren't used at all. TCPDump detects that fake/spoofed addresses (such as 02:00:00:00:00:XX) are used instead. It doesn't matter whether ISP Gateway is in router mode (Double WAN) or in bridged mode.

Blocking the real MAC addresses via IPTables has no effect on my connection. Blocking the captured fake/spoofed MAC addresses 02:00:00:00:00:XX does drop my connection when ISP Gateway is in router mode, but not when it is in bridged mode.

Why would ISP use fake/spoofed MAC addresses for its own Gateway?
Wildlion
DD-WRT Guru


Joined: 24 May 2016
Posts: 1415

Posted: Sat May 29, 2021 14:16
Have you asked them?

My first thought would be because most people would not know that this is done and so it would help to control what MACs are allowed on the network (security through obscurity).
tedm
DD-WRT Guru


Joined: 13 Mar 2009
Posts: 555

Posted: Sat May 29, 2021 19:06
Can you post the model number of the router? And have you looked up the IEEE prefix of the printed MAC on the bottom and seen if it matches the manufacturer of the router?

A number of routers out there seem to have the MAC address saved in the nvram instead of the CFE. Maybe it helps to manufacture them at high volume so they don't have to set up a system to customize the CFE when it's uploaded.

Anyway when dd-wrt is loaded on those devices the MAC address is set to some generic number that is mostly zeros. You have to add back in the correct MAC.

Your ISP may be buying off-the-shelf or generic devices from the OEM, and the OEM is assigning the MAC. The ISP then makes some tweak in the firmware and loads it on the device and doesn't bother changing the MAC. If they are running your networking on the wan side point-to-point it doesn't matter what the MAC is. It could be the same for all devices.

If your ISP permits customer-supplied devices to be connected to their gear and for those devices to be publicly numbered, then they couldn't possibly be controlling what MAC is permitted on the network.

You seem to be concerned about this so have you even tried pinging other IPs on the WAN that are in the subnet on your WAN? If you don't get a response, and don't see any ARPs from those, then you cannot directly access any of your ISP's customers' devices - meaning they cannot access you via MAC - thus no spoofing or other attack possibilities exist - so once more, as Hanlon's Razor dictates, your ISP is probably doing this because they are idiots and don't even realize they are doing it.
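An added example (not part of any post in this thread): in an IEEE 802 MAC address, bit 0x02 of the first octet marks the address as locally administered, so an address like 02:00:00:00:00:XX carries no vendor prefix to look up. The Python sketch below decodes that bit and groups frames by source MAC and 802.1Q tag; the sample lines are constructed in the style of `tcpdump -e -n` output, and the addresses in them are placeholders.

```python
import re

# Constructed lines in the style of `tcpdump -e -n` output (not captured traffic).
SAMPLE = """\
17:01:02.100000 02:00:00:00:00:01 > 01:00:5e:00:00:01, ethertype IPv4 (0x0800), length 60: 192.168.0.1 > 224.0.0.1: igmp query v2
17:01:02.200000 02:00:00:00:00:02 > 01:00:5e:00:00:01, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype IPv4, 192.168.1.50 > 224.0.0.1: igmp query v2
17:01:02.300000 00:11:22:33:44:55 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: Request who-has 192.168.1.1 tell 192.168.1.20, length 28
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
LINE_RE = re.compile(rf"^\S+ (?P<src>{MAC}) > (?P<dst>{MAC}), ethertype (?P<etype>\S+)", re.I)
VLAN_RE = re.compile(r"\bvlan (\d+)")


def classify_mac(mac):
    """Decode the two flag bits in the first octet of an IEEE 802 MAC address."""
    first = int(mac.split(":")[0], 16)
    local = bool(first & 0x02)  # U/L bit: 1 = locally administered, no vendor OUI
    return {
        "locally_administered": local,
        "multicast": bool(first & 0x01),  # I/G bit: 1 = group address
        "oui": None if local else mac[:8].lower(),  # prefix worth looking up
    }


def summarize(capture_text):
    """Group frames by source MAC and record flag bits and any 802.1Q VLAN IDs."""
    sources = {}
    for line in capture_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an Ethernet header line
        src = m.group("src").lower()
        entry = sources.setdefault(src, {**classify_mac(src), "vlans": set(), "frames": 0})
        entry["frames"] += 1
        vlan = VLAN_RE.search(line)
        if m.group("etype") == "802.1Q" and vlan:
            entry["vlans"].add(int(vlan.group(1)))
    return sources


if __name__ == "__main__":
    for mac, info in summarize(SAMPLE).items():
        kind = "locally administered" if info["locally_administered"] else f"OUI {info['oui']}"
        print(f"{mac}  {kind}  frames={info['frames']}  vlans={sorted(info['vlans'])}")
```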
MonarchX
DD-WRT User


Joined: 26 Sep 2009
Posts: 119

Posted: Sun May 30, 2021 14:02
ISP Gateway in Router mode uses 192.168.0.X subnet. It sends out many IGMP queries, but I have IGMP inbound/forward/outbound blocked on my router.

ISP Gateway in router mode results in a rogue device/IP from a different subnet 192.168.1.X with another spoofed MAC also joining the IGMP group.

Thing is, 192.168.1.X is MY local subnet and that IP is not present on my local network. I don't know what that device/IP is, but my network is small and I know each device by heart. Everything is tightly controlled on my local network. There is no physical device between my personal router and ISP's Gateway.

ISP Gateway's 192.168.0.X packets and rogue device/IP's packets both include "VSS Monitoring" Ethernet trailers and the rogue device/IP also has an 802.1Q VLAN tag. I don't have any tagged VLANs on my local network.

When ISP Gateway is in Router mode, I have to unblock the spoofed MAC address it uses to enter ISP Gateway device settings. I do not have to unblock the rogue device/IP MAC address at any point.

The rogue/IP device does not show up when ISP Gateway is in Bridged mode.

ISP has legal right to manage its own Gateway devices and have them remotely reset. I think that rogue device/IP is some kind of a management VLAN, but it uses my subnet instead of ISP Gateway subnet.
All times are GMT
