This has been a way that PMP MAC allocation has worked from the early days of Canopy. There are some historical compatibility reasons for it, but one of the main reasons and benefits is that it allows us to limit consumption of the MAC address pool and add additional interfaces with software upgrades without having to over-allocate finite MAC addresses.
This product line has always used the locally administered bit in the OUI and we derive additional MAC addresses for other interfaces from that OUI. This allows us to limit our consumption of the MAC address pool. The base MAC you would see on a web page and on the sticker (0a-00-3e based) reflects the MAC address of the ethernet interface. This is true for any device at all times and is a main identifier of a device.
From this base MAC address we derive other addresses as the configuration demands. This is most entirely on the SM as the AP really only supports 2 interfaces, the Ethernet (0a-00-3e), and a “private RF” (1a-00-3e), which is used for internal AP - SM communication as well as for proxy traffic.
On an SM, out of the box, the SM is not manageable from the “public” (upstream, RF) side of the system. To allow this, you have to enable “Public Accessibility” on the SM, at which point the SM’s 0a-00-3e interface will be accessible from both Public (upstream/RF side) and Private (downstream/Ethernet) side of the device. This is for bridged mode operation.
When you enable NAT, we now have a situation where we have to isolate the Ethernet/Private side interface from the RF/Public side of the device which requires an additional MAC address. As stated before, we are able to do this by deriving another MAC address from our base MAC and since 1a was used for internal RF-RF communications, 2a is used for NAT WAN.
Additionally, we also have the ability to either manage the SM via NAT WAN interface itself (2a), or, setup a separate management interface which can have a management VLAN, which would use a 3a based address. And finally (at this point), if PPPoE is enabled, we have yet another interface to terminate at the SM (the PPPoE link), and so we use 4a for that interface.
To your question as to why the MAC on the webpage doesn’t change based on mode, the answer is because that 0a based mac is always in use and is a serial number of the device.
This is a summary of how the 0a-00-3e base address is used:
0a - base ethernet address for management of AP and SM. For SM in Private Accessibility mode this only works on the RJ-45 physical side of the device. For AP, this will work from either side of the device.
1a - used for internal RF-RF private communications, not accessible from external interfaces.
2a - used when NAT is enabled on the SM for NAT WAN user data. Can be configured to also be used for SM device management
3a - Used when NAT is enabled on the SM for SM device management traffic when NAT WAN management is not enabled. Allows for separation of device management traffic from user traffic
4a - Used when PPPoE is enabled for the PPPoE end point termination - takes the place of 2a in this configuration scenario