Apple devices flooding DHCP server

At a customer's site, a week ago, the log started to show lots of

dhcp-lan client xx:xx:xx:xx:xx:xx declines IP adress 172.18.11.xx

there were several of these entries every second during business hours. The problem was reported as Windows users got a message telling them their IP was already in use. Well, no wonder they were used, considering the number of DHCP requests. The DHCP scope was simply filled, even though there were 240 addresses in the DHCP scope, and only 50ish devices on site. There were several entries in the DHCP lease table telling that MAC address 00:00:00:00:00:00, client ID [empty] is assigned to a bunch of IPs, with the status “busy”. Normally DHCP lease status is “bound”.

Tracking down the MAC addresses revealed one MacBook Pro and a bunch of iPhones.
The owner of the MacBook and an iPhone had a look at his home router log (a Ubiquiti router) and found that his devices did the same thing at home.

So we requested all iPhone owners to forget the lan-wlan, restart their devices, and connect to guest-wlan. So they did, and the problem went away.

Now we wanted to figure out what this was all about. We put 3 iPhones on lan-wlan, and all looked good - for about 3 hours. Now the same problem occurred again. DHCP is flooded with requests, filling all available addresses.
The MacBook creates problems as soon as it is connected to LAN. It doesn’t matter if it uses WLAN or cable - same problem. As soon as it connects to LAN, it sends a lot of DHCP requests. It doesn’t do this when connected to the guest network - neither WLAN nor cable.

Lan-wlan and guest-wlan are two VLANs. They use the same switches, the same APs (6x wAP ac managed by CAPsMAN). Router is an RB3011. The two VLANs are identically configured, except for the obvious (different VLAN ID, different IP range, and different switch ports for untagged traffic). In CAPsMAN the lan-wlan is the primary configuration, while guest-wlan is secondary.

Any ideas how to debug this?
Has apple released some updates lately that could cause issues?

Edit: Arp is set to ‘enable’ on all interfaces. (I’ve read that proxy-arp may cause issues with apple devices and dhcp)
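As an added example (not from the original post), the following Python script parses log lines in the shape of the “declines IP address” message quoted above and ranks clients by how fast they are burning through the pool. It counts declines per MAC, the number of distinct addresses each MAC has rejected, and the peak number of declines inside any sliding window, so a client like the MacBook described here stands out from a device that declined once. The log lines are constructed for the demo (timestamps, MACs and addresses are invented); the regex also accepts the “adress” spelling seen in the quoted line.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the shape of the RouterOS DHCP log messages quoted in
# the post. Timestamps, MACs and addresses are invented for this demo.
SAMPLE_LOG = """\
2018/12/05 09:12:01 dhcp,info dhcp-lan client a4:5e:60:11:22:33 declines IP address 172.18.11.40
2018/12/05 09:12:01 dhcp,info dhcp-lan client a4:5e:60:11:22:33 declines IP address 172.18.11.41
2018/12/05 09:12:01 dhcp,info dhcp-lan client 3c:22:fb:44:55:66 declines IP address 172.18.11.42
2018/12/05 09:12:02 dhcp,info dhcp-lan client a4:5e:60:11:22:33 declines IP address 172.18.11.43
2018/12/05 09:12:02 dhcp,info dhcp-lan client a4:5e:60:11:22:33 declines IP address 172.18.11.44
2018/12/05 09:12:02 dhcp,info dhcp-lan assigned 172.18.11.45 to 3c:22:fb:44:55:66
2018/12/05 09:12:03 dhcp,info dhcp-lan client a4:5e:60:11:22:33 declines IP address 172.18.11.46
2018/12/05 09:15:10 dhcp,info dhcp-lan client 3c:22:fb:44:55:66 declines IP address 172.18.11.47
"""

# "ad+ress" tolerates both the correct spelling and the one in the quoted line.
DECLINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ (?P<server>\S+) client "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}) declines IP ad+ress "
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})$", re.IGNORECASE)


def parse_declines(text):
    """Return one event dict per DHCPDECLINE log line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = DECLINE_RE.match(line)
        if m:
            events.append({"time": datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S"),
                           "server": m["server"], "mac": m["mac"].lower(), "ip": m["ip"]})
    return events


def peak_in_window(times, window_seconds):
    """Largest number of events that fall inside any window of the given length."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def decline_stats(events, window_seconds=60):
    """Per-MAC totals: decline count, distinct addresses rejected, peak rate."""
    per_mac = defaultdict(list)
    for e in events:
        per_mac[e["mac"]].append(e)
    return {mac: {"declines": len(evs),
                  "distinct_ips": len({e["ip"] for e in evs}),
                  "peak_in_window": peak_in_window([e["time"] for e in evs], window_seconds)}
            for mac, evs in per_mac.items()}


def find_offenders(events, threshold=10, window_seconds=60):
    """MACs that declined at least `threshold` offers inside one window."""
    stats = decline_stats(events, window_seconds)
    return sorted(mac for mac, s in stats.items() if s["peak_in_window"] >= threshold)


def burned_addresses(events):
    """Distinct addresses declined: each one the server could not hand out cleanly."""
    return len({e["ip"] for e in events})


if __name__ == "__main__":
    events = parse_declines(SAMPLE_LOG)
    for mac, s in decline_stats(events).items():
        print(f"{mac}: {s['declines']} declines, {s['distinct_ips']} IPs, "
              f"peak {s['peak_in_window']}/60s")
    print("offenders:", find_offenders(events, threshold=3))
    print("addresses burned:", burned_addresses(events))
```

Feed it the output of `/log print` filtered on the DHCP topic and the offending MAC surfaces immediately; the `distinct_ips` column is the one to watch, since a single client that rejects a fresh address every second empties a 240-address scope in minutes.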

I have a lot of Apple Gear, and haven’t seen the problem so far. I think it is caused by the devices in question, but not due to some widespread issue, but rather to the individual device.

I found the following topic in the Apple Forum: https://discussions.apple.com/thread/8193574

Maybe the suggestion there helps you? Or try updating the client to the latest version of macOS and iOS. I know for certain that the latest versions don’t cause similar issues.

same here, running ROS 6.43.8.
lots of Apple devices, all on dhcp.
Works as expected, no flooding seen here.

Well. Disabling the DHCP server and forcing everyone to set a static IP would be a way to get around DHCP issues. Though, it will cause quite a bit of other problems when dealing with users without technical knowledge.
The strange thing is that this turned up as an issue with so many devices at once. Network equipment has not been altered for months. They don’t get automatic updates. So why should this happen to a bunch of units on the same day? I suspect an automatic update within the world of Apple.

Have you tried using a different Mikrotik to rule out the Mikrotik as the problem? Disable the DHCP Service, try obtaining an IP. Is there another DHCP service on the network?

In Winbox, capture packets with Tools > Packet Sniffer. Save packets to a file. Let the problem happen for a minute. Stop the capture, copy the file to your PC. Open it with Wireshark. A single DHCP transaction should have 4 packets.

  1. The Discovery is your client looking for DHCP Servers on the network. There should only be 1.
  2. The Offer is your mikrotik offering an IP. If a lease for that MAC already exists, I think the Mikrotik will offer that same IP.
  3. The client will then deny or request the IP. If denying, maybe the client detects an IP conflict; however, RouterOS detects conflicts too and skips bad IPs.
  4. The Mikrotik will then acknowledge that the client accepted the IP.

Run a packet capture on a problem client. Still getting all 4 packets there?
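To make the four-packet check above concrete, here is an added Python example (not code from the original post) that parses minimal BOOTP/DHCP payloads, groups them by transaction ID (xid) and gives each transaction a verdict: the healthy Discover/Offer/Request/Ack sequence, a transaction ending in DHCPDECLINE, a NAK, or one that stalls early. The sample packets are constructed inline with a small builder so the script runs offline; with a real capture you would pass the UDP payloads of the DHCP frames exported from Wireshark instead. MACs and addresses are invented.

```python
import socket
import struct
from collections import Counter, defaultdict

# DHCP message types carried in option 53 (RFC 2132).
MSG_NAMES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
             5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}
MAGIC_COOKIE = b"\x63\x82\x53\x63"
COMPLETE = ["DISCOVER", "OFFER", "REQUEST", "ACK"]


def build_dhcp(op, xid, mac, yiaddr, msg_type):
    """Build a minimal BOOTP/DHCP payload (what Wireshark shows as the UDP body).
    Only used here to construct sample traffic for the demo."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4, socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4,
                         chaddr, b"\0" * 64, b"\0" * 128)
    options = MAGIC_COOKIE + bytes([53, 1, msg_type]) + b"\xff"
    return header + options


def parse_dhcp(pkt):
    """Extract xid, client MAC, offered address and the option-53 message type."""
    if len(pkt) < 240 or pkt[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    xid = struct.unpack("!I", pkt[4:8])[0]
    hlen = pkt[2]
    mac = ":".join(f"{b:02x}" for b in pkt[28:28 + hlen])
    yiaddr = socket.inet_ntoa(pkt[16:20])
    msg_type = None
    i = 240
    while i < len(pkt):
        tag = pkt[i]
        if tag == 255:          # end option
            break
        if tag == 0:            # pad option carries no length byte
            i += 1
            continue
        length = pkt[i + 1]
        if tag == 53:
            msg_type = pkt[i + 2]
        i += 2 + length
    return {"xid": xid, "mac": mac, "yiaddr": yiaddr,
            "type": MSG_NAMES.get(msg_type, "UNKNOWN")}


def analyze(packets):
    """Group parsed packets by xid and classify each transaction."""
    by_xid = defaultdict(list)
    for p in packets:
        by_xid[p["xid"]].append(p)
    verdicts, declines_by_mac = {}, Counter()
    for xid, seq in by_xid.items():
        types = [p["type"] for p in seq]
        if types == COMPLETE:
            verdicts[xid] = "complete"
        elif "DECLINE" in types:
            verdicts[xid] = "declined"
            declines_by_mac[seq[0]["mac"]] += 1
        elif "NAK" in types:
            verdicts[xid] = "nak"
        else:
            verdicts[xid] = "incomplete"
    return {"verdicts": verdicts, "declines_by_mac": dict(declines_by_mac),
            "summary": Counter(verdicts.values())}


# Constructed sample traffic: invented MACs, xids and addresses.
MAC_A, MAC_B, MAC_C = "a4:5e:60:11:22:33", "3c:22:fb:44:55:66", "f0:18:98:77:88:99"
SAMPLE_PACKETS = [
    # healthy transaction: Discover, Offer, Request, Ack
    build_dhcp(1, 0x1111, MAC_A, "0.0.0.0", 1),
    build_dhcp(2, 0x1111, MAC_A, "172.18.11.40", 2),
    build_dhcp(1, 0x1111, MAC_A, "0.0.0.0", 3),
    build_dhcp(2, 0x1111, MAC_A, "172.18.11.40", 5),
    # client B declines two offers in a row, the pattern discussed in the thread
    build_dhcp(1, 0x2222, MAC_B, "0.0.0.0", 1),
    build_dhcp(2, 0x2222, MAC_B, "172.18.11.41", 2),
    build_dhcp(1, 0x2222, MAC_B, "0.0.0.0", 3),
    build_dhcp(1, 0x2222, MAC_B, "0.0.0.0", 4),
    build_dhcp(1, 0x3333, MAC_B, "0.0.0.0", 1),
    build_dhcp(2, 0x3333, MAC_B, "172.18.11.42", 2),
    build_dhcp(1, 0x3333, MAC_B, "0.0.0.0", 3),
    build_dhcp(1, 0x3333, MAC_B, "0.0.0.0", 4),
    # client C only got as far as the Offer
    build_dhcp(1, 0x4444, MAC_C, "0.0.0.0", 1),
    build_dhcp(2, 0x4444, MAC_C, "172.18.11.43", 2),
]

if __name__ == "__main__":
    report = analyze([parse_dhcp(p) for p in SAMPLE_PACKETS])
    for xid, verdict in report["verdicts"].items():
        print(f"xid 0x{xid:04x}: {verdict}")
    print("declines per MAC:", report["declines_by_mac"])
```

A capture full of “declined” verdicts from one or two MACs points at the client (it accepted the Offer and then backed out, typically after its own conflict probe), whereas a pile of “incomplete” transactions with Offers but no Requests suggests the client never saw the Offer, which is where the proxy-ARP and VLAN questions raised later in the thread come in.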

@petterg

This is how Apple devices work. I do guess that you have an open WiFi network with a portal login?
If so, all Apple devices that pass through and see the open WiFi network will try to connect to call home.

I am in charge of a governmental guest network with around 4000-5000 WiFi points. At any given time there are around 1500 users.
The problem is that, for example, a bus stop is close to our building, so all iPhones on the bus connect to our network.
Due to this I have a DHCP lease time of only 5 min. If not, I will quickly run out of DHCP IPs.

Look at Captive Portal for Apple
https://discussions.apple.com/thread/7491051

This is an office network in a building where walls and windows are so thick that there is no WiFi coverage on the balcony, even with the AP just inside the window. WiFi is WPA2-PSK.

Apple devices have not behaved this way before.

I have not tested another MikroTik, but the customer's network admin has tested with Ubiquiti at home and seen the same thing using his iPhone and MacBook.

There was no other DHCP server on the network yesterday. I’ve set up an alert on the MikroTik DHCP server to see if another DHCP server shows up occasionally.

I’m leaning towards this being a Bonjour sleep proxy running on some Apple device.
https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy
How can I detect where that service is being run?

This is interesting reading as well: http://10base-t.com/bonjour-sleep-proxy-service/

We’ve identified one MacBook that seemed to be the cause of this issue. Disconnected it from WLAN - problem went away. Reconnected it - problem came back. Rebooted that Mac - problem is gone. At least for now.

This device got identified because the user complained that WLAN only worked in her office - nowhere else in the building. This site has 6 APs. As mentioned, this building has extremely thick walls. WiFi signals can go through one interior wall, but not two walls. They can’t get through the outside walls at all. So this Mac had some issue where it could connect only to one of those 6 APs. The reboot solved this issue, and it seems to have been the cause of all iPhones and MacBooks declining all DHCP offers.

We faced a similar issue with running out of available IPs from the pool by MAC address 00:00:00:00:00:00 and also “IP declines” / “conflict” by many iPhones, but not laptops from different brands (weird).
In the local router we have a bridge that is set to proxy-arp because we have many VPN tunnels to remote locations.
To cut a long story short, after many hours of investigation we realized that we have one EoIP tunnel in the bridge of the local router connected to a remote router; at the remote router we had the other side of the EoIP in another bridge too that has the setting of proxy-arp. That caused the problem. We changed the remote router's EoIP bridge to ARP enabled only, and that solved the issue for all the devices. In the local router all the devices, including iPhones, took their IP almost immediately after the change at the remote router.

Run for the hills… Hint: Put a password on that guest WiFi and bus stop users won't be able to log in. :stuck_out_tongue_winking_eye:

Not as easy as it sounds. Users now help themselves and authenticate using SMS. If there is a password, users need to have a way to know the password.

Guests are inside the building, there can be a sign or signs… It can be changed weekly or daily.
Not that hard if one is organized! :stuck_out_tongue_winking_eye:

Or you could go all out - Alternative Approach
See Jotne for WIFI Password, sexual favours accepted!

I do agree that it can be done.
But with around 100 buildings and 2-30 doors to enter in every building, it would be some mess to update :slight_smile:

Look into a digital signage solution… :slight_smile:
But seriously, when you run out of DHCP address space you will have to do something, and setting a very short lease time usually will not work because some (Apple!!) devices will not accept a lease with a short duration. I would not dare to go below 1h for a lease time on such a large network.
Using a large subnet (so you can have many addresses in the pool) is not so good either, because you will invariably encounter those apps and other programs that “just scan the entire IP space to find their friends (peers, devices, whatever)” and it will cause a lot of broadcast traffic due to the ARP requests…

I was thinking of blocking Apple devices :wink:

So I set the IP assigned to my iPhone to static DHCP on the router.
Disabled WiFi & enabled it. It won't connect.
Even removed the WiFi by using Forget Network on the iPhone. Still no go.

What's with this attachment to the previous IP?