DHCP issue, users getting IP outside set range

KitMikro · August 18, 2016, 9:42am

Hi All,

I’ve got a weird issue since a few days. Sometimes users get an IP address outside the set IP Pool. I have no clue what to look for.

my ip range is 192.168.10.x but sometimes users get 192.168.1.x or 192.168.2.x or 192.168.3.x etc etc etc

/ip address
add address=192.168.10.250/24 disabled=no interface=bridge-local network=192.168.10.0

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe \
    src-address=192.168.10.0/24 to-addresses=0.0.0.0

/ip pool
add name=thuisnetwerk ranges=192.168.10.40-192.168.10.99
/ip dhcp-server
add address-pool=thuisnetwerk authoritative=yes disabled=no interface=bridge-local \
    lease-time=1h30m name=dhcp-thuis
/ip dhcp-server config
set store-leases-disk=15m
/ip dhcp-server network
add address=192.168.10.0/24 dns-server=192.168.10.250 domain=thuis.local gateway=\
    192.168.10.250

Feklar · August 18, 2016, 4:44pm

Check to see if there is another DHCP server on the network. The quickest way to do this is to create a DHCP client on the interface (with add default route set to no). If it gets a response from something, then you need to investigate the layer2 network and figure out where the other server is.

KitMikro · August 19, 2016, 7:34am

That is a nice trick! I’ll put that one in my cheat sheet But I get no address on the dhcp-client, it just keeps searching.

I did find a user that had a router connected the wrong way, so the 192.168.1x addresses could be explained… now that is solved, why do i get positive hits with angry ip scanner on the 192.168.2.x 192.168.3.x

Feklar · August 19, 2016, 3:50pm

You can also use the alerts portion of the DHCP-Server and the built in script to send you an email, though the client seems to work a bit better.

As far as the other subnets, there are a couple of possibilities that come to mind.
1.) If the end user picked up a lease from a bad DHCP server the lease maybe hasn’t expired yet, so the device hasn’t asked for a new IP.
2.) Could be a statically assigned IP address on some equipment.
3.) Could be someone has proxy-arp enabled, does the whole subnet respond, or just some IP addresses?
4.) Your scanning PC is in a different subnet than what you are scanning, and has a default gateway setup, so it’s using that gateway to scan for those IP addresses.

For 2 and 3, when you do an IP scan, either from the MikroTik or your PC, check your ARP table for the IP addresses that don’t belong. Are they one MAC address, or several different MAC addresses? If one MAC, it could be a form of proxy-arp on some equipment.

ekpesinyang · August 19, 2016, 4:11pm

There are other DHCP server on the network that is also active. check the ipconfig /all and get the gateway and do a trace route to be sure were the source is from.

KitMikro · August 26, 2016, 12:50pm

Well yesterday I checked every network cable (about 90 in a 5 stories high building), switched the wifi off and still couldn’t find another DHCP server. I’m starting to wonder if this is a problem with my laptop or angryipscanner… Also I didn’t have any more complaints about any users getting the wrong IP address. So I still need to look into this, but for once this problem should not be solved yesterday.

thanks for your help and suggestions so far. cheers.

pe1chl · August 26, 2016, 4:46pm

You can enable a DHCP server alert in your MikroTik on the Alert tab in DHCP Server.
It will log a message (and you can execute a script e.g. to send a mail) when a rogue DHCP server appears on a network
where the MikroTik is supposed to be the only DHCP server.

KitMikro · August 26, 2016, 6:34pm

Thanks another useful tip! I’ll do so cheers