DHCP Server Offering Issue

I have a problem with a DHCP Server. It keeps offering two addresses to something that no longer exists on the network. I am unable to remove the address from the DHCP Server Leases Tab or the ARP table. Is there a method to accomplish this?

Dennis

A DHCP server will not offer an address unless asked for one.

With a conventional DHCP server setup, configured with an IP pool, a dynamic lease will appear in the DHCP server leases tab and remain there until the lease time specified expires.

A partial ARP entry will appear if anything attempts to contact a connected device, even if it is not present - these will appear with just the D flag (rather than DC), an IP address but no MAC address (as a non-existent device won’t be able to answer).

I have attached a visual of my problem. The MAC and I/P addresses do not exist on the network yet the DHCP Server keeps offering and loading up the log file.
Trouble Mac Address 8638.PNG
Trouble Mac Address 8635.PNG

Those MAC addresses are assigned to Mikrotik. What are the log messages?

Log File.PNG

What does the following pasted into a terminal window on the mikrotik show:

:foreach i in=[/interface ethernet find] do={ :put "$[/interface ethernet get $i default-name] $[/interface ethernet get $i mac-address]"; }

Your config, or certainly the DHCP part of it (using /ip dhcp-server export hide-sensitive and /ip dhcp-client export hide-sensitive ) would be useful too.

results.PNG

Here is the result of the server and client request
My Results.PNG

I’d post the output of /export hide-sensitive with any public IPs, etc, obfuscated.

Rather than multiple screenshots, either save as a file and copy to your computer, or use Copy All in the terminal window. Paste here in a code tag (the icon above the reply box).

Ok I’ll get to my computer and repost.

Is this what you wanted?


[code]
/ip dhcp-server
add add-arp=yes address-pool="CB Pool" disabled=no interface=ether2 lease-time=1d30m name="CB DHCP"
add add-arp=yes address-pool="McCurdy Pool 1" disabled=no interface=ether6 lease-time=1d30m name="McCurdy DHCP 1"
add add-arp=yes address-pool="McCurdy Pool 2" disabled=no interface=ether7 lease-time=1d30m name="McCurdy DHCP 2"
/ip dhcp-server network
add address=10.10.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.5.1
add address=10.10.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.6.1
add address=192.168.88.0/24 dns-server=209.18.47.61,209.18.47.62 gateway=192.168.88.1 netmask=24
[/code]

[code]
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp1
[/code]

[code]
ether1 B8:69:F4:B7:86:33
ether2 B8:69:F4:B7:86:34
ether3 B8:69:F4:B7:86:35
ether4 B8:69:F4:B7:86:36
ether5 B8:69:F4:B7:86:37
ether6 B8:69:F4:B7:86:39
ether7 B8:69:F4:B7:86:3A
ether8 B8:69:F4:B7:86:3B
ether9 B8:69:F4:B7:86:3C
ether10 B8:69:F4:B7:86:3D
sfp1 B8:69:F4:B7:86:38
[/code]

No, the whole config - to see all of the interface and IP configuration

I guess I am confused. Is there a specific script to run to accomplish what you need?

/export hide-sensitive

Here is what you requested. I am so sorry for the delay but personal problems come first. I do hope you can help. I have discovered that the address that is requesting is the MAC address from the Mikrotik 3011 port ether2. What could cause the port itself to request a DHCP address when one is already set?

# jun/02/2019 21:23:41 by RouterOS 6.44.3
# software id = DXJ2-GFC6
# model = RouterBOARD 3011UiAS
# serial number = 8EED09095E0A

/interface bridge
add name="Static IPs"
/interface ethernet
set [ find default-name=ether1 ] comment="Reserved backup WAN"
set [ find default-name=ether2 ] comment="CB DHCP"
set [ find default-name=ether3 ] comment="Static IPs (bridged with SFP)"
set [ find default-name=ether5 ] comment="Reserved McCurdy DHCP"
set [ find default-name=ether10 ] arp=proxy-arp comment="Mangement Port"
set [ find default-name=sfp1 ] advertise=10M-full,100M-full,1000M-full comment=WAN
/interface pptp-server
add name=pptp-in1 user=""
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name="CB Pool" ranges=192.168.88.10-192.168.88.254
add name="Static IPs" ranges=71.66.192.35-71.66.192.46
add name="McCurdy Pool 1" ranges=10.10.5.2-10.10.5.254
add name="McCurdy Pool 2" ranges=10.10.6.2-10.10.6.254
add name="VPN Pool" ranges=10.10.30.10-10.10.30.20
add name="CB VPN Pool" ranges=192.168.88.100-192.168.88.110
/ip dhcp-server
add add-arp=yes address-pool="CB Pool" disabled=no interface=ether2 lease-time=1d30m name="CB DHCP"
add add-arp=yes address-pool="McCurdy Pool 1" disabled=no interface=ether6 lease-time=1d30m name="McCurdy DHCP 1"
add add-arp=yes address-pool="McCurdy Pool 2" disabled=no interface=ether7 lease-time=1d30m name="McCurdy DHCP 2"
/ppp profile
add local-address="VPN Pool" name=vpnprofile remote-address="VPN Pool"
add local-address="CB VPN Pool" name="CB VPN Pool" remote-address="CB VPN Pool"
/interface bridge port
add bridge="Static IPs" interface=sfp1
add bridge="Static IPs" interface=ether3
/ip neighbor discovery-settings
set discover-interface-list=all
/interface detect-internet
set detect-interface-list=all
/interface list member
add comment=defconf interface="Static IPs" list=LAN
add interface=sfp1 list=WAN
add interface=ether2 list=LAN
add interface=ether5 list=LAN
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.88.1/24 comment="Court Building Addresses" interface=ether2 network=192.168.88.0
add address=71.66.192.34/28 comment="Public IPs" interface="Static IPs" network=71.66.192.32
add address=10.10.5.1/24 interface=ether6 network=10.10.5.0
add address=10.10.6.1/24 interface=ether7 network=10.10.6.0
/ip arp
add address=10.10.5.15 interface=ether6 mac-address=8C:3B:AD:E0:07:51
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp1
/ip dhcp-server network
add address=10.10.5.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.5.1
add address=10.10.6.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.6.1
add address=192.168.88.0/24 dns-server=209.18.47.61,209.18.47.62 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=209.18.47.61,209.18.47.62
/ip dns static
add address=192.168.88.1 name=router.lan
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input protocol=gre
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
/ip firewall nat
add action=masquerade chain=srcnat out-interface="Static IPs"
/ip firewall service-port
set tftp disabled=yes
/ip route
add distance=1 gateway=71.66.192.33
add distance=1 gateway=71.66.192.33
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
/ppp secret
add name=xxxxxx profile=vpnprofile service=pptp
add name=xxxxxxx profile=vpnprofile service=pptp
add name=xxxxxxxxx profile=vpnprofile service=pptp
add name="xxxxxx" profile=vpnprofile service=pptp
/radius
add address=142.93.203.30 service=ppp
/system clock
set time-zone-name=America/Chicago
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
/tool romon
set enabled=yes id=00:0B:82:D3:F1:01
/tool sniffer
set file-limit=1500KiB file-name=CB_2.pcap memory-limit=300KiB
[dennispillow@MikroTik] >

OK. Naming your bridge “Static IPs” is somewhat confusing - it appears to actually be your WAN, and it is included in your LAN interface list which will allow more external access to your Mikrotik than you may wish for.

The /ip dhcp client entry for sfp1 is the cause of your DHCP requests, and as it is a member of the bridge containing ether3 the address used could easily be that of ether3 (inherited by the bridge), rather than the interface itself. As your WAN IP is static just remove the DHCP client.

I really wouldn’t use PPTP for VPNs, it isn’t very secure.
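
The three points raised in the reply above (a DHCP client on a bridge port, the WAN-facing bridge sitting in the LAN interface list, and the enabled PPTP server) can be checked mechanically against an export. The following Python is an added example, not part of the original thread and not MikroTik tooling; `parse_export` and `audit` are hypothetical names, and `EXPORT` is an excerpt of the configuration posted above.

```python
import shlex

# Excerpt of the export posted in this thread (only the lines the checks read).
EXPORT = '''\
/interface bridge
add name="Static IPs"
/interface bridge port
add bridge="Static IPs" interface=sfp1
add bridge="Static IPs" interface=ether3
/interface list member
add comment=defconf interface="Static IPs" list=LAN
add interface=sfp1 list=WAN
add interface=ether2 list=LAN
/interface pptp-server server
set enabled=yes
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid interface=sfp1
'''

def parse_export(text):
    """Return {menu path: [dict of key=value pairs per add/set line]}."""
    menus, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            menus.setdefault(current, [])
        elif current and line.split(" ", 1)[0] in ("add", "set"):
            tokens = shlex.split(line)[1:]  # shlex keeps "Static IPs" as one value
            menus[current].append(dict(t.split("=", 1) for t in tokens if "=" in t))
    return menus

def audit(text):
    m = parse_export(text)
    port_of = {p["interface"]: p["bridge"] for p in m.get("/interface bridge port", [])}
    lists = {}
    for e in m.get("/interface list member", []):
        lists.setdefault(e["list"], set()).add(e["interface"])
    findings = []
    for c in m.get("/ip dhcp-client", []):  # client bound to a bridge slave port
        if c.get("disabled") != "yes" and c["interface"] in port_of:
            findings.append(f"dhcp-client on bridge port {c['interface']} (bridge {port_of[c['interface']]!r})")
    for iface in sorted(lists.get("WAN", set())):  # WAN port whose bridge is trusted as LAN
        if port_of.get(iface) in lists.get("LAN", set()):
            findings.append(f"WAN port {iface} is bridged into LAN-listed {port_of[iface]!r}")
    if any(s.get("enabled") == "yes" for s in m.get("/interface pptp-server server", [])):
        findings.append("PPTP server enabled")
    return findings
```

Running `audit` on a full `/export hide-sensitive` file works the same way, since menus the checks do not read are parsed and ignored.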

Thank you for your input. I will have to wait until the weekend so I can test this. I have another 3011 ordered to use as a test unit. I WILL let you know the results.