We run a falrly large WISP/FTTP hybrid.
Some of our lovely customers leave and dont tell us and plug their starlink or BT or other device into our WISP side Radio.
We then see a rogue DHCP being discovered.
We only see the mac address and LAN ip of the device, is there a way to trace the source WAN IP or route over the radio link, at least this way we could work out who it might be.
How does that even happen?
You can’t see IP address of your device because (apart from acting as a switch) it doesn’t collaborate in malicious activities.
But the I wonder the same as @flynno: how can somebody connect starlink router to WAN port of your device and still bothers your network? Do your gadgets have multiple WAN ports configured (while only one being active)? Or is your “border” device simple L2 switch?
They will take our WAN cable from the Ubiquiti radio reciever (Station) and plug it into their new device/service LAN port. This then pushes DHCP back which we can see.
when a customer cancel the contract with us, we unmount the devices and the link from their house.
You just disable the lan port on the CPE and go collect it
Yes we do the same but only if they tell us they are leaving.
You cant account for thick customers!
Back to original Question
Search for the errant MAC address in the bridge hosts table on the switches and radios in your network.
You should really have DHCP snooping or bridge filters / switch ACLs to prevent rouge DHCP servers, otherwise genuine clients who are closer (in terms of round-trip time) to the problem client site may end up obtaining an address from the problem site.
We are not bridged, statically routed back to our virgin fibre source on a /30
However I did implement DHCP Spoofing last night on the 2 core Edgeswitch’s and its stopped the rogue services.
However not knowing where they come from is troubling us, we only see the LAN ip and mac address of the source.
Find them … as per advice by @tdw. Yes, it’s manual work, but if you want to catch plaintiff, you need to do some detective work before you send out the guns.
Ok guys its obviously not that easy to identify the route, Snooping enabled all looks good.
Were are an entirely Static or PPPoE authenitcated ISP, we dig in our own fibre and provide our own fully routed GPON ISP network to our clients.
DHCP from our core router is not required.
Its the legacy WISP part we mainly have issues with.
So its a pain when a stupid customer plugs our end point WAN into their Starlink via switch and feeds back DHCP.
I did discover by luck one today, its was starlink, managed to see a device named on their network, called him and he denied it! I could log onto one of several commercial printers he had there and printed something to it…
He wasnt impressed!
However, as always appreciate all the feedback and help.
What would we do without customers..