ip addresses outside of pool being served

milomak · March 18, 2023, 6:44pm

i have a RB951Ui-2HnD running RouterOS v6.45.6 (stable). it is running in bridge mode.

the router it is connected has set a static internal addres of 192.168.0.102 for a mac address. this has been working without issue for probably the last 2 years. i have not updated neither router since then.

it had been serving the mac address with that address until about 2 days ago. now it is serving 192.168.88.240 to that mac address.

the pool

the dhcp server

don’t know if arp will be useful

what am i missing?

oh and let me add. sometimes it serves the expected ip.

WN1X · March 18, 2023, 11:45pm

Have you confirmed the MAC address for 192.168.0.102 has not changed. You need to check when the wrong IP address is being served out.

mkx · March 19, 2023, 9:23am

Could be some other device on same network that acts as DHCP server. You should be able to verify on client, which receives wrong IP address to see which DHCP server offered the wrong IP address.

milomak · March 19, 2023, 11:47am

mac address has not changed

milomak · March 19, 2023, 11:48am

no new device that serves ip addresses has been added in the last 2 years. it receives the ip via ethernet as well.

mkx · March 19, 2023, 12:13pm

I’ve never seen MT DHCP server to “invent” IP address range to serve devices. I’ve seen cases where some device acted as DHCP server without network admin being aware of that. You seem like you’re not willing to verify ideas of people you asked for help, which to me is a bit rude (to put it mildly).

holvoetn · March 19, 2023, 2:17pm

The fact sometimes the correct IP address is given, indicates it’s a simple matter of who answers first to the request.

Simple test.
Disable DHCP on your Mikrotik.
Reboot the client router (or release the lease and renew) and see what happens. If it gets a valid IP address (the wrong one), something happened in your network without you knowing (to put it mildly )

Wireshark may help to find the culprit.

milomak · March 19, 2023, 2:29pm

i’m not sure how it is rude pointing out that there has been no change in 2 years in how the system is setup.

so what i have noticed is that when i disable the ip reserved on the main router, the deivice seems to get 192.168.0.109 consistently on the few reboots i have done.

even though it seems i have set the mikrotik to reserve the mac address for 192.168.0.102

milomak · March 19, 2023, 2:58pm

how do i disable dhcp on the mikrotik?

holvoetn · March 19, 2023, 3:02pm

Ip
Dhcp server
Select your dhcp server
Disable ( don’t delete)

milomak · March 19, 2023, 3:34pm

you sir are a scholar and a gentlemen

edit - apologies, i don’t mean to assume your gender. it’s just that’s the quote i know,

WN1X · March 19, 2023, 3:40pm

Knowing that a rogue DHCP server is the culprit is good, but using wireshark would allow you to learn the IP address of the rogue.

milomak · March 19, 2023, 4:45pm

i would like to learn more about this wireshark

edit - in all honestly i think i bought a sledgehammer to fix what needed a far smaller tool. i just needed a bridge and i seem to have got something with a lot more bells and whistles.

k6ccc · March 19, 2023, 4:45pm

A couple of additional notes. First is that you are running an ancient version of RouterOS. Second is that RouterOS has the ability to detect rogue DHCP servers. You appear to be using WebFig, but it should at least be somewhat similar to WinBox. Under DHCP server > Alerts, you can set which interface you want to monitor for rogue DHCP server and set some parameters. When a rogue DHCP server is detected, you can trigger a script for what to do about it. In my case, the script sends me an E-Mail telling me about it.

/ip dhcp-server alert
add disabled=no interface=E02-pB4_101 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:86
add disabled=no interface=E03-pB6_103 on-alert="DHCP Alert" valid-server=\
    6C:3B:6B:7E:99:87

And in case you really want it, here’s the script that tells me about it.

:log info "Starting Rogue DHCP server script"
/tool e-mail send to="jim@<redacted>" body="$[/system clock get date] at $[/system clock get time]  MikroTik RB4011 router has detected a rogue DHCP server.  See event log." \
   subject="RB4011 router found rogue DHCP server"
:delay 00:00:10
/tool e-mail send to="k6ccc@<redacted>" body="$[/system clock get date] at $[/system clock get time]  MikroTik RB4011 router has detected a rogue DHCP server.  See event log." \
   subject="RB4011 router found rogue DHCP server"
:log info "DHCP alert script completed"

milomak · March 19, 2023, 4:55pm

i tried to update but get a dns error. don’t know if this is related to bridge mode

Second is that RouterOS has the ability to detect rogue DHCP servers. You appear to be using WebFig, but it should at least be somewhat similar to WinBox. Under DHCP server > Alerts, you can set which interface you want to monitor for rogue DHCP server and set some parameters. When a rogue DHCP server is detected, you can trigger a script for what to do about it. In my case, the script sends me an E-Mail telling me about it.

/ip dhcp-server alert
add disabled=no interface=E02-pB4_101 on-alert=“DHCP Alert” valid-server=
6C:3B:6B:7E:99:86
add disabled=no interface=E03-pB6_103 on-alert=“DHCP Alert” valid-server=
6C:3B:6B:7E:99:87

>
> And in case you really want it, here's the script that tells me about it.
>
> ```text
:log info "Starting Rogue DHCP server script"
/tool e-mail send to="jim@<redacted>" body="$[/system clock get date] at $[/system clock get time]  MikroTik RB4011 router has detected a rogue DHCP server.  See event log." \
   subject="RB4011 router found rogue DHCP server"
:delay 00:00:10
/tool e-mail send to="k6ccc@<redacted>" body="$[/system clock get date] at $[/system clock get time]  MikroTik RB4011 router has detected a rogue DHCP server.  See event log." \
   subject="RB4011 router found rogue DHCP server"
:log info "DHCP alert script completed"

thanks. so i need to add all mac addresses that are valid on the mikrotik?