Receiving DHCP IP Requests on WAN?

Hi All,

I have a 1Gb / 100Mb fibre connection at home, on my WAN interface. I receive IP via DHCP on WAN interface and apparently the connection is bound to my WAN MAC address.

Every 3 seconds I get a DHCP broadcast for an IP address on my WAN interface; the MAC address it is coming from is not the same as the MAC for the other side of my connection.

Is this normal? Should I be concerned, is someone stealing my bandwidth?

“20:29:50 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 52:54:00:74:6d:87, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 272”

I would assume that your ISP is using a switch without port isolation, so the source of these requests is someone else’s equipment trying to obtain an address via another port of that switch and failing (probably because their MAC address is not (yet) registered with the ISP). If this is the case, you might be able to spot DHCP discoveries from other MAC addresses now and then, but as it is not necessary to use a Discovery (which is broadcast) to renew an already assigned address, a device which has succeeded in receiving an address only ever sends a Discovery after restart, hence these will be very rare.

How does the fibre connection look physically, do you have a media converter from the ISP? If so, does it use a single fibre, or do the uplink and downlink directions use a separate fibre each?

Thx sindy,

I have been receiving these broadcasts for over a month now, so it will be strange if it is a case of “…their MAC address is not (yet) registered with the ISP”.

Connection is as follows:

Internet via Simplex SC fibre cable----> Huawei GPON Terminal---->2011UiAS-2HnD. I assume this SC cable is a patch lead from the box outside my house, not sure if it transforms into LC (double cable) mode from there back to fibre service provider network.

Also note my experience with fibre is limited.

Mine as well, but in single fibre, different wavelengths are often used to separate the directions, so if there is a single fibre, the probability that someone has connected in parallel to your single fibre is even lower.

What makes that even more puzzling is that 52:54:00 is a private MAC range historically used by virtualization: https://www.linuxquestions.org/questions/linux-virtualization-and-cloud-90/generating-custom-mac-addresses-4175414700/#post4718511

So I would ask the ISP whether they know about that. Or visit a friend who is connected the same way and check whether the same can be observed at his line.

Thx sindy,

As always, excellent response / feedback, really appreciate it.

I created a rule in raw to drop this MAC address coming in on WAN. At first, the counter increased in the 1000s very quickly, but strangely now, after about 3 days of dropping this, the counter only increased by 22 in the last 23 hours.

I will pass info on to the ISP and see their response.
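An added example, not part of the thread or any poster's own code: a small Python triage script for firewall log lines in the format quoted above. It groups DHCP client broadcasts (0.0.0.0:68 to 255.255.255.255:67) seen on the WAN port by source MAC and reports how often each MAC sends them, whether the address is locally administered, and whether it falls in the 52:54:00 range mentioned in the thread. The sample log, the `summarize` function and its field names are assumptions made for illustration.

```python
import re
import statistics
from collections import defaultdict

# Constructed sample: the first line is the entry quoted in the thread, the
# rest are made up in the same format (second MAC and TCP line for contrast).
SAMPLE_LOG = """\
20:29:50 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 52:54:00:74:6d:87, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 272
20:29:53 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 52:54:00:74:6d:87, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 272
20:29:56 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 52:54:00:74:6d:87, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 272
20:31:10 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto UDP, 0.0.0.0:68->255.255.255.255:67, len 300
20:31:12 firewall,info conn_state: in:ether1 out:(unknown 0), src-mac 00:11:22:33:44:55, proto TCP (SYN), 198.51.100.7:40000->203.0.113.5:443, len 60
"""

# Matches only DHCP client broadcasts and captures time, in-interface and MAC.
LINE_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d) .*?\bin:(?P<iface>\S+) .*?"
    r"src-mac (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2}), proto UDP, "
    r"0\.0\.0\.0:68->255\.255\.255\.255:67\b", re.I)

def is_locally_administered(mac):
    # Bit 0x02 of the first octet set: the address is not a vendor-assigned OUI.
    return bool(int(mac.split(":")[0], 16) & 0x02)

def summarize(log_text, wan_iface="ether1"):
    """Return {mac: stats} for DHCP broadcasts arriving on wan_iface."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m["iface"] == wan_iface:
            secs = int(m["h"]) * 3600 + int(m["m"]) * 60 + int(m["s"])
            seen[m["mac"].lower()].append(secs)
    report = {}
    for mac, times in seen.items():
        # Log lines carry no date, so wrap gaps that cross midnight.
        gaps = [(b - a) % 86400 for a, b in zip(times, times[1:])]
        report[mac] = {
            "count": len(times),
            "median_gap_s": statistics.median(gaps) if gaps else None,
            "locally_administered": is_locally_administered(mac),
            "prefix_52_54_00": mac.startswith("52:54:00"),
        }
    return report

if __name__ == "__main__":
    for mac, stats in summarize(SAMPLE_LOG).items():
        print(mac, stats)
```

A MAC with a high count and a short, steady gap is a client that keeps retrying without ever getting a lease, which is the pattern to hand to the ISP along with the MAC itself.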