Community discussions

 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 192
Joined: Wed Sep 16, 2009 2:55 pm

Apple devices flooding DHCP server

Wed Jan 09, 2019 5:33 pm

At a customers site, a week ago, log started to show lots of
dhcp-lan client xx:xx:xx:xx:xx:xx declines IP adress 172.18.11.xx
there were several of these entries every second during business hours. The problem was reported as windows users got a message telling their ip was already in use. Well, no wonder they were used, considering the number of dhcp requests. The DHCP scoop was simply filled, even though there was 240 addresses in the dhcp scoop, and only 50ish devices on site. There were several entries in dhcp lease table telling that mac-address 00:00:00:00:00:00, client ID [empty] is assigned to a bunch of ips, with the status "busy". Normally dhcp lease status is "bound".

Tracking down the mac-addresses revealed one macbook pro and a bunch of iphones.
The owner of the macbook and a iphone had a look at his home router log (an ubiquiti router) and found that his devices did the same thing at home.

So we requested all iphone owners to forget the lan-wlan, restart their devices, and connect to guest-wlan. So they did, and the problem went away.

Now we wanted to figure out what this was all about. We put 3 iphones on lan-wlan, and all looked good - for about 3 hours. Now the same problem occurred again. DHCP is flooded with requests, filling all available addresses.
The macbook is creating problems as soon as it is connected to lan. It doesn't matter if it uses wlan or cable - same problem. As soon as it connects to lan, it sends a lot of dhcp requests. It doesn't do this when connected to guest network - neither wlan or cable.

Lan-wlan and guest-wlan are two vlan. They uses the same switches, the same APs (6x wAP ac managed by capsman). Router is a rb3011. The two vlans are identically configured, except for the obvious (different vlan id, different ip range, and different switch ports for untagged traffic). In capsman the lan-wlan is primary configuration, while guest-wlan is secondary.

Any ideas how to debug this?
Has apple released some updates lately that could cause issues?

Edit: Arp is set to 'enable' on all interfaces. (I've read that proxy-arp may cause issues with apple devices and dhcp)
 
User avatar
bramwittendorp
Frequent Visitor
Frequent Visitor
Posts: 86
Joined: Thu Jun 16, 2016 3:48 pm
Location: The Netherlands
Contact:

Re: Apple devices flooding DHCP server

Wed Jan 09, 2019 8:07 pm

I have a lot of Apple Gear, and haven't seen the problem so far. I think it is caused by the devices in question, but not due to some widespread issue, but rather to the individual device.

I found the following topic in the Apple Forum: https://discussions.apple.com/thread/8193574

Maybe the suggestion there help you? Or try updating the cliënt to latest version of macOS and iOS. I know certain that the latest version don't cause similar issues.
Bram - MikroTik enthusiast - MTCNA / MTCRE
Don't be shy, share your /export hide-sensitive and make sure to read this.
 
eddieb
Member Candidate
Member Candidate
Posts: 101
Joined: Thu Aug 28, 2014 10:53 am
Location: Netherlands

Re: Apple devices flooding DHCP server

Wed Jan 09, 2019 8:45 pm

same here, running ROS 6.43.8.
lots of Apple devices, all on dhcp.
Works as expected, no flooding seen here.
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 192
Joined: Wed Sep 16, 2009 2:55 pm

Re: Apple devices flooding DHCP server

Wed Jan 09, 2019 8:54 pm

Well. Disable DHCP server and force everyone to set static ip will be a way to get around DHCP issues. Though, it will case quite a bit of other problems when dealing with users without technical knowledge.
The strange thing is that this turned up as an issue with so many devices at once. Network equipment has not been altered for months. They don't get automatic updates. So why should this happen to a bunch of units at the same day? I suspect an automatic update within the world of apple.
 
Van9018
Member
Member
Posts: 468
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Apple devices flooding DHCP server

Thu Jan 10, 2019 2:48 am

Have you tried using a different Mikrotik to rule out the Mikrotik as the problem? Disable the DHCP Service, try obtaining an IP. Is there another DHCP service on the network?

In Winbox, capture packets with Tools > Packet Sniffer. Save packets to a file. Let the problem happen for a minute. Stop the capture, copy the file to your PC. Open it with Wireshark. A single DHCP transaction should have 4 packets.
1. The Discovery is your client looking for DHCP Servers on the network. There should only be 1.
2. The Offer is your mikrotik offering an IP. If a lease for that MAC already exists, I think the Mikrotik will offer that same IP.
3. The client will then deny or request the IP. If denying, maybe the client detects an IP conflict however RouterOS detects conflicts too and skips bad IPs.
4. The Mikrotik will then acknowledge that the client accepted the IP.

Run a packet capture on a problem client. Still getting all 4 packets there?
 
User avatar
Jotne
Forum Veteran
Forum Veteran
Posts: 796
Joined: Sat Dec 24, 2016 11:17 am
Location: Magrathean

Re: Apple devices flooding DHCP server

Thu Jan 10, 2019 8:13 am

@petterg

This is how Apple devices work. I do guess that you have an open wifi network with a portal login?
If so, all Apple devices that passing trough and see the open wifi network will try to connect to call home.

I am in charge of a governmental guest network with around 4000-5000 wifi points. At any given times there are around 1500 users.
Problem is that for example a buss stopp is close to our building, so all iPhone in the buss connects to our network.
Due to this I have a DHCP lease time on only 5min. If not I will quickly run out of DHCP IP.

Look at Captive Portal for Apple
https://discussions.apple.com/thread/7491051
.
Use Splunk to monitor your MikroTik Router

MikroTik->Splunk
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 192
Joined: Wed Sep 16, 2009 2:55 pm

Re: Apple devices flooding DHCP server

Thu Jan 10, 2019 9:43 am

This is an office network in a building where walls and windows are so thick that there are no wifi coverage on the balcony, Even with the AP just inside the window. Wifi is WPA2-PSK.

Apple devices has not behaved this way before.

I have not tested another mikrotik, but the customers network admin has tested with ubiquiti at home, seen the same thing using his iphone and macbook.

There was no other DHCP server on the network yesterday. I've setup an alert on the mikrotik dhcp server to see if another dhcp server shows up occasionally.

I'm leaning towards this being a bonjor sleep proxy running on some apple device.
https://en.wikipedia.org/wiki/Bonjour_Sleep_Proxy
How can I detect where that service is being run?

This is interesting reading aswell http://10base-t.com/bonjour-sleep-proxy-service/
 
petterg
Member Candidate
Member Candidate
Topic Author
Posts: 192
Joined: Wed Sep 16, 2009 2:55 pm

Re: Apple devices flooding DHCP server

Fri Jan 11, 2019 7:59 am

We've identified one macbook that seemed to be the cause of this issue. Disconnected it from wlan - problem went away. Reconnected it - problem came back. Rebooted that mac - problem is gone. At least for now.

This device got identified because the user complained that wlan only worked in her office - nowhere else in the building. This site has 6 APs. As mentioned this building has extremely thick walls. Wifi signals can go through one interior wall, but not two walls. It can't get through the outside walls at all. So this mac had some issue where it could connect only to one of those 6 APs. Reboot solved this issue as well as it seems to been the cause of why all iphones and macbooks was declining all DHCP offers.

Who is online

Users browsing this forum: No registered users and 62 guests