- what exactly have you done two minutes after starting the sniff, and for how long had the connection already been down before you started sniffing?
- was the /ip dhcp-client print detail taken before starting the sniff or after finishing it?
The point is that during those first two minutes, the router just tries to get the MAC address of the gateway in the WAN subnet, and gets no responses; the link is not down because some other device is getting DHCP NAK. Two minutes into the capture, the Mikrotik has requested an IP address from scratch (no renewal, just a request for a new one), got it, and since then everything went smoothly. However, the lease time indicated in the capture is 1d22h39m, whereas the /ip dhcp-client print detail shows about 45m longer, which is very strange. Plus the time shown is what actually remains until the expiration, not the lease duration indicated when the lease has been done.
Normally, the DHCP client starts attempting to renew the lease once half the lease time expires. So do the /ip dhcp-client print detail several times and watch the expires-after decrease, and note the remaining time somewhere. At roughly the same time the next day, check whether it has risen again (which would indicate a successful renewal took place in the meantime) or whether it shows about 1d less than the day before and status rather than bound, which would indicate that all the renewal attempts have failed so far. The client normally repeats the renewal request several times before reverting to asking for any address rather than renewing the lease of the current one, but all this normally happens before the original lease expires.
Or configure the sniffer the following way:
/tool sniffer set filter-mac-protocol=ip filter-ip-protocol=udp filter-port=67 filter-interface=br-wan
and start it using tool sniffer start (still with some file-name configured). Keep it running until the next failure (you may log out from the router in the meantime), then do /tool sniffer stop. This way you'll see exactly what was happening. Just don't be surprised - you'll see also some of your neighbours' DHCP traffic even if the ISP uses port isolation properly (some server->client messages are sent to the broadcast MAC address), so you'll have to use some display filters in Wireshark to only show what is relevant to your issue.
Instead of writing novels, post /export hide-sensitive. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1.
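
An added example, not part of the post above and not MikroTik code: a small Python parser for the UDP port 67/68 payloads such a capture contains, keeping only the messages that carry your own client MAC and reporting the DHCP message type and lease time. The MAC addresses and the sample payloads are constructed for the demo, and extracting the UDP payloads from the capture file is assumed to happen elsewhere.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"  # DHCP magic cookie after the 236-byte BOOTP header
TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
         5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}

def parse_dhcp(payload):
    """Parse one UDP payload; return None if it is not a DHCP message."""
    if len(payload) < 240 or payload[236:240] != MAGIC:
        return None
    msg = {"xid": struct.unpack("!I", payload[4:8])[0],
           "mac": payload[28:28 + min(payload[2], 16)].hex(":"),  # chaddr
           "type": None, "lease": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:  # 255 = end option
        code, length = payload[i], payload[i + 1]
        if code == 0:  # pad option has no length byte
            i += 1
            continue
        data = payload[i + 2:i + 2 + length]
        if len(data) < length:  # truncated option, stop parsing
            break
        if code == 53 and length == 1:  # DHCP message type
            msg["type"] = TYPES.get(data[0], str(data[0]))
        elif code == 51 and length == 4:  # IP address lease time, seconds
            msg["lease"] = struct.unpack("!I", data)[0]
        i += 2 + length
    return msg

def own_traffic(payloads, mac):
    """Drop neighbours' broadcast traffic: keep messages whose chaddr is ours."""
    parsed = (parse_dhcp(p) for p in payloads)
    return [m for m in parsed if m and m["mac"] == mac.lower()]

def fmt_lease(seconds):
    """Format seconds the way RouterOS prints them, e.g. 1d22h39m."""
    days, rem = divmod(seconds, 86400)
    hours, rem = divmod(rem, 3600)
    return f"{days}d{hours}h{rem // 60}m"

def make_sample(mtype, mac, lease=None, xid=0x1234):
    """Build a minimal DHCP payload (constructed test data, not a capture)."""
    hdr = struct.pack("!BBBBIHH", 2 if mtype in (2, 5, 6) else 1, 1, 6, 0, xid, 0, 0)
    hdr += bytes(16) + bytes.fromhex(mac.replace(":", "")).ljust(16, b"\0") + bytes(192)
    opts = bytes([53, 1, mtype])
    if lease is not None:
        opts += bytes([51, 4]) + struct.pack("!I", lease)
    return hdr + MAGIC + opts + b"\xff"

MY_MAC, NEIGHBOUR = "02:00:00:00:00:01", "02:00:00:00:00:02"  # constructed MACs
SAMPLES = [make_sample(5, MY_MAC, 167940), make_sample(2, NEIGHBOUR, 86400),
           make_sample(6, MY_MAC)]
```

A NAK or a run of unanswered REQUESTs for your own MAC shortly before the outage is the pattern the long-running capture is meant to reveal.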