Netgate Discussion Forum

    Some clients getting IP from strange source..

      wallabybob

      DHCP clients typically record the IP address of the server giving them the lease so the client can renew the lease before it expires.

      If I recall correctly, some Windows systems report the DHCP server in the output of the shell command ipconfig /all.

      You should see the pfSense dhcp client output in the pfSense system log which can be displayed by shell command clog /var/log/system.log

        dhatz

        luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

          luke240778

          @dhatz:

          luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

          Correct, and this is what I am thinking/worrying about.. but not sure how I would find it.. and seeing that the DHCP leases that it's giving are nothing like my network, not understanding how it could be working.. If all APs know to get DHCP from my 10.0.0.1, how can any of them be getting IPs in a 172.16.0.xx range?

          How can I determine this by looking at DHCP traffic? The DHCP leases only show the ones that are getting an IP from me; the ones with this problem, their MACs are not on the DHCP list as they are getting an IP from elsewhere. Can you tell me how I would go about trying to track this down?

            cmb

            Look at ipconfig/all on the host (assuming Windows) that has a weird DHCP IP and you'll see the DHCP server's IP. You should be able to ping the DHCP server IP from that host, then check its ARP cache to see what MAC it has, and track it down from there. Most likely it's one of your APs, but hard to say, the MAC will let you track it down.

              luke240778

              @cmb:

              Look at ipconfig/all on the host (assuming Windows) that has a weird DHCP IP and you'll see the DHCP server's IP. You should be able to ping the DHCP server IP from that host, then check its ARP cache to see what MAC it has, and track it down from there. Most likely it's one of your APs, but hard to say, the MAC will let you track it down.

              Don't think I can do it that way. All clients have antennas, so ipconfig/all on their PC will show the details of the antenna. In the antenna, it is connected to my AP, so it will show the MAC of that. The AP is set manually to get DHCP from 10.0.0.1, which they are not, so I don't see how it can be one of my APs (I have checked them all also). I have clients on multiple APs all getting this strange IP; reboot them and sometimes they luckily get the correct IP from my DHCP server, and other times they continue to get the other IP.. any other ideas?

                dhatz

                @luke240778:

                @dhatz:

                luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

                Correct, and this is what I am thinking/worrying about.. but not sure how I would find it.. and seeing that the DHCP leases that it's giving are nothing like my network, not understanding how it could be working.. If all APs know to get DHCP from my 10.0.0.1, how can any of them be getting IPs in a 172.16.0.xx range?

                How can I determine this by looking at DHCP traffic? The DHCP leases only show the ones that are getting an IP from me; the ones with this problem, their MACs are not on the DHCP list as they are getting an IP from elsewhere. Can you tell me how I would go about trying to track this down?

                There are various tools you could use, depending on what type of systems you have. Check http://www.google.com/search?q=rogue+dhcp+server+detection

                As I pointed out to you some months ago, your bridged setup is prone to such problems, most probably induced completely unintentionally by someone among your users installing another router at home. IIRC you run your WISP on a combination of Ruckus and UBNT gear; the latter is Linux-based and its iptables allows you to filter traffic.

                  luke240778

                  Thanks for your help. Found a link with a tool called dhcp_probe for Linux, installed and ran it, and it did indeed find another DHCP server, but it was 192.168.2.1 and not anything like the 172.16.0.xx IPs that I see all my clients getting.. could that 192.168.2.1 be giving IPs out in that 172.16.0.xx range?

                    ptt Rebel Alliance

                    To test, you can set one PC with a static IP, let's say, 172.16.0.3 with GW 172.16.0.1, and try to ping 172.16.0.1, to check if that IP responds, or you can get nmap and scan the 172.16.0.x network….

                    Just an off topic question; are you still playing with your RB750GL and DHCP relay?  ;D

                    http://forum.ubnt.com/showthread.php?t=51522

                      luke240778

                      Thanks for your reply. Yeah, I did that test already and came up with nothing.. ran an angryIP scan on that subnet and also got nothing.. strange

                      Yes, I am still playing with the RB750GL. I have it basically doing everything that I need it to apart from that DHCP relay.. doesn't seem to be working for me at all..

                        dhatz

                        @ptt:

                        Just an off topic question; are you still playing with your RB750GL and DHCP relay?  ;D
                        http://forum.ubnt.com/showthread.php?t=51522

                        It was quite interesting to read those people's take on Mikrotik vs pfSense… I think their position is understandable from their point of view (i.e. running a WISP) since MT has been targeting that specific niche for almost 10 years. Additionally, since MT ROS is built on Linux, if one is already familiar with the underlying tools e.g. iptables/tc/etc one has a smoother learning curve.

                        On the other hand, IMO pfSense is better suited than MT ROS as a corporate firewall and VPN termination device (and router & IDS/IPS & rev-proxy, depending how well the quagga / openbgp / snort / varnish packages evolve).

                        Despite some disparaging comments, there is simply no comparison between pfsense and ROS when one considers the underlying technology, e.g. the fact that pfsense includes top-tier tools like ISC dhcpd and unbound DNS (v2.1).

                          luke240778

                          @dhatz:

                          @ptt:

                          Just an off topic question; are you still playing with your RB750GL and DHCP relay?  ;D
                          http://forum.ubnt.com/showthread.php?t=51522

                          It was quite interesting to read those people's take on Mikrotik vs pfSense… I think their position is understandable from their point of view (i.e. running a WISP) since MT has been targeting that specific niche for almost 10 years. Additionally, since MT ROS is built on Linux, if one is already familiar with the underlying tools e.g. iptables/tc/etc one has a smoother learning curve.

                          On the other hand, IMO pfSense is better suited than MT ROS as a corporate firewall and VPN termination device (and router & IDS/IPS & rev-proxy, depending how well the quagga / openbgp / snort / varnish packages evolve).

                          Despite some disparaging comments, there is simply no comparison between pfsense and ROS when one considers the underlying technology, e.g. the fact that pfsense includes top-tier tools like ISC dhcpd and unbound DNS (v2.1).

                          Totally agree, and it was definitely hard in that thread to keep my cool :)

                          I don't care what any of them say, I AM keeping my pfSense Firewall no matter what. I definitely, from testing both, agree that the "Hotspot" on ROS is MUCH better than the Captive Portal on pfSense. It is a cool little tool, but in production, as a WISP.. Captive Portal really sux.. works very poorly unfortunately.

                            ptt Rebel Alliance

                            Back on topic  ;D

                            I'm not 100% sure, but with a firewall rule like this in your Rockets (I'm using airOS 5.3.5), you should be able to block rogue DHCP servers.

                            Please try first in Lab ;)

                            Edit: here you can read about UBNT & Rogue DHCP servers http://forum.ubnt.com/showthread.php?t=25073

                            [Attached image: UBNT_Block_Rogue_DHCP.PNG]

                              luke240778

                              @ptt:

                              Back on topic  ;D

                              I'm not 100% sure, but with a firewall rule like this in your Rockets (I'm using airOS 5.3.5), you should be able to block rogue DHCP servers.

                              Please try first in Lab ;)

                              Edit: here you can read about UBNT & Rogue DHCP servers http://forum.ubnt.com/showthread.php?t=25073

                              Thanks ptt.. I'll give that a shot.. what exactly does that do? Also, seeing that you brought up that UBNT thread.. do you have any idea how to continue with the DHCP server on pfSense but using the RB750 as NAS and hotspot, with clients getting DHCP from pfSense still, but authenticating to my RADIUS server via the hotspot page on the RB? I can't get that DHCP relay working.. I have it set up so far as:

                              Port 1 - Getting DHCP from pfSense
                              Port 2 - Set up DHCP relay, but when I try and connect, it doesn't assign an IP to me.
                              Ports 3 to 5 I have not set up as yet; was just going to test with port 2 so far, then do the rest the same.

                                ptt Rebel Alliance

                                I'll give that a shot.. what exactly does that do?

                                "If" I'm not wrong (I'm not a networking expert)

                                DHCP server "BOOTPS" has src port 67, so if you block ANY (0.0.0.0/0) traffic coming from your clients to the WLAN interface of your AP from port 67, then you are blocking ANY external DHCP server.

                                About MikroTik, I can't help you. We are only using it as an "Access Concentrator" (fancy name for a PPPoE server) and giving our customers "Static IPs", so I have no experience with MT and DHCP server / DHCP relay  :-[

                                Also, we are planning to take out the MikroTik PPPoE server from our network (due to the fact that Ubiquiti can't do QoS on encrypted traffic) and use static IPs on the CPEs (in Router mode), and connect our APs (in Bridge mode) directly to the pfSense server.

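Added example, not code from any poster in this thread: monitoring DHCP traffic, as suggested earlier, comes down to reading two separate fields in each server reply, the address offered to the client (yiaddr) and the server identifier (option 54), and the check below also uses the "replies come from UDP source port 67" property described in the last post. The function names and both sample replies are constructed for illustration; 10.0.0.1 is assumed to be the only authorized server, as stated in the thread.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"   # DHCP magic cookie that precedes the options
AUTHORIZED = {"10.0.0.1"}     # legitimate server address, taken from the thread

def parse_dhcp(udp):
    """Parse a UDP datagram (8-byte UDP header + BOOTP/DHCP payload)."""
    if len(udp) < 8 + 240 or udp[244:248] != MAGIC:
        return None           # truncated, or not DHCP
    sport = struct.unpack("!H", udp[:2])[0]
    b = udp[8:]
    info = {"sport": sport, "op": b[0],            # op 2 = reply from a server
            "yiaddr": socket.inet_ntoa(b[16:20]),  # address handed to client
            "client_mac": b[28:34].hex(":"),
            "msg_type": None, "server_id": None}
    i = 240
    while i + 1 < len(b) and b[i] != 255:          # 255 = end of options
        if b[i] == 0:                              # pad option has no length
            i += 1
            continue
        code, length = b[i], b[i + 1]
        val = b[i + 2:i + 2 + length]
        if code == 53 and len(val) == 1:           # DHCP message type
            info["msg_type"] = val[0]
        elif code == 54 and len(val) == 4:         # server identifier
            info["server_id"] = socket.inet_ntoa(val)
        i += 2 + length
    return info

def is_rogue(info, authorized=AUTHORIZED):
    """True for a server reply (UDP src port 67, op 2) from an unlisted server."""
    if info is None or info["sport"] != 67 or info["op"] != 2:
        return False
    return info["server_id"] not in authorized

def build_reply(server_ip, offered_ip, mac, sport=67, op=2):
    """Build a minimal DHCPOFFER for the demo (constructed, not captured)."""
    b = bytearray(236)
    b[0:3] = bytes([op, 1, 6])                     # op, htype Ethernet, hlen 6
    b[16:20] = socket.inet_aton(offered_ip)
    b[28:34] = bytes.fromhex(mac.replace(":", ""))
    opts = b"\x35\x01\x02\x36\x04" + socket.inet_aton(server_ip) + b"\xff"
    payload = bytes(b) + MAGIC + opts
    return struct.pack("!HHHH", sport, 68, 8 + len(payload), 0) + payload

# Constructed samples: an unlisted server offering 172.16.0.x, and the real one.
SAMPLE = build_reply("192.168.2.1", "172.16.0.23", "02:00:00:aa:bb:cc")
GOOD = build_reply("10.0.0.1", "10.0.0.57", "02:00:00:aa:bb:cc")
```

Feeding real captured UDP datagrams from an affected client's segment into `parse_dhcp` shows which server identifier accompanies each offered address, together with the client MAC the reply was meant for.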
                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.