DHCP being flooded with BOOTP requests
-
Hi all,
My DHCP logs are currently flooded with this:
"BOOTREQUEST from 00:00:00:00:00:01 via igb0: BOOTP from dynamic client and no dynamic leases" at the rate of about 50-100/min
igb0 is the LAN interface on this router.
From my understanding of the DHCP spec the phoney MAC address is perhaps a placeholderThis was my setup on this network when the problem appeared:
- High Availability cluster (I've dropped back to a single router atm, more on that below)
- Running 2.3.3-RELEASE (amd64)
- DHCP server active on the LAN
- as of this latest release "Ignore BOOTP queries" is checked (to no effect)
- There are no BOOTP servers on the network (that I can find - we never needed one)
- We have no devices set to require BOOTP
- The wired LAN runs on a 10.0 /21 ClassA network, with ~ 50 separate buildings with a small Mikrotik RB250GS at most buildings, offering Class A addresses to wired clients, but with most connections via wireless.
- We are currently transitioning from legacy Ubiquiti Pico's setup as a 'SOHO router that offers a Class C address block to each building. We're replacing them with the Ubiquiti LR AC units setup as simple access points offering both protected and guest network connections on the Class A network with those Class A addresses offered up from the Pfsense DHCP.
A few weeks back, someone setup a rogue router on a LAN segment. It was plugged directly into one of the small Mikrotiks and so started offering DHCP addresses to the network backbone. In the course of diagnosing and fixing this situation I checked my DHCP logs and found they were being flooded.
To eliminate possible confusion I partially deconstructed the HA Cluster and established the primary of the two as a single router until we found the rogue router. I and another tech visited several endpoints (mainly medical offices and the like), editing their ethernet settings from DHCP to static and pointing DNS directly at the primary router IP, not the VitualIP of the cluster.
The rogue router was found and removed, but I'm reticent to re-initialize the cluster until I can find the source of this - DHCP requests are currently constituting 30% - 60% of LAN traffic.
Anyone have any ideas?
-
OK, so you have 50 buildings on a single broadcast subnet – but not a single switch with DHCP snooping? Well, I think debugging anything here is pointless, next time someone plugs a $15 wifi AP into the wall, you're gonna be doomed again.
-
Well, you have an obviously correct point, and I'll be addressing that (I didn't spec the current equipment), but the rogue router was removed and wasn't causing the BOOTP flood.