Bizarre IP in my LAN
-
Hi
I have a bizarre case. ISP router in bridge mode, pfsense is DHCP server, I have 3 networks, 192.168.2.1/24, 192.168.4.1/24 and 192.168.5.1/24. No other DHCP servers:
in pfSense no dhcp leases to trace.
Explain this please..... ;-) 192.168.10.11 ????
I have asked clients to reconnect, but no luck...
-
@Modesty Rogue DHCP server? Do a packet capture on a client and force an IP renew. If there is a rogue you will see it in the packet capture.
-
@Modesty yup packet capture would do it, or you could use nmap
$ nmap --script broadcast-dhcp-discover -e eth1
Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-14 08:21 Central Standard Time
Pre-scan script results:
| broadcast-dhcp-discover:
|   Response 1 of 1:
|     Interface: eth1
|     IP Offered: 192.168.9.110
|     DHCP Message Type: DHCPOFFER
|     Server Identifier: 192.168.9.253
|     IP Address Lease Time: 4d00h00m00s
|     WPAD:
|
|     Subnet Mask: 255.255.255.0
|     Router: 192.168.9.253
|     Domain Name Server: 192.168.3.10
|     Domain Name: home.arpa
|     NTP Servers: 192.168.3.32
|_    NetBIOS Node Type: 1
WARNING: No targets were specified, so 0 hosts scanned.
Nmap done: 0 IP addresses (0 hosts up) scanned in 10.10 seconds
Yes nmap can run on windows ;) Or MS even put out a tool back in the day.. Old technet article - but that is long gone - but you can grab it from here
https://tachytelic.net/2019/05/detect-rogue-dhcp-server/
Still works on windows 10
It's only finding my actual dhcp server, pfsense.. But if there is more than 1 on your network you should discover it.
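What the packet capture and the nmap script above both surface is the Server Identifier (DHCP option 54) in each DHCPOFFER. The following is an added example, not part of the original post: it parses raw DHCP reply payloads and lists any server identifier that is not on an allowlist. The `build_offer` helper, the sample payloads and the second server address 192.168.10.1 are constructed for illustration.

```python
import ipaddress

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that follows the 236-byte BOOTP header
OFFER, ACK = 2, 5                  # option 53 (DHCP Message Type) values

def parse_dhcp_reply(payload: bytes) -> dict:
    """Parse the UDP payload of a DHCP reply: offered IP, message type, server id."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    info = {"yiaddr": str(ipaddress.IPv4Address(payload[16:20])),
            "msg_type": None, "server_id": None}
    i = 240
    while i < len(payload) and payload[i] != 255:   # 255 = End option
        code = payload[i]
        if code == 0:                               # Pad option is a single byte
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        if code == 53 and length == 1:
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:
            info["server_id"] = str(ipaddress.IPv4Address(value))
        i += 2 + length
    return info

def find_rogue_servers(payloads, known_servers):
    """Map each non-allowlisted server id to the addresses it offered or acked."""
    rogue = {}
    for p in payloads:
        try:
            info = parse_dhcp_reply(p)
        except ValueError:
            continue                                # skip non-DHCP or damaged payloads
        # An OFFER/ACK with no option 54 is malformed and is reported under None.
        if info["msg_type"] in (OFFER, ACK) and info["server_id"] not in known_servers:
            rogue.setdefault(info["server_id"], []).append(info["yiaddr"])
    return rogue

def build_offer(yiaddr, server_id):
    """Build a minimal DHCPOFFER payload (constructed sample data, not a capture)."""
    hdr = bytearray(236)
    hdr[0], hdr[1], hdr[2] = 2, 1, 6                # BOOTREPLY, Ethernet, 6-byte MAC
    hdr[16:20] = ipaddress.IPv4Address(yiaddr).packed
    opts = bytes([53, 1, OFFER, 54, 4]) + ipaddress.IPv4Address(server_id).packed
    return bytes(hdr) + DHCP_MAGIC + opts + b"\xff"

# Constructed: the offer from the nmap output above, plus one from a hypothetical second server.
SAMPLE = [build_offer("192.168.9.110", "192.168.9.253"),
          build_offer("192.168.10.11", "192.168.10.1")]
```

An empty result from `find_rogue_servers` only covers the L2 segment the payloads were captured on, and it does not rule out clients that keep an old address without asking for DHCP at all.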
-
WOW
I used Rogue Checker and found
Is the 169.254.5.254 on my PC? It's not on my pfSense box
Any tip to help me one more step?
-
-
@Modesty said in Bizarre IP in my LAN:
169.254.5.254
That is a link-local IPv4 address, also known as APIPA - windows will give itself that address when an interface is set for dhcp, but a dhcp server does not answer.. No you really shouldn't have that IP on your PC..
What does the output of ipconfig /all show?
example
Windows IP Configuration

   Host Name . . . . . . . . . . . . : i9-win
   Primary Dns Suffix . . . . . . . : home.arpa
   Node Type . . . . . . . . . . . . : Broadcast
   IP Routing Enabled. . . . . . . . : No
   WINS Proxy Enabled. . . . . . . . : No
   DNS Suffix Search List. . . . . . : home.arpa

Ethernet adapter Ethernet 2:

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Realtek PCIe 5GbE Family Controller
   Physical Address. . . . . . . . . : 34-C8-D6-B4-01-55
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.9(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . :
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . : home.arpa
   Description . . . . . . . . . . . : Killer E2600 Gigabit Ethernet Controller
   Physical Address. . . . . . . . . : B0-4F-13-0B-FD-16
   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.9.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Saturday, November 9, 2024 12:35:04 PM
   Lease Expires . . . . . . . . . . : Sunday, November 17, 2024 12:35:03 PM
   Default Gateway . . . . . . . . . : 192.168.9.253
   DHCP Server . . . . . . . . . . . : 192.168.9.253
   DNS Servers . . . . . . . . . . . : 192.168.3.10
   NetBIOS over Tcpip. . . . . . . . : Enabled

Ethernet adapter vEthernet (WSL):

   Connection-specific DNS Suffix . :
   Description . . . . . . . . . . . : Hyper-V Virtual Ethernet Adapter
   Physical Address. . . . . . . . . : 00-15-5D-AF-59-50
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::15f4:5c26:699:97d7%27(Preferred)
   IPv4 Address. . . . . . . . . . . : 172.29.64.1(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over Tcpip. . . . . . . . : Enabled
That 192.168.9.100 is my normal network connection, the 192.168.10.9 is a 5ge interface I have connected directly to my NAS with also a 5ge connection that I use only for transfer of files between my nas and pc. The 172.29.64.1 is interface used only for the WSL instance I run on my PC..
-
Keep in mind what L2 are those 192.168.10 showing up on - to detect if you have dhcp server you don't know about - you would need to be on that same L2 network
What network are those .10 showing up on - your 2 your 4 or your 5?
-
Hi, thanks for answer.
@johnpoz said in Bizarre IP in my LAN:
Keep in mind what L2 are those 192.168.10 showing up on - to detect if you have dhcp server you don't know about - you would need to be on that same L2 network
That may not be possible, I don't have a .10 network, how can I log in to it?
I tried network VLAN_5_LEILIGHET, no ping response from 192.168.10.18 + .24
What network are those .10 showing up on - your 2 your 4 or your 5?
The .10 is only visible on unifi controller, not in DHCP leases on pfSense
the .10 is to a sonos device, in an apartment I rent out.
Can it be its own dhcp server?
Can it be some issues due to 10 days ago my dhcp was on only 192.168.10.0/24
.2 is my lan, .4 and .5 is VLANs
-
@Modesty said in Bizarre IP in my LAN:
That may not be possible, I don't have a .10 network
You have a L2 they are showing up on if you're seeing the traffic in pfsense.. You understand the difference between L2 and L3?
Where exactly are you seeing that in pfsense - the firewall, if so what interface does the firewall log the traffic on?
You can boot a client in the unifi controller
Click on the client in the unifi controller and look at the little gear icon
Can it be some issues due to 10 days ago my dhcp was on only 192.168.10.0/24
You mean you used to hand out 192.168.10 addresses from pfsense dhcp? It could be the client not wanting to change its address.. Iot devices are not always that smart ;) Have seen iot devices once get an IP from dhcp never want to change it, because they never ask for dhcp again.. You have to like completely reset the device.
-
Thanks @johnpoz Bizarre IP in my LAN:
You have a L2 they are showing up on if you're seeing the traffic in pfsense.
As I wrote:
"The .10 is only visible on unifi controller, not in DHCP leases on pfSense."
I have done
Still goes back to .10, this is why I state bizarre ip in my LAN
I have not restarted the sonos, it's in an apartment I don't have access to.
-
@Modesty said in Bizarre IP in my LAN:
"The .10 is only visible on unifi controller, not in DHCP leases on pfSense."
Did I say anything about dhcp leases?? So you're not seeing any firewall traffic blocking these 192.168.10 address?
this is why I state bizarre ip in my LAN
So which one of these networks .2 .4 or .5 is your LAN in pfsense?
You say you only have .2 4 and 5.. Yet your pc also has a 192.168.88 address.
Maybe it would help if you actually draw up a picture of how you have your network setup..
-
@johnpoz said in Bizarre IP in my LAN:
Maybe it would help if you actually draw up a picture of how you have your network setup..
This is not my expertise, so sorry if I'm not 100%
In pfSense box I don't see .10, only on unifi controller.
So where does .10 come from?
You say you only have .2 4 and 5.. Yet your pc also has a 192.168.88 address.
I think this is on my PC, some service, maybe NordVPN, I don't know to be honest.
M
-
@Modesty again to mention that these IOT devices sometimes will not give up an old IP.. You stated you used to run a 192.168.10 network.. So reset these sonos devices or log into them, put a 192.168.10 address on your device and change their IPs to what they should be for the network you have them on, your lan on 192.168.2?
Or just factory reset them. Or forget network, etc.
If you want to check if you have some rogue dhcp server, you would have to connect to whatever vlan/network these sonos are on - in your unifi controller what ssid are they connecting to, what network is that supposed to be currently?
edit: here I set my phone to use a IP that is not on my network.. And the unifi controller sees it.. If you had a rogue dhcp server you would think you would see more than these sonos devices on the different IP scheme.. But since it's the sonos only, my guess would be at one time they had those IPs when you were running the 192.168.10 network, and they don't want to give it up - either they are set static on the device, or their iot stack is shit and they are not getting the new IP from your current dhcp server range..
You will need to either login to them and fix the static, or reset them so they get a new dhcp IP.
I had a thermostat that was like this - pos! once it got a IP from dhcp it would never ask for dhcp again, it would just continue to use the IP it got originally.. I had to go on the thermostat and reset the whole network.. Then when I connected it got an IP on the current network, and set a reservation for it so it would never cause a possible dupe IP issue because it wasn't renewing its lease.
edit2: a quick google found this about sonos
https://www.reddit.com/r/sonos/comments/193fmti/sonos_devices_dont_release_dhcp_assignments/
-
@johnpoz
Thanks, I did reset them and reinstalled them, now they behave like kids ;-)
-
@Modesty said in Bizarre IP in my LAN:
now they behave like kids ;-)
hahah - not sure how to take that, you mean they are working correctly or are they still acting up - hahah ;)