Rogue DHCP Server
-
Good Morning,
This is not exactly a pfSense issue, but I am unable to find a solution. Can anyone please help me?
pfSense version: 2.7.0
Issue : The firewall DHCP logs are showing :
DHCPDISCOVER from 00:1f:3b:5b:bd:ad (Rogue) via em0
Rogue DHCP server is running 192.168.1.0 series but my LAN series is different.
But I am unable to trace the device. There are 2 Cisco SG350 managed switches (after the firewall) and 5-6 unmanaged switches in the network. Is it possible to detect on which port the rogue DHCP is connected?
Regards,
Ashima -
@ashima said in Rogue DHCP Server:
2 Cisco SG350 Managed switches
These SG350's, do they have a DHCP server ?
@ashima said in Rogue DHCP Server:
Is it possible to detect on which port is the rogue DHCP connected.
If the DHCP traffic can be 'seen' on a pfSense LAN port, with pfSense packet capturing you would have the MAC address that has DHCP server capabilities.
Recall : DHCP traffic is UDP, ports 67 and 68. -
@Gertjan
I guess the firewall logs give the mac-id as:
00:1f:3b:5b:bd:ad
Am I correct in that?
Is this not the mac-id of the Rogue DHCP Server? My problem is how do I search for this device. It's a big network of 500-odd devices with 5-6 unmanaged switches in the network. If I can get some info on which port this mac-id device is connected on the SG350, I can narrow down my search.
@Gertjan Thank you for replying. It's great to hear from you. I am coming back to this forum after almost 2 years.
-
@Gertjan said in Rogue DHCP Server:
These SG350's, do they have a DHCP server ?
They do - I have the 350 little brother, the 300 and they do so yeah the 350 can as well

-
@ashima said in Rogue DHCP Server:
DHCPDISCOVER from 00:1f:3b:5b:bd:ad (Rogue) via em0
The DHCP 'command' "DHCPDISCOVER" is sent by the DHCP client to the DHCP server.
So, for me, 00:1f:3b:5b:bd:ad is the DHCP client broadcasting this command on its network for a DHCP OFFER reply, and this reply comes from a DHCP server.
@ashima said in Rogue DHCP Server:
5-6 unmanaged switches in the network
These are (normally) 'dumb' devices. They have no GUI, telnet, ssh, as they are not administrable.
The SG350 is something else, and the doc says: it has (can have) a DHCP server - check if it's enabled?
edit @johnpoz: ok, thanks.
-
Do you have an entry of dhcp offer from something that says rogue on it? That mac is an Intel device - so it wouldn't be your SG350s, their macs would be listed as Cisco.
Dhcp server doesn't send discover - unless it was setup to relay.
But sure with the 350s you could track down what port a mac is on..

-
@Gertjan @johnpoz The DHCP Server is not Enabled in Cisco Sg350. I have verified it again.
Firewall log is filled with these messages:

and this message :

So @Gertjan you are suggesting that this message in the firewall logs does not give the mac-id of the Rogue DHCP Server.
Well then I need to first get the mac-id of the rogue DHCP Server and then get the port on which it is connected.
How do I do it ?
Any Suggestions ?
-
@ashima said in Rogue DHCP Server:
Any Suggestions ?
You can track down what mac is where on your network via the managed 350 switches - I posted an example of where above.
-
@johnpoz I tried in Cisco and that mac-id (00:1f:3b:5b:bd:ad) never shows up.
Is my diagnosis that this is the mac-id of the rogue DHCP Server correct? (I got this info from the firewall logs that I have shared.)
-
@ashima what about the clients asking 00:e0:22 or that other a6:15:7a
edit: you seeing that on pfsense em0 interface - is that not connected to or thru your 350s?
-
@ashima said in Rogue DHCP Server:
Is my diagnosis that this is the mac-id of rogue DHCP Server correct.
To me that looks like a client device with hostname 'Rogue' looking for a dhcp server.
You don't see the response from some other dhcp server because it's sent to the client MAC directly. You only ever see the broadcast traffic at the pfSense interface.
Like for example:
May 5 10:23:36 dhcpd 79959 DHCPDISCOVER from d2:43:8f:91:74:e7 (cedev) via mvneta0
May 5 10:23:36 dhcpd 79959 DHCPOFFER on 172.21.16.24 to d2:43:8f:91:74:e7 (cedev) via mvneta0
May 5 10:23:38 dhcpd 79959 reuse_lease: lease age 329 (secs) under 25% threshold, reply with unaltered, existing lease for 172.21.16.24
May 5 10:23:38 dhcpd 79959 DHCPREQUEST for 172.21.16.24 (172.21.16.1) from d2:43:8f:91:74:e7 (cedev) via mvneta0
May 5 10:23:38 dhcpd 79959 DHCPACK on 172.21.16.24 to d2:43:8f:91:74:e7 (cedev) via mvneta0
That's the full transaction but only the first packet is broadcast.
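An added example (not from the thread or from pfSense): a small Python script that reads dhcpd log lines in the format shown above and flags DHCPREQUESTs in which a client names a server identifier other than pfSense, or asks for an address outside the LAN subnet; those client MACs are the ones to look up in the switch MAC table. The LAN subnet, the pfSense address and the log lines are constructed assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Assumed (constructed for this example): pfSense LAN subnet and its DHCP server address.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
PFSENSE_IP = ipaddress.ip_address("192.168.10.1")

# Matches the ISC dhcpd lines pfSense logs; in a DHCPREQUEST the IP in parentheses
# is the server identifier (option 54) the client is replying to.
LINE_RE = re.compile(
    r"dhcpd \d+ (?P<type>DHCP[A-Z]+)(?: (?:for|on) (?P<ip>[\d.]+))?"
    r"(?: \((?P<server>[\d.]+)\))? (?:from|to) (?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
    r"(?: \([^)]*\))? via (?P<iface>[^\s:]+)")

# Constructed sample log in the same format as the thread's excerpts.
SAMPLE_LOG = """\
May  5 10:23:36 dhcpd 79959 DHCPDISCOVER from aa:bb:cc:00:00:01 (laptop1) via em0
May  5 10:23:36 dhcpd 79959 DHCPOFFER on 192.168.10.50 to aa:bb:cc:00:00:01 (laptop1) via em0
May  5 10:23:38 dhcpd 79959 DHCPREQUEST for 192.168.10.50 (192.168.10.1) from aa:bb:cc:00:00:01 (laptop1) via em0
May  5 10:23:38 dhcpd 79959 DHCPACK on 192.168.10.50 to aa:bb:cc:00:00:01 (laptop1) via em0
May  5 10:24:02 dhcpd 79959 DHCPDISCOVER from aa:bb:cc:00:00:02 (Rogue) via em0
May  5 10:24:03 dhcpd 79959 DHCPREQUEST for 192.168.1.77 (192.168.1.1) from aa:bb:cc:00:00:02 (Rogue) via em0
May  5 10:25:10 dhcpd 79959 DHCPREQUEST for 192.168.1.80 from aa:bb:cc:00:00:03 via em0
"""

def analyze(lines, lan_net=LAN_NET, pfsense_ip=PFSENSE_IP):
    """Return (foreign_servers, suspects): DHCP server IPs other than pfSense that
    clients replied to, and per client MAC the evidence that it used another server."""
    foreign_servers = set()
    suspects = defaultdict(list)
    for line in lines:
        m = LINE_RE.search(line)
        if not m or m["type"] != "DHCPREQUEST":
            continue  # only REQUESTs carry the client's chosen server / address
        ip = ipaddress.ip_address(m["ip"]) if m["ip"] else None
        server = ipaddress.ip_address(m["server"]) if m["server"] else None
        if server is not None and server != pfsense_ip:
            # The client is answering an OFFER from a server that is not pfSense.
            foreign_servers.add(str(server))
            suspects[m["mac"]].append(f"requested {ip} from server {server}")
        elif ip is not None and ip not in lan_net:
            # Renewing/confirming an off-subnet lease: it was handed out elsewhere.
            suspects[m["mac"]].append(f"requested off-subnet address {ip}")
    return foreign_servers, dict(suspects)

if __name__ == "__main__":
    servers, suspects = analyze(SAMPLE_LOG.splitlines())
    print("other DHCP servers seen:", sorted(servers))
    for mac, why in suspects.items():  # MACs to look up in the SG350 MAC table
        print(mac, "->", "; ".join(why))
```

On a real box the same function can be fed the output of the DHCP log page or /var/log/dhcpd.log; a DISCOVER alone, as the thread explains, proves nothing about which server answered.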
-
@johnpoz pfsense em0 is connected to Cisco SG350 and all clients are after that
-
@ashima then for sure you should see it in the mac address table. Even if you were connected to a dumb switch downstream of the 350s - it would list the port that dumb switch is connected to, or even if multiple daisy chained dumb switches - you would still see the mac listed on the port of the 350 your dumb switches are on.
-
@stephenw10 Ok, got it. So how do I get the mac-id of the Rogue DHCP Server?
-
I would be looking on the client device that is asking.
-
@ashima @stephenw10 is correct - that name might just be the clients name..
@stephenw10 do you see all your clients doing that? I looked in my logs and I only see my son's phone doing that with name in the log
May 2 14:30:40 dhcpd 15223 DHCPACK on 192.168.6.103 to 82:fd:03:77:ef:4a (Pixel-9a) via igb2.6
May 2 14:30:40 dhcpd 15223 DHCPREQUEST for 192.168.6.103 (192.168.6.253) from 82:fd:03:77:ef:4a (Pixel-9a) via igb2.6
May 2 14:30:40 dhcpd 15223 DHCPOFFER on 192.168.6.103 to 82:fd:03:77:ef:4a (Pixel-9a) via igb2.6
May 2 14:30:40 dhcpd 15223 DHCPDISCOVER from 82:fd:03:77:ef:4a (Pixel-9a) via igb2.6
May 2 14:30:40 dhcpd 15223 DHCPOFFER on 192.168.6.103 to 82:fd:03:77:ef:4a (Pixel-9a) via igb2.6
None of the other entries show name or device in the log.
-
It's interesting that you also see the DHCPREQUEST part of that transaction on the pfSense interface though.

-
@johnpoz said in Rogue DHCP Server:
do you see all your clients doing that?
Nope, only clients that do not know where the dhcp server is. So in that case it was just after upgrading and rebooting that VM. Most of the time they just use DHCPREQUEST to the server directly.
-
It's not uncommon for a device to ask for its old IP when it moves networks. But when it doesn't get a response for that IP, it should do a discover and get an IP on the network it's currently on.
-
@stephenw10 Thanks for the tip. I just searched for those mac-ids in the switch and all of them are connected on Port 13 of the switch. Let me check and get back.