Netgate Discussion Forum
How to detect rogue DHCP servers on the internal network?

DHCP and DNS
4 Posts 2 Posters 2.4k Views
    egil
    last edited by Oct 13, 2013, 10:16 AM

    Hi,

    I run the network at a dormitory where we from time to time see people install their wifi routers incorrectly, causing a rogue DHCP server to show up on the network, causing mischief for us.

    Is it possible to set up a service on pfSense that automatically detects if rogue DHCP servers are present on the network?

    Regards, Egil.

      johnpoz LAYER 8 Global Moderator
      last edited by Oct 13, 2013, 1:38 PM Oct 13, 2013, 1:35 PM

      If you have Windows, here is an older tool that still works

      http://blogs.technet.com/b/teamdhcp/archive/2009/07/03/rogue-dhcp-server-detection.aspx

      But it would be better to prevent than detect, wouldn't it - what switches are you using?
      http://en.wikipedia.org/wiki/DHCP_snooping
      http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/snoodhcp.html

      In Linux, use dhcp_probe.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        egil
        last edited by Oct 13, 2013, 3:59 PM
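As an added illustration of the detection approach discussed above (not code from the thread, pfSense or dhcp_probe), this script parses captured DHCP server replies (OFFER/ACK), reads the Server Identifier option, and flags any server that is not on an operator-maintained allowlist. The allowlist address 10.0.0.1 and the sample packets are constructed; in practice the payloads would come from a pcap or a UDP/68 listener on the LAN.

```python
import socket
import struct

# Constructed assumption: pfSense is the only authorised DHCP server on the dorm LAN.
AUTHORIZED_SERVERS = {"10.0.0.1"}
DHCP_MAGIC = b"\x63\x82\x53\x63"  # RFC 2132 magic cookie at offset 236
OFFER, ACK = 2, 5                  # DHCP message types (option 53)


def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a raw BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                         # 0 = pad, has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def classify_server_reply(payload: bytes, authorized=AUTHORIZED_SERVERS):
    """For a DHCPOFFER/DHCPACK return (server_ip, is_rogue); None for other types."""
    opts = parse_dhcp_options(payload)
    if opts.get(53, b"\x00")[0] not in (OFFER, ACK):
        return None
    sid = opts.get(54)                               # Server Identifier option
    server_ip = socket.inet_ntoa(sid if sid and len(sid) == 4 else payload[20:24])
    return server_ip, server_ip not in authorized


def find_rogue_servers(payloads, authorized=AUTHORIZED_SERVERS) -> set:
    """Audit captured DHCP payloads and return the set of unauthorised server IPs."""
    rogue = set()
    for p in payloads:
        result = classify_server_reply(p, authorized)
        if result and result[1]:
            rogue.add(result[0])
    return rogue


def build_offer(server_ip: str, yiaddr: str = "10.0.0.50") -> bytes:
    """Constructed DHCPOFFER used as sample input; not a real capture."""
    hdr = struct.pack("!BBBB4sHH4s4s4s4s", 2, 1, 6, 0, b"\x12\x34\x56\x78", 0, 0,
                      b"\0" * 4, socket.inet_aton(yiaddr), socket.inet_aton(server_ip), b"\0" * 4)
    hdr += b"\x00\x11\x22\x33\x44\x55" + b"\0" * 10 + b"\0" * 192   # chaddr, sname, file
    return hdr + DHCP_MAGIC + bytes([53, 1, OFFER, 54, 4]) + socket.inet_aton(server_ip) + b"\xff"
```

`find_rogue_servers([build_offer("10.0.0.1"), build_offer("192.168.1.1")])` returns `{"192.168.1.1"}`; any non-empty result is worth an alert, since a second DHCP server on a flat network is exactly the misconfigured router the original poster describes.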

        Hi John,

        Unfortunately, the network topology is the worst kind of homemade, with only a few managed switches here and there, and bad cabling to top it off.
        The switches that can best be described as being the backbone are two ZyXEL GS2200-24P and a Dell PowerConnect 2724.

        I don't know much about DHCP snooping, how to set it up etc., so any advice is welcome indeed. Is it possible on a switch level to block DHCP ACKs that are not coming from a specific MAC address?

          johnpoz LAYER 8 Global Moderator
          last edited by Oct 14, 2013, 2:07 AM

          Well, you're not going to be able to run DHCP snooping unless your switches support it. And all the switches would need to be able to do it, not just a couple of them. Or you still would have problems with people connected to the same switch that is downstream from your managed switch.

          I can not believe a school network would run on such crap?

          I would think a school would run decent hardware? How does tuition not cover a decent network - shit, doesn't the school have a computer science program? This would all be hands-on stuff that should be taught in the classes.

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.