next »

[luke240778]

I am having a strange problem currently where i see some clients on my LAN that are connected to my AP's but are with an IP like 172.16.0.165 (my lan is 10.0.0.1/18)

I can't understand how this can happen.. All my AP's that clients connect to have my settings as Gateway, and DNS.. so am not sure where to look to try and fix this problem?

my pfSense box is the only DHCP server i have on my network, and all AP's have the correct settings for my setup.

[wallabybob]

I am having a strange problem currently where i see some clients on my LAN that are connected to my AP's but are with an IP like 172.16.0.165 (my lan is 10.0.0.1/18)

I can't understand how this can happen.

The clients have configured a static IP address? I don't see how you could prevent that!

The users of these client computers reported problems? If they didn't then perhaps the firewall rules on your LAN interface are overly generous. But I don't know enough about your network topology or the policies you want your users to abide by for me to comment further. 

[luke240778]

I am having a strange problem currently where i see some clients on my LAN that are connected to my AP's but are with an IP like 172.16.0.165 (my lan is 10.0.0.1/18)

I can't understand how this can happen.

The clients have configured a static IP address? I don't see how you could prevent that!

The users of these client computers reported problems? If they didn't then perhaps the firewall rules on your LAN interface are overly generous. But I don't know enough about your network topology or the policies you want your users to abide by for me to comment further. 

No, they haven't set Static IP.. its strange.. their Antenna is connected to my AP, from which it gets IP via DHCP from my pfsense box, but on teh AP i am seeing their AP as 172.16.0.165.  The antenna is locked to the client, they cannot get in to it to change any settings.  The strange thing is i had a problem with my pfsense box yesterday (as you know from posting in that thread), when i created a new VM with pfsense to get back up and running, i also noticed that i set the WAN to get DHCP, just so it wouldnt affect the other pfsense VM that was running, and i also got an IP in the 172.16.0.xx range!  No idea how or from where.. i have a fiber connection which is not DHCP.. i have to setup WAN manually on my pfsense.

[wallabybob]

DHCP clients typically record the IP address of the server giving them the lease so the client can renew the lease before it expires.

If I recall correctly, some windows systems report the DHCP server in the output of the shell command ipconfig /all

You should see the pfSense dhcp client output in the pfSense system log which can be displayed by shell command clog /var/log/system.log

[dhatz]

luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

[luke240778]

luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

Correct, and this is what i am thinking/worrying about.. but not sure how i would find it.. and seeing that the DHCP leases that its giving are nothing like my network, not understanding how it could be working..  If all AP's know to get DHCP from my 10.0.0.1, how can any of them be getting IP's in a 172.16.0.xx range? 

How can i determine this by looking at DHCP traffic?  the DHCP leases only shows the ones that are getting IP from me, the ones with this problem, their MAC's are not on the DHCP list as they are getting an IP from elsewhere.  Can you tell me how i would go about trying to track this down?

[cmb]

Look at ipconfig/all on the host (assuming Windows) that has a weird DHCP IP and you'll see the DHCP server's IP. You should be able to ping the DHCP server IP from that host, then check its ARP cache to see what MAC it has, and track it down from there. Most likely it's one of your APs, but hard to say, the MAC will let you track it down.

[luke240778]

Look at ipconfig/all on the host (assuming Windows) that has a weird DHCP IP and you'll see the DHCP server's IP. You should be able to ping the DHCP server IP from that host, then check its ARP cache to see what MAC it has, and track it down from there. Most likely it's one of your APs, but hard to say, the MAC will let you track it down.

Don't think i can do it that way. All clients have antennas, so ipconfig/all on their PC will show the details of the Antenna.  In the antenna, it is connected to my AP, so it will show the mac of that, the AP is set manually to get DHCP from 10.0.0.1 which they are not, so i dont see how it can be one of my AP's (i have checked them all also).  I have clients on multiple AP's all getting this strange IP, reboot them and sometimes they luckily get the correct IP from my DHCP server, and otehr times they continue to get the other IP.. any other ideas?

[dhatz]

luke, I seem to remember that you're running a bridged setup, so it's possible that someone is running a "rogue" DHCP server on your network. You can determine it by monitoring DHCP traffic.

Correct, and this is what i am thinking/worrying about.. but not sure how i would find it.. and seeing that the DHCP leases that its giving are nothing like my network, not understanding how it could be working..  If all AP's know to get DHCP from my 10.0.0.1, how can any of them be getting IP's in a 172.16.0.xx range?  

How can i determine this by looking at DHCP traffic?  the DHCP leases only shows the ones that are getting IP from me, the ones with this problem, their MAC's are not on the DHCP list as they are getting an IP from elsewhere.  Can you tell me how i would go about trying to track this down?

There are various tools you could use, depending on what type of systems you have. Check http://www.google.com/search?q=rogue+dhcp+server+detection

As I pointed out to you some months ago, your bridged setup is prone to such problems, most probably induced completely unintentionally by someone among your users installing another router at home. IIRC you run your WISP on a combination of Ruckus and UBNT gear; the latter is Linux-based and its iptables allows you to filter traffic.

[luke240778]

Thanks for your help, found a link with a tool called dhcp_probe for linux, installed and ran it, and it did indeed find another dhcp server, but it was 192.168.2.1 and not anything like the 172.16.0.xx ip's that i see all my clients getting.. could that 192.168.2.1 be giving ip's out in that 172.16.0.xx range?

[ptt]

To test, you can set one PC with a staic IP, lets say, 172.16.0.3 with GW 172.16.0.1, and try to ping 172.16.0.1, to check if that IP responds, or you can get nmap and scan the 172.16.0.x network....



Just an off topic question; are you still palying with your  RB750GL and DHCP relay ?  

http://forum.ubnt.com/showthread.php?t=51522

[luke240778]

Thanks for your reply.  Yeah i did that test already and came up with nothing.. ran an angryIP scan on that subnet and also got nothing.. strange

Yes i am still playing with the RB750GL, i have it basically doing everything that i need it to apart from that DHCP relay.. doesnt seem to be working for me at all..

[dhatz]

Just an off topic question; are you still palying with your  RB750GL and DHCP relay ?  
http://forum.ubnt.com/showthread.php?t=51522

It was quite interesting to read those people's take on Mikrotik vs pfSense... I think their position is understandable from their point of view (i.e. running a WISP) since MT has been targeting that specific niche for almost 10 years. Additionally, since MT ROS is built on Linux, if one is already familiar with the underlying tools e.g. iptables/tc/etc one has a smoother learning curve.

On the other hand, IMO pfSense is better suited than MT ROS as a corporate firewall and VPN termination device (and router & IDS/IPS & rev-proxy, depending how well the quagga / openbgp / snort / varnish packages evolve).

Despite some disparaging comments, there is simply no comparison between pfsense and ROS when one considers the underlying technology, e.g. the fact that pfsense includes top-tier tools like ISC dhcpd and unbound DNS (v2.1).

[luke240778]

Just an off topic question; are you still palying with your  RB750GL and DHCP relay ?  
http://forum.ubnt.com/showthread.php?t=51522

It was quite interesting to read those people's take on Mikrotik vs pfSense... I think their position is understandable from their point of view (i.e. running a WISP) since MT has been targeting that specific niche for almost 10 years. Additionally, since MT ROS is built on Linux, if one is already familiar with the underlying tools e.g. iptables/tc/etc one has a smoother learning curve.

On the other hand, IMO pfSense is better suited than MT ROS as a corporate firewall and VPN termination device (and router & IDS/IPS & rev-proxy, depending how well the quagga / openbgp / snort / varnish packages evolve).

Despite some disparaging comments, there is simply no comparison between pfsense and ROS when one considers the underlying technology, e.g. the fact that pfsense includes top-tier tools like ISC dhcpd and unbound DNS (v2.1).

Totally agree, and it was definately hard in that thread to keep my cool

I don't care what any of them say, i AM keeping my pfSense Firewall no matter what.  I definately, from testing both, agree that the "Hotspot" on ROS is MUCH better than the Captive Portal on pfSense.  It is a cool little tool, but in production, as a WiSP.. Captive Portal really sux.. works very poorly unfortunately.

[ptt]

Back on topic  

I'm not 100% sure, but with a firewall rule like this in your Rockets (i'm using airOS 5.3.5.), you should be able to block Rogue DHCP servers.

Please try first in Lab

Edit: here you can read about UBNT & Rogue DHCP servers http://forum.ubnt.com/showthread.php?t=25073