{"id":349,"date":"2009-03-23T01:34:29","date_gmt":"2009-03-23T07:34:29","guid":{"rendered":"http:\/\/gregsowell.com\/?p=349"},"modified":"2009-03-23T07:19:10","modified_gmt":"2009-03-23T13:19:10","slug":"mikrotik-rogue-dhcp-detection","status":"publish","type":"post","link":"https:\/\/gregsowell.com\/?p=349","title":{"rendered":"Mikrotik Rogue DHCP Detection"},"content":{"rendered":"<p>Mikrotik actually has a rogue detection service you can configure, but as we have found running apartment complexes, it can give you false positives.  To combat this, I&#8217;ve come up with a new method.<\/p>\n<p>First configure syslog exporting with the DHCP service dumping.  Next enable the dhcp client to run on all your inside facing interfaces.  I&#8217;ve got my <a href=\"http:\/\/gregsowell.com\/?p=40\">Cacti<\/a> syslog server set to match &#8220;dhcp,info,debug dhcp-client%got ip address&#8221;, which is the message sent when the dhcp client receives an IP address.  Once the syslog server processes the message it sends us an alert.  <\/p>\n<p>Add dhcp-client to each interface, be sure to disable default route, peer dns and peer ntp.<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">\/ ip dhcp-client \r\nadd interface=vlan10 comment=&quot;&quot; disabled=no \r\nadd interface=ether2 comment=&quot;&quot; disabled=no <\/code><\/pre>\n<p>This script will need to be scheduled to run around every hour or so.  It will release the dhcp reservation on your interfaces.  Otherwise it won&#8217;t attempt to pull a new address until the old allocation has expired, which can be up to a year.  It loops through releasing from all your interfaces.<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">:log info (&quot;dhcp detect release&quot;)\r\n:for e from=0 to=40 do={\r\n\/ip dhcp-client release ($e)\r\n}<\/code><\/pre>\n<p>Once you get an alert from your syslog server, you log into the Mikrotik and issue the:<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\"> \r\n\/ip dhcp-client print detail<\/code><\/pre>\n<p>You&#8217;ll get the following:<\/p>\n<blockquote><p>Flags: X &#8211; disabled, I &#8211; invalid<br \/>\n 0   interface=vlan10 status=bound address=192.168.1.100\/24<br \/>\n     gateway=192.168.1.1 dhcp-server=192.168.1.1<br \/>\n     primary-dns=209.189.224.45 secondary-dns=209.189.224.40<br \/>\n     expires-after=21h13m2s<\/p><\/blockquote>\n<p>Take the dhcp-server address and use it below:<\/p>\n<pre class=\"gs-code\"><code class=\"language-plaintext\">\/ip arp print where address=&quot;192.168.1.1&quot;<\/code><\/pre>\n<p>You will get the following result:<\/p>\n<blockquote><p>Flags: X &#8211; disabled, I &#8211; invalid, H &#8211; DHCP, D &#8211; dynamic<br \/>\n #   ADDRESS         MAC-ADDRESS       INTERFACE<br \/>\n 0 D 192.168.0.253   00:08:74:4B:7F:BC ether1<\/p><\/blockquote>\n<p>Now you track this guy down and shut him off at the switch port, or if you are using mac-track in <a href=\"http:\/\/gregsowell.com\/?p=40\">cacti<\/a>, you simply look him up, connect to the proper switch and kill him.  You could also use this in conjunction with the standard rogue detection service to more quickly find the MAC address.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Mikrotik actually has a rogue detection service you can configure, but as we have found running apartment complexes, it can give you false positives. To combat this, I&#8217;ve come up with a new method. First configure syslog exporting with the DHCP service dumping. Next enable the dhcp client to run on all your inside facing [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[],"class_list":["post-349","post","type-post","status-publish","format-standard","hentry","category-mikrotik"],"_links":{"self":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/349","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=349"}],"version-history":[{"count":8,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/349\/revisions"}],"predecessor-version":[{"id":454,"href":"https:\/\/gregsowell.com\/index.php?rest_route=\/wp\/v2\/posts\/349\/revisions\/454"}],"wp:attachment":[{"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=349"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=349"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/gregsowell.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=349"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}