Rogue DHCP server

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Rogue DHCP server

    I was having a problem implementing SBS 2008 on a network that was using a legacy warehouse inventory system that needed its own DHCP server running to communicate with its own devices inside the production facility. This DHCP would not give addresses to any PCs, only the devices that were part of the system. I assume there is some type of MAC filtering going on.
    Needless to say the DHCP server in SBS 2008 kept shutting down because it was seeing other DHCP advertisements from a totally separate subnet.
    My only choice was to use the DHCP server inside the router or come up with some other way. After Binging and Googling I could find no other solutions that worked. So I decided to try the Windows firewall on the SBS 2008 server.
    I created an inbound rule to block the ports 67 and 68 on the interface and it seems to work. I no longer see the advertisements from the other network and my local PCs are getting addresses from the Windows server.

    Here is how I created the inbound firewall rule:
    I created the rule through the wizard and when done went into the properties to modify it.
    On the General tab click "Enabled" and "Block the Connections".
    On the Programs and Services tab leave All Programs checked and click "Services", then select this service only: "DHCP Server".
    On the Protocols and Ports tab: for local, select the UDP protocol and enter specific port 68.
    For remote port enter specific port 67.
    Click Apply.

  • #2
    Re: Rogue DHCP server

    Originally posted by chuckfraz
    Needless to say the DHCP server in SBS 2008 kept shutting down because it was seeing other DHCP advertisements from a totally separate subnet.
    If the DHCP server for the warehouse inventory system was on a separate subnet, how were the DHCP broadcasts being seen on the SBS machine's subnet? I'm assuming there was some kind of DHCP helper, such as a router that was passing DHCP traffic over the separate subnets. Could you have turned that feature off so as to keep the inventory system's DHCP traffic segregated to its own subnet?




    Originally posted by chuckfraz
    I created an inbound rule to block the ports 67 and 68 on the interface and it seems to work. I no longer see the advertisements from the other network and my local PCs are getting addresses from the Windows server.
    So, the SBS machine was receiving DHCP traffic from the separate subnet that has the inventory system on it but the client PCs were not? Otherwise, how are the client PCs not getting interference from the inventory system's DHCP server? I would think that the inventory system would be sending DHCPNack packets back to any PC that was not in its list of MAC addresses, if your assumption is correct that a MAC filter is being used.


    Originally posted by chuckfraz
    I created the rule through the wizard and when done went into the properties to modify it. On the General tab click "Enabled" and "Block the Connections". On the Programs and Services tab leave All Programs checked and click "Services", then select this service only: "DHCP Server". On the Protocols and Ports tab: for local, select the UDP protocol and enter specific port 68. For remote port enter specific port 67. Click Apply.
    Neat little rule you made. So, if I'm understanding correctly, this blocks the SBS machine from sending out DHCPDiscover broadcasts, but allows all incoming DHCP traffic?

    I so loathe bizarre, proprietary implementations of technology to shoehorn a broken workflow.
    Wesley David
    LinkedIn | Careers 2.0
    -------------------------------
    Microsoft Certifications: MCSE 2003 | MCSA:Messaging 2003 | MCITP:EA, SA, EST | MCTS: a'plenty | MCDST
    Vendor Neutral Certifications: CWNA
    Blog: www.TheNubbyAdmin.com || Twitter: @Nonapeptide || GTalk, Reader and Google+: [email protected] || Skype: Wesley.Nonapeptide
    Goofy kitten avatar photo from Troy Snow: flickr.com/photos/troysnow/



    • #3
      Re: Rogue DHCP server

      As far as I know DHCP broadcasts across all networks attached to the same networking gear, switches, hubs etc., which is my case. The local PCs are not getting addresses from the unwanted DHCP server because the vendor for that equipment has set up MAC filtering so that only their devices get addresses. The SBS 2008 server is seeing that DHCP server and shutting down its own DHCP.



      • #4
        Re: Rogue DHCP server

        If there are multiple subnets involved in this scenario, which it sounds like, and yet broadcasts are being seen across them... another scenario that could be happening is that your switches have IP routing enabled. That caused me some confusion a little while ago before I realized that by default a ProCurve 2600 routes traffic between different subnets.
        Wesley David



        • #5
          Re: Rogue DHCP server

          Originally posted by chuckfraz
          As far as I know DHCP broadcasts across all networks attached to the same networking gear, switches, hubs etc., which is my case. The local PCs are not getting addresses from the unwanted DHCP server because the vendor for that equipment has set up MAC filtering so that only their devices get addresses. The SBS 2008 server is seeing that DHCP server and shutting down its own DHCP.
          Not true.

          DHCP is a broadcast which cannot go across subnets because traffic needs to be routed between the subnets and a router will not pass broadcast packets.

          We have 4 subnets in our LAN and have an IP helper on our switches to enable the client machines on each of the subnets to get their IP addresses from a single DHCP server.

          Are you positive that there are no IP helpers on switches anywhere or DHCP relay agents installed that will cause this?

          Either that or your network is set up funny.

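The thread never settles whether the vendor's DHCP server reached the SBS box directly (same broadcast domain, as in #3) or through an IP helper / relay agent (as #2, #4 and #5 suggest), and the firewall rule in the first post hides the symptom without answering that. Two fields in the DHCP message answer it for you: the server identifier option (54) names the server that sent an OFFER/ACK/NAK regardless of any MAC filtering it applies, and a non-zero giaddr in the BOOTP header means a relay agent forwarded the reply. The Windows DHCP Server service's own rogue-detection check works by sending a DHCPINFORM and listening for other servers' answers, so those answers are exactly the packets a decoder like this classifies. The following is an added example, not code from this thread or from any of the posters: a small DHCP decoder plus an audit that flags server replies whose server identifier is not on an allowlist and records whether each was relayed. The packets it runs on are constructed inline with `build_dhcp` and the addresses (192.168.1.2 as the authorized server, 10.50.0.5 behind relay 10.50.0.1) are made up for the demonstration; on a real network you would feed it the UDP port 67/68 payloads from a packet capture taken on the server's subnet.

```python
"""Decode DHCP/BOOTP messages and flag server replies from unauthorized servers."""
import ipaddress
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2132 marker that starts the option field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK", 8: "INFORM"}
SERVER_REPLIES = {"OFFER", "ACK", "NAK"}  # message types only a server sends


@dataclass
class DhcpMessage:
    op: int                  # 1 = BOOTREQUEST (client), 2 = BOOTREPLY (server)
    xid: int                 # transaction id
    yiaddr: str              # address the server is handing out
    giaddr: str              # relay agent address; 0.0.0.0 when not relayed
    chaddr: str              # client hardware address (first hlen bytes of chaddr)
    options: Dict[int, bytes]

    @property
    def msg_type(self) -> Optional[str]:
        raw = self.options.get(OPT_MSG_TYPE)
        return MSG_TYPES.get(raw[0]) if raw else None

    @property
    def server_id(self) -> Optional[str]:
        raw = self.options.get(OPT_SERVER_ID)
        return str(ipaddress.IPv4Address(raw)) if raw and len(raw) == 4 else None

    @property
    def relayed(self) -> bool:
        return self.giaddr != "0.0.0.0"


def parse_dhcp(payload: bytes) -> DhcpMessage:
    """Decode the 236-byte fixed BOOTP header and the TLV option list that follows it."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _htype, hlen, _hops = payload[0:4]
    (xid,) = struct.unpack("!I", payload[4:8])
    yiaddr = str(ipaddress.IPv4Address(payload[16:20]))
    giaddr = str(ipaddress.IPv4Address(payload[24:28]))
    chaddr = payload[28:28 + min(hlen, 16)].hex(":")
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length
    return DhcpMessage(op, xid, yiaddr, giaddr, chaddr, options)


def build_dhcp(op: int, xid: int, msg_type: int, chaddr: bytes, yiaddr: str = "0.0.0.0",
               giaddr: str = "0.0.0.0", server_id: Optional[str] = None) -> bytes:
    """Assemble a minimal DHCP message; used here only to construct sample captures."""
    header = struct.pack("!BBBBIHH", op, 1, len(chaddr), 0, xid, 0, 0)   # op..flags
    header += b"\0" * 4                                                   # ciaddr
    header += ipaddress.IPv4Address(yiaddr).packed
    header += b"\0" * 4                                                   # siaddr
    header += ipaddress.IPv4Address(giaddr).packed
    header += chaddr.ljust(16, b"\0") + b"\0" * 192                       # chaddr, sname, file
    opts = bytes([OPT_MSG_TYPE, 1, msg_type])
    if server_id:
        opts += bytes([OPT_SERVER_ID, 4]) + ipaddress.IPv4Address(server_id).packed
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])


def audit(packets: List[bytes], authorized: List[str]) -> List[dict]:
    """One finding per OFFER/ACK/NAK whose server identifier is not in the allowlist."""
    allowed = set(authorized)
    findings = []
    for raw in packets:
        try:
            msg = parse_dhcp(raw)
        except ValueError:
            continue                                  # not DHCP, skip it
        if msg.msg_type not in SERVER_REPLIES or msg.server_id in allowed:
            continue                                  # client traffic or a known server
        findings.append({"type": msg.msg_type, "server": msg.server_id, "client": msg.chaddr,
                         "offered": msg.yiaddr, "relayed_via": msg.giaddr if msg.relayed else None})
    return findings


# Constructed sample capture: a PC's DISCOVER, the authorized server's OFFER, and an OFFER
# from an unknown server that arrived through a relay agent (all addresses are made up).
SAMPLE_CAPTURE = [
    build_dhcp(1, 0x1001, 1, b"\x00\x11\x22\x33\x44\x55"),
    build_dhcp(2, 0x1001, 2, b"\x00\x11\x22\x33\x44\x55", yiaddr="192.168.1.50", server_id="192.168.1.2"),
    build_dhcp(2, 0x2002, 2, b"\x00\xaa\xbb\xcc\xdd\xee", yiaddr="10.50.0.77", giaddr="10.50.0.1",
               server_id="10.50.0.5"),
]
AUTHORIZED_SERVERS = ["192.168.1.2"]

if __name__ == "__main__":
    for finding in audit(SAMPLE_CAPTURE, AUTHORIZED_SERVERS):
        print(finding)
```

A finding with `relayed_via` set points at a helper address or relay agent on the switch or router (the #5 explanation); one with `relayed_via` of `None` means the foreign server is in the same broadcast domain as the SBS box (the #3 explanation), and the fix is VLAN separation rather than a host firewall rule.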