# [solved] DHCP client ignores DHCPNAK, keeps requesting ...

## ohaleck

Hello all,

I have just read the DHCP is started but no-one can get IP's but I still cannot find solution to my problem:

Some of the DHCP clients in my network keep requesting addresses which they are not supposed to get. My server replies with a DHCPNAK but the clients still do the same. It looks like this:

```
Jan 24 20:49:30 [dhcpd] DHCPDISCOVER from 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:30 [dhcpd] DHCPOFFER on 192.168.36.33 to 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:30 [dhcpd] DHCPREQUEST for 192.168.0.131 (192.168.0.1) from 00:0b:6a:79:86:a9 via eth1: lease 192.168.0.131 unavailable.
Jan 24 20:49:30 [dhcpd] DHCPNAK on 192.168.0.131 to 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:31 [dhcpd] DHCPDISCOVER from 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:31 [dhcpd] DHCPOFFER on 192.168.36.33 to 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:32 [dhcpd] DHCPREQUEST for 192.168.0.131 (192.168.0.1) from 00:0b:6a:79:86:a9 via eth1: lease 192.168.0.131 unavailable.
Jan 24 20:49:32 [dhcpd] DHCPNAK on 192.168.0.131 to 00:0b:6a:79:86:a9 via eth1
.... etc
```

The address this computer should get is 192.168.36.33, but it keeps asking for 192.168.0.131.

There are 3 clients which have such a problem. They all have on-board network adapters (2 x VIA, 1 x Realtek). Changing the NIC seems to solve the problem, but I cannot force people to do so. I cannot wait till the end of their leases (7 days left) and ipconfig /renew on the client returns "Access to DHCP server denied". I know it's mostly a Windows problem, but perhaps someone can help me?

Last edited by ohaleck on Mon Jan 31, 2005 5:36 pm; edited 1 time in total

----------

## UberLord

https://forums.gentoo.org/viewtopic.php?t=281586&highlight=dhcp+slow

HTH  :Smile: 

----------

## ohaleck

Thanks for the link but which part of the topic should I refer to? I have baselayout 1.9.4-r6 so it should not be the cause.

Any more help appreciated.

----------

## UberLord

Sorry, I posted a link to a thread in which I posted a link - which was the link I meant to give you!

https://forums.gentoo.org/viewtopic.php?t=256613

anyway, it is because you're using baselayout-1.9.x

----------

## ohaleck

Oh I didn't read the topic carefully and thought the problem was with baselayout 1.1.x so my 1.9.x was good enough.

Anyway it is not the problem with dhcpcd as I don't even have it running - my Gentoo machine is running dhcpd and the clients have Windows XP installed (sic!). They seem not to accept the DHCPOFFER (see the log above) and I cannot make them release their false leases.

Any clues? I know it is an OT but Windows forums are of no help...  :Crying or Very sad: 

----------

## UberLord

Can you make the dhcp server authoritative?

----------

## ohaleck

It already is. It sends DHCPNAK messages but clients ignore them. Might that be an unauthorized DHCP server somewhere on the network?

Is there an easy way to detect such? I've read of dhcpcd-test utility provided within dhcpcd package in Suse RPMs but cannot find such for Gentoo...

----------

## UberLord

You could always remove the offending IP information from the Windows machines registry and then reboot them (I think you do need to reboot them - not 100% sure though). A quick search through mine shows that the IP address may need to be removed from numerous locations.

----------

## noe_shit

Try and set the Windows IP address statically to the one you want, then when it's working, choose to use DHCP again. It should thus have forgotten about the wrong IP and probably seek the one you want to give it.

If that doesn't happen, then as UberLord suggested, delete all information regarding that IP from the registry and reboot.

To test if there is another dhcpcd on the network, you could turn yours off then see if you get an IP by requesting one yourself like you would normally have done.  :Smile: 

----------

## blake121666

I have similar problems and what I do is disable the adapter, then enable it and then click on "repair" in the "support" section for the adapter.  The other suggestions above would probably work as well.

----------

## ohaleck

I've tried to delete the information from the registry but it didn't help. I didn't reboot the machine though. I'll try all the tricks and post the results...

----------

## ohaleck

Some new facts. I tried to boot the client's computer from a Knoppix CD and it did not get the correct IP either. The only way to make it work is to set another MAC on the network adapter (I entered the one from my notebook and DHCP gave the host my notebook's IP, everything worked fine). I also tried to enter some random MACs into dhcpd.conf and the network card but what I got was some more stupid random IPs my DHCP sent NAK on.

The story is the same:

client: DHCPDISCOVER

server: DHCPOFFER (correct IP)

client: DHCPREQUEST (some random IP)

server: DHCPNAK (IP requested by client)

After several attempts the client sets the lease on the IP it requested and tells me it received it from my DHCP, which is wrong because my DHCP server sent DHCPNAKs.

My only clue now is a rogue DHCP running somewhere in the network but I have no idea how to detect it. I tried Windows' dhcploc but it does not even find my DHCP. 

Or could this be the WLAN point2point connection between my server and the client's network?

BTW: resetting network connection, switching it off and on, repairing it or deleting lease information did not help.

----------

## blake121666

If it was a rogue dhcp server that would show in windows.  Do a

```
ipconfig /all
```

to see what it has listed as under "DHCP Server".

Or you could sniff on the network to see exactly what's going on.

----------

## ohaleck

ipconfig displays the address of my dhcp server!! Server's logs say it didn't let the host use this address (see above). 

I can't sniff because the sniffers (tcpdump and ethereal) return an error when I reset the connection on either Windows or Linux client  :Sad: 

----------

## blake121666

You don't have another machine to sniff from?  Sniff from the dhcp server.  I wrote my own sniffer for things like this but I think there's a way to grab the whole packet in tcpdump which you're using.  Something like "tcpdump -nvvvX? port 67 or 68" where "?" stands for the "capture whole packet".  Are you using ISC dhcpd on the server?  If so, try adding something like:

```
# Address to give to "windows box"
host wbox {
 hardware ethernet 00:10:b5:5a:6b:d6;
 fixed-address 192.168.1.20;
}
```

and comment out all other assignments so that this is the only one.  Delete the leases (and backed up ones).  This is important because the dhcp server will ack valid addresses for the subnet even if it doesn't officially "assign" them.

```
rm /var/lib/dhcp/*leas*
/etc/init.d/dhcp restart
```

On the windows end, disable adapter, enable adapter, if it times out, click on the "Repair" button of the NIC object.  Windows should get the correct address.  You should end up with what you want in the end.  Then you can backtrack and undo the host assignments, ...etc. and see if Windows brain has been fixed.  Then you can figure out why it got screwed up in the first place.

In your traces, look at what MACs are flying back and forth as well as the actual dhcp options of course.  There might be a bridge or something in the middle doing something funky.  Or there could be another dhcp server showing up in your traces!

EDIT:  I think the -e tcpdump option includes the MAC stuff.

----------

## ohaleck

I finally managed to fix the problem. It was the rogue DHCP on the network. I shut down my server's network interface and figured out I can still connect to its IP address. The ports for DHCP server and HTTP were open. I entered the address into my browser and found out it was a Planet SOHO router. 

I located it by disconnecting segments of my networks (there are several buildings connected) and finally got to a guy who was using the router as a desktop switch!!! Indeed the router has a 4-port Ethernet switch built in. The "hacker" didn't even know the router has an IP set up and the DHCP server running. He hasn't even set the login password. 

Some computers on my network received their addresses from the router which is why their DHCP clients did not report an error even if my server replied with a DHCPNAK. They just had already got their addresses from a different box.

I'm glad I finally got it working. Thanks for all your help. I learned a lot about the operation of DHCP  :Smile:  However it scares me how easy it is to bring the network down. It probably wouldn't be so easy for me if someone really meant to do so  :Shocked: 

----------
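Added example, not part of any post in this thread: the parenthesised address in ISC dhcpd's DHCPREQUEST log lines is the server identifier option the client sent, which a client only includes when it is answering an offer. A request carrying it for an address this server did not offer to that MAC therefore means another box made the offer, which is the pattern in the log at the top of the thread. The second client in the sample (MAC `00:11:22:33:44:55`, server `192.168.36.1`) is constructed for illustration.

```python
"""Spot clients answering another DHCP server's offer, from ISC dhcpd syslog."""
import re

MAC = r"([0-9a-f]{2}(?::[0-9a-f]{2}){5})"
OFFER = re.compile(r"DHCPOFFER on (\S+) to " + MAC, re.I)
# dhcpd prints the client's server-identifier option in parentheses; a client
# only sends that option when answering an offer (RFC 2131, SELECTING state).
REQUEST = re.compile(r"DHCPREQUEST for (\S+) \((\S+)\) from " + MAC, re.I)


def foreign_offers_accepted(lines):
    """Return sorted (mac, our_offer, requested, server_id) tuples for requests
    that answer an offer for an address this server never made to that MAC."""
    our_offer = {}  # mac -> address this server last offered
    hits = set()
    for line in lines:
        m = OFFER.search(line)
        if m:
            our_offer[m.group(2).lower()] = m.group(1)
            continue
        m = REQUEST.search(line)
        if m:
            requested, server_id, mac = m.group(1), m.group(2), m.group(3).lower()
            offered = our_offer.get(mac, "none")  # "none": no offer in this log
            if offered != requested:
                hits.add((mac, offered, requested, server_id))
    return sorted(hits)


# First four lines are from the thread; the last three are a constructed,
# well-behaved client added for contrast.
SAMPLE_LOG = """\
Jan 24 20:49:30 [dhcpd] DHCPDISCOVER from 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:30 [dhcpd] DHCPOFFER on 192.168.36.33 to 00:0b:6a:79:86:a9 via eth1
Jan 24 20:49:30 [dhcpd] DHCPREQUEST for 192.168.0.131 (192.168.0.1) from 00:0b:6a:79:86:a9 via eth1: lease 192.168.0.131 unavailable.
Jan 24 20:49:30 [dhcpd] DHCPNAK on 192.168.0.131 to 00:0b:6a:79:86:a9 via eth1
Jan 24 20:50:02 [dhcpd] DHCPOFFER on 192.168.36.40 to 00:11:22:33:44:55 via eth1
Jan 24 20:50:02 [dhcpd] DHCPREQUEST for 192.168.36.40 (192.168.36.1) from 00:11:22:33:44:55 via eth1
Jan 24 20:50:02 [dhcpd] DHCPACK on 192.168.36.40 to 00:11:22:33:44:55 via eth1
"""

if __name__ == "__main__":
    for mac, offered, requested, server_id in foreign_offers_accepted(
            SAMPLE_LOG.splitlines()):
        print(f"{mac}: we offered {offered}, client requested {requested} "
              f"naming server {server_id}")
```

The comparison is on the offered address rather than the server identifier, so it still fires when the other box answers on an IP address that the legitimate server also uses.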

## blake121666

You should be filtering at your border.  How could someone outside your local subnet become part of your local subnet so easily?

I had this problem in my apartment because I was bridging a wireless segment into my local subnet and had no encryption on the wireless.  Entry into my network was as simple as turning on a wireless NIC anywhere within range (which is surprisingly far)  :Shocked: .

I didn't particularly care about the security but the guy who was connecting to my net was eating up bandwidth and showing up in my logs all over the place lol.  He must have had a bunch of spyware/virus-like-things on his box because his machine kept sending http requests to non-existent webpages (like http://supportcenter.verzon.net/sbconfigservlet/sbconfigservlet ... etc) and I kept seeing a lot of these as well as a bunch of icmp dest unreachables and the like.  I ended up setting up a MAC filter on him just to quickly get him out of my logs and setting up WEP for a modicum of security.

----------

## ohaleck

I do filter in- and outbound traffic, but the guy who caused the problem is on my network! I cannot provide more than one cable for an apartment so if someone wants to connect two computers they must use a desktop switch so he used a switch built into a router LOL.

I've never detected anyone connecting to my wireless links. I use wireless bridges with simple MAC filtering between my networks and it seems to be enough for now.

BTW: what AP's do you use? I tried WEP on my low-end Planet boxes with the newest firmware and they died after <24 hours...

----------

## blake121666

 *ohaleck wrote:*   

> BTW: what AP's do you use? I tried WEP on my low-end Planet boxes with the newest firmware and they died after <24 hours...

 

I'm using a Microsoft MN-500 AP (the cheapest one).  It kinda stinks if you use their software (it's always automatically setting itself up wrong if you even *try* to use its software).  But if you just use the basic web frontend it gets by.  It cost me $35 at Best Buy so I can't complain.  Actually it does better than my D-Link WAP since it at least works at the ranges I use it.  It spits out some netbios crap at intervals and my Windows clients probably do something with that.  It's also sending out SRB hellos each second ... this appears to have only started after I set up my XP clients as bridges between the TAP interface and the wireless for colinux.  Even though there is only one route between any 2 nodes it still does these SRB broadcasts.  I'd like to be able to hardcode exactly how I want the bridging set up but there's no way to do that.  I can't complain though, it's doing 128-bit WEP between clients and I have mixed-speed clients (56g and 11b) and it handles that well.  It even has a 5-port ethernet switch built into it - I uplink it to my 24-port switch but I'm thinking of redesigning things so that I'll use its 5-port hub for the WAN side so that I can multihome an old box I have laying around to sniff on the WAN side and act as my main firewall.  There have been funky things done on that side and the Linksys I'm currently using isn't the greatest for sniffing and troubleshooting.  The MN-500 has the standard firewalling capabilities like the Linksys but it has a hard time when *all* boxes use it as the default router.  I have at most 4 wireless machines up at the same time and most of the time 1 or 2.

----------

