Syed Jahanzaib Personal Blog to Share Knowledge !

February 6, 2014

Detect Rogue DHCP & Alert via Email

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 1:53 PM

Dedicated to Local Desi Cable.Network Operators 😉


To detect ROGUE (Duplicate / Conflicting) DHCP server via mikrotik and received an email alert about the conflicting dhcp server IP/MAC/Date+time, there are several ways to do, either using remote syslog server, OR use LOG action BUT I found the following method more customizable and suitable. Just make sure to tune if properly before deployment 😀



Click on + sign to add new alert, & on Alert box,

& paste the following code.

:local CurrentTime [/system clock get time];
 :local hostname [/system identity get name]
 :global date [/system clock get date]
 :local int "$interface"
 :local addr "$address"
 :local mac $"mac-address"
 :local dh

/tool e-mail send server= port=587 start-tls=yes password=YOURPASSWORD subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $date  - time $CurrentTime  - Interface= $int  - IP Address=$addr - MAC-Address= $mac  !! GO HUNT & KILL :D")

Now click on Apply.

As showed in the image below …


Make sure to tune the INTERVAL setting according to your requirement. Also its a good idea to enter legitimate mac address in VALID SERVER box to avoid false detection of your valid dhcp servers.

Configure EMAIL/SMTP Settings

Now configure your EMAIL smtp address so that email can be send,OR you can set other alert options too like sms or print LOG in main window only or whatever :p

I am using GMAIL in this example.

/tool e-mail set address= password=mypassword port=587 starttls=no user=gmailid

Also enable EMAIL logging so that in case of any error, you can view it in LOG window for troubleshooting purposes.

/system logging add topics=e-mail action=memory

Now as soon as any rogue/conflicting dhcp server will be detected by Mikrotik, it will log it in main LOG window, and will also send you email alert using your GMAIL ID.

As showed in the image below …



Syed Jahanzaib



  1. Great Post Dude! As i need a script like this and are to lazy i am so glad You did it 😉


    Comment by MR — February 6, 2014 @ 2:17 PM

  2. Bro ap ne is script main … pasward ***** to ye id Q diya hova hia ???


    Comment by syed Ali Waqas — February 6, 2014 @ 10:29 PM

  3. Nice Post – Syed Jahanzaib


    Comment by Abubaker SIddiq Lasania — February 7, 2014 @ 4:04 AM

  4. Is it possible to explain firewall mikrotik with nat and mangle


    Comment by Mostafa Mohamed — February 9, 2014 @ 7:05 AM

  5. Terkirim dari tablet SamsungSyed Jahanzaib Personnel Blog to Share Knowledge ! menulis:


    Comment by teukurizal — February 9, 2014 @ 1:31 PM

  6. set address= or server= ye ip kis ka hai…


    Comment by Muhammad Furqan Khan — May 22, 2014 @ 8:06 PM

  7. send to mail don’t work , but work fine in log, what’s problem ??


    Comment by mohammed — June 10, 2014 @ 9:10 AM

  8. very nice


    Comment by Bharat Patel — August 7, 2015 @ 8:28 AM

  9. Hi

    I would really appreciate some help – I’ve gone through the MIkrotik manual and some literature, but I still can’t figure out exactly what to do.

    Here’s the scenario: Our wireless network broadcasts on the range (DHCP to client PC’s is done via a DHCP server).
    One (or more) of the clients are running a device which also applies DHCP, but on the range.

    This seems to restrict clients on the 172.XX.XX.0/24 range of getting DHCP addresses.

    What do I need to do on the mikrotik firewall to block the DHCP on the range, while ensuring connectivity on the range.
    Also, I understand that if default forwarding is disabled, clients won’t “see” each other.

    I tried the solution but it wont work.
    DHCP-Server as authoritative=yes
    chain=forward action=drop protocol=udp src-address=! src-port=67 dst-port=68

    How EXACTLY do I do this on the Firewall? I attempted something earlier (IP filtering), but this pervented me from accessing the AP.

    Please help ! 🙂


    Comment by Maximus Innase — June 12, 2018 @ 4:05 PM

RSS feed for comments on this post. TrackBack URI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: