Syed Jahanzaib – Personal Blog to Share Knowledge !

February 6, 2014

Detect Rogue DHCP & Alert via Email

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:53 PM

Dedicated to Local Desi Cable Network Operators 😉

[Image: dhcp-rogue]

To detect a ROGUE (duplicate / conflicting) DHCP server with Mikrotik and receive an email alert with the conflicting DHCP server's IP / MAC / date and time, there are several options: a remote syslog server, or the LOG action. I found the following method more customizable and suitable. Just make sure to tune it properly before deployment 😀

CONFIGURE DHCP-ALERT

Go to IP / DHCP SERVER / ALERTS.

Click the + sign to add a new alert and, in the Alert box, paste the following code.


# Variables the script reads from the alert: $interface, $address, $"mac-address"
:local CurrentTime [/system clock get time];
:local hostname [/system identity get name];
:global date [/system clock get date];
:local int "$interface";
:local addr "$address";
:local mac $"mac-address";

# Send the alert by e-mail
/tool e-mail send server=173.194.69.109 port=587 start-tls=yes user=YOUR_GMAIL_ID@gmail.com password=YOURPASSWORD to=aacable@hotmail.com subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $date  - time $CurrentTime  - Interface= $int  - IP Address=$addr - MAC-Address= $mac  !! GO HUNT & KILL :D")

Now click on Apply.

As shown in the image below …

[Image: dhcp-alert]

Make sure to tune the INTERVAL setting according to your requirement. It's also a good idea to enter the MAC addresses of your legitimate DHCP servers in the VALID SERVER box to avoid false detection of your valid DHCP servers.
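The VALID SERVER check described above, sketched in Python as an added example (not code from this post and not MikroTik's implementation): it parses a DHCP reply payload and raises an alert only when the sender's MAC is outside the allowlist. The function names, MAC addresses and packets are constructed for the demo.

```python
import struct

MAGIC = b"\x63\x82\x53\x63"           # DHCP magic cookie (RFC 2131)
OFFER, ACK = 2, 5                     # option 53 values sent only by servers

def parse_dhcp_reply(payload: bytes):
    """Return (msg_type, server_id) for a DHCP OFFER/ACK payload, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None                   # too short, not a BOOTREPLY, or not DHCP
    msg_type, server_id, i = None, None, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:               # end option
            break
        if code == 0:                 # pad option has no length byte
            i += 1
            continue
        if i + 1 >= len(payload):
            return None               # truncated option header
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None               # truncated option body
        if code == 53 and length == 1:
            msg_type = value[0]       # DHCP message type
        elif code == 54 and length == 4:
            server_id = ".".join(str(b) for b in value)  # server identifier
        i += 2 + length
    return (msg_type, server_id) if msg_type in (OFFER, ACK) else None

def check_reply(src_mac: str, payload: bytes, valid_servers: set):
    """Return an alert dict for a server reply from a MAC outside the allowlist."""
    parsed = parse_dhcp_reply(payload)
    if parsed is None or src_mac.lower() in valid_servers:
        return None
    return {"mac-address": src_mac.lower(), "address": parsed[1], "type": parsed[0]}

def make_offer(server_ip: bytes) -> bytes:
    """Build a constructed DHCPOFFER payload for the demo (not captured traffic)."""
    header = struct.pack("!BBBB", 2, 1, 6, 0) + bytes(232)  # op=BOOTREPLY, rest zeroed
    return header + MAGIC + bytes([53, 1, OFFER, 54, 4]) + server_ip + b"\xff"

VALID = {"02:00:00:00:00:01"}         # constructed allowlist (the VALID SERVER box)

if __name__ == "__main__":
    print(check_reply("02:00:00:00:00:01", make_offer(bytes([192, 0, 2, 1])), VALID))
    print(check_reply("02:00:00:00:00:99", make_offer(bytes([198, 51, 100, 1])), VALID))
```

An empty allowlist flags every responding server, including your own, which is the false detection the VALID SERVER box avoids.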

Configure EMAIL/SMTP Settings

Now configure your email SMTP settings so that the email can be sent, OR you can set other alert options too, like SMS, or only print to the LOG in the main window, or whatever :p

I am using GMAIL in this example.


# Port 587 is the STARTTLS submission port; keep TLS on so the password is not sent in clear
/tool e-mail set address=74.125.45.109 from=gmailid@gmail.com password=mypassword port=587 start-tls=yes user=gmailid

Also enable EMAIL logging so that in case of any error, you can view it in LOG window for troubleshooting purposes.


/system logging add topics=e-mail action=memory

Now as soon as any rogue/conflicting DHCP server is detected by Mikrotik, it will log it in the main LOG window and will also send you an email alert using your GMAIL ID.

As shown in the image below …

[Image: log]

Regards,
Syed Jahanzaib

 

9 Comments »

  1. Great Post Dude! As I need a script like this and am too lazy, I am so glad you did it 😉


    Comment by MR — February 6, 2014 @ 2:17 PM

  2. Bro, why have you given this ID in the script: …@gmail.com password ***** to aacable@hotmail.com ???


    Comment by syed Ali Waqas — February 6, 2014 @ 10:29 PM

  3. Nice Post – Syed Jahanzaib


    Comment by Abubaker SIddiq Lasania — February 7, 2014 @ 4:04 AM

  4. Is it possible to explain the Mikrotik firewall with NAT and mangle?


    Comment by Mostafa Mohamed — February 9, 2014 @ 7:05 AM

  5. Sent from Samsung tablet. Syed Jahanzaib Personnel Blog to Share Knowledge ! wrote:


    Comment by teukurizal — February 9, 2014 @ 1:31 PM

  6. set address=74.125.45.109 or server=173.194.69.109, whose IP is this…


    Comment by Muhammad Furqan Khan — May 22, 2014 @ 8:06 PM

  7. Send to mail doesn't work, but it works fine in the log, what's the problem??


    Comment by mohammed — June 10, 2014 @ 9:10 AM

  8. very nice


    Comment by Bharat Patel — August 7, 2015 @ 8:28 AM

  9. Hi

    I would really appreciate some help – I’ve gone through the Mikrotik manual and some literature, but I still can’t figure out exactly what to do.

    Here’s the scenario: Our wireless network broadcasts on the 172.17.50.0/24 range (DHCP to client PCs is done via a DHCP server).
    One (or more) of the clients is running a device which also applies DHCP, but on the 192.168.10.0/24 range.

    This seems to restrict clients on the 172.XX.XX.0/24 range from getting DHCP addresses.

    What do I need to do on the mikrotik firewall to block the DHCP on the 192.168.10.0/24 range, while ensuring connectivity on the 172.17.50.0/24 range.
    Also, I understand that if default forwarding is disabled, clients won’t “see” each other.

    =====================================================================================
    I tried the solution but it won’t work.
    DHCP-Server as authoritative=yes
    and
    chain=forward action=drop protocol=udp src-address=!192.168.10.1 src-port=67 dst-port=68
    ========================================================================================

    How EXACTLY do I do this on the Firewall? I attempted something earlier (IP filtering), but this prevented me from accessing the AP.

    Please help ! 🙂


    Comment by Maximus Innase — June 12, 2018 @ 4:05 PM

