dhcp wrong subnet

Message

zebbedi · Post by **zebbedi** » Wed Apr 22, 2020 8:31 am

Hi,

The networking on my laptop has recently gone completely crazy and stopped worked. I use NetworkManager to auto configure a wired connection. When I do it fails to setup correctly. I end up with an IP address of 192.168.168.100 however all my network is on 192.168.0.x with my main router (dhcp and gateway) being on 192.168.0.1.

I've tried running

Code: Select all

# dhcpcd -T -4
DUID 00:01:00:01:21:c5:48:b8:9c:eb:e8:35:4f:1f
dummy0: IAID e8:2e:eb:e0
enp0s20f0u2: IAID e8:35:4f:1f
docker0: waiting for carrier
br-dde597106864: waiting for carrier
wlp2s0: waiting for carrier
enp0s20f0u2: soliciting a DHCP lease
enp0s20f0u2: offered 192.168.168.100 from 192.168.168.1
interface=enp0s20f0u2
pid=27649
protocol=dhcp
reason=TEST
ifcarrier=up
ifflags=4163
ifmtu=1500
ifwireless=0
new_broadcast_address=192.168.168.255
new_dhcp_lease_time=300
new_dhcp_message_type=2
new_dhcp_server_identifier=192.168.168.1
new_ip_address=192.168.168.100
new_network_number=192.168.168.0
new_routers=192.168.168.1
new_subnet_cidr=24
new_subnet_mask=255.255.255.0
dhcpcd exited

This sticks out: enp0s20f0u2: offered 192.168.168.100 from 192.168.168.1

If i'm reading it correctly, it thinks my dhcp server is 192.168.168.1 and I have no idea where that is coming from. I get the same response from dhclient. Why is it trying to go on to a subnet of 192.168.168? and where is that coming from? I've run out of ideas. If i configure manually i can connect fine. My router and other devices on the network all seem to be fine.

It's worth mentioning that this all went wrong after running some docker compose stuff which creates 10 odd containers and about a similar number of virtual network devices.

Ant P. · Post by **Ant P.** » Wed Apr 22, 2020 7:53 pm

You have a rogue dhcp server running. You say you've been downloading and running mystery code off the internet, so it's likely coming from there.

zebbedi · Post by **zebbedi** » Wed Apr 22, 2020 8:03 pm

Definitely not been running mystery code from anywhere? The docker compose stuff is my work.

Don't think there is a rogue server anywhere. It's just my home network. Only this laptop picks it up, all other machines and devices are fine.

Post by **NeddySeagoon** » Wed Apr 22, 2020 9:12 pm

zebbedi,

On Wifi ?

Maybe its not your network you are connected to at all.
Do you recognise the public IP that 192.168.0.1 leads to?

Ant P. · Post by **Ant P.** » Wed Apr 22, 2020 9:34 pm

Run wireshark and see which MAC address the responses are coming from. It should show the manufacturer name and make it easier to find the machine responsible.

Post by Hu » Thu Apr 23, 2020 1:41 am

Docker's preference to fetch from Dockerhub makes it dangerously easy to run questionable software, so it's quite reasonable to assume that is what happened. Even though you likely ran the containers you intended to run, and did not intend them to be dangerous, I would still suspect one of them. Since all your other systems still behave normally, that suggests to me that a bad dhcpd in one of the containers is confusing the laptop, but none of the other systems see it because Docker is not forwarding that out onto the general network.

Does the problem stop if you bring down all your containers?

Would you mind sharing your Docker compose configuration file? Redact anything non-public, if you like. I want to see what it does to your network configuration, particularly around bridging.

zebbedi · Post by **zebbedi** » Thu Apr 23, 2020 6:21 am

It's a hard wired connection. It's using USB dongle over ethernet. Wifi actually gets the correct ip from dhcp.

I've completely shut down docker and all containers have been deleted. The images all come from our own local corporate docker repo. I'm afraid I really wouldn't be able to share it due to IP.

The problem still persists though even with docker shut down.

papas · Post by **papas** » Thu Apr 23, 2020 11:43 am

Are you on your company"s network? Check your router interfaces, wifi and ethernet ports are on the same subnet? Which router do you have. Arp-scan, ip addr may have interesting information.

zebbedi · Post by **zebbedi** » Thu Apr 23, 2020 2:42 pm

It's my own home network. DrayTek 2862 router.

Any advice on what to run to check these things? Ok, so i've just run wireshark on my windows pc. I ran

Code: Select all

ipconfig /release
ipconfig /renew

and then captured the output with wireshark. The windows PC ran in to the same problem with 192.168.168.100 broadcasting dhcp. The problem appears has as src of NestLabs. I do have 2 Nest thermostats and 2 Nest Protect smoke alarms so I think one of them is running a rogue dhcp as suggested.

I just have no idea how to resolve it.

papas · Post by **papas** » Thu Apr 23, 2020 6:35 pm

so you have 2 dhcp servers, but as you wrote above your pc was working fine for some time. NeddySeagoon was right, you are connecting in different network and seems that docker has nothing to do with it. Did you change the switchport that your pc usually connect to? You must attach your pc to the right network.
Your router is a powerful machine but i never had the chance to work with it.(Who has configured it?)
Btw there is several configurations to make it work. I think the easiest way is to assign a switchport to the same subnet as the wifi or you can connect your alarm-dhcp server in the second wan port of your router (you have two wan ports), but is still mystery to me, how your wired-network was working before.

Ant P. · Post by **Ant P.** » Thu Apr 23, 2020 6:54 pm

Right, so it's not the docker stuff. My bad.

You'll need to either figure out how to turn the DHCP server off on those things, or put them on an isolated LAN segment behind a real multi-homed router or managed switch.

zebbedi · Post by **zebbedi** » Fri Apr 24, 2020 6:48 am

I think i've found the problem. I was infact misreading the wireshark analysis (i've not used it before so not massively familiar with it) but it wasn't nest. It was a cctv security camera. I turned off all wireless in order to try to block the nest smoke alarm but it continued to happen so by a process of elimination i removed each hard wired device one by one and eventually discovered it's the camera that is spamming the network. I don't know why yet but at least the network is now working again properly with all devices.

Tony0945 · Post by **Tony0945** » Fri Apr 24, 2020 2:25 pm

The last two posts were very interesting. I was just thinking this morning of buying a thermostat that connects to the internet. Except I've been resisting that. The only reason for buying one is that the high end better T-stats all are internet connected, I was thinking I could set the firewall to block all incoming and outgoing traffic to that external address. It sounds like that's not sufficient. Best of all would be to make my own T-stat from a Raspberry Pi.
This ties into those two posts, but please, Mr. moderator, split it if it's not.