Workstations are being assigned 192.168.1.111 instead of an IP in our 192.168.20.X subnet

We recently had NAT and DHCP turned off in our SDSL router so that our Firebox X50 Edge could provide these services. Our subnet is 192.168.20.X, but since making the switch, I've had 9-10 instances where a user boots up and is assigned the following:
       
        IP Address. . . . . . . . . . . . : 192.168.1.111
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1

There is no other DHCP server in use on the network. I've checked all of our servers (W2K & W2003) and DHCP is not installed on any of them. I worked with firewall support for 2 days and sent them logs, but there are no entries in the logs that list anything out of our subnet. I also had the ISP that manages the router double check it.

Where could this erroneous assignment be coming from?
robwhite64 Asked:

JRHIT Commented:
In the DHCP section of the Router you need to specify an IP range.
Gary Fuqua, CISSP Owner Commented:
Is that the old DHCP range from the original router, or something else?
JRHIT Commented:
Oh your Firebox is providing this? Does it have web management?  If so, specify the range in the dhcp section there.
lifetech Commented:
Could they be picking these up from nearby wireless access points?
lifetech Commented:
On the affected machines, go to http://192.168.1.1, and see if you pull up any info on the router.

grsteed Commented:
You could run Ethereal (www.ethereal.com) on a PC that's getting the wrong address and see who's assigning it. Look for DHCP Request and DHCP Ack in the packets. It will give the IP address of the source.

Gary
RLGSC Commented:
robwhite64,

The best way to do this is to run Ethereal or some other LAN sniffer and capture the DHCP dialogues over a period of time.

If I had to guess what is happening, I would guess that you have a rogue DHCP node somewhere in your network. A short note on DHCP is in order. When a node uses DHCP to get an address, it does a broadcast over the entire LAN looking for a response from a DHCP server. The first DHCP server to respond wins. There is no inherent structure to this exchange.

Thus, if your intended DHCP server is slow to respond for any reason, another node can get its answer in. I would scan for all DHCP responses for your network and isolate those that are not from your intended server. I would then use my scanner to identify the MAC address of the rogue.

I hope that the above is helpful.

- Bob Gezelter (aka RLGSC)
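
The check RLGSC describes (collect DHCP responses and isolate those not from the intended server), written out as an added example that is not part of the original thread. It assumes you already have the UDP payloads of server-to-client DHCP traffic (port 67 to 68) from a capture; the function names are hypothetical, and the two sample replies are constructed from the addresses in the question.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"            # DHCP magic cookie after the 236-byte BOOTP header
OFFER, ACK = 2, 5                      # option 53 values for DHCPOFFER / DHCPACK
AUTHORIZED = {"192.168.20.254"}        # the Firebox trusted interface named in the thread

def parse_dhcp_reply(payload):
    """Parse a UDP/68 payload; return a dict, or None if it is not a DHCP reply."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != MAGIC:
        return None
    info = {"yiaddr": socket.inet_ntoa(payload[16:20]),
            "client_mac": payload[28:28 + min(payload[2], 16)].hex(":"),
            "msg_type": None, "server_id": None}
    i = 240
    while i + 1 < len(payload) and payload[i] != 255:   # 255 = end option
        if payload[i] == 0:                              # pad option has no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) < length:                          # truncated option: stop parsing
            break
        if code == 53 and length == 1:                   # DHCP message type
            info["msg_type"] = value[0]
        elif code == 54 and length == 4:                 # server identifier
            info["server_id"] = socket.inet_ntoa(value)
        i += 2 + length
    return info

def find_rogue_replies(payloads, authorized=AUTHORIZED):
    """Return parsed OFFER/ACK replies whose server identifier is not authorized."""
    replies = (parse_dhcp_reply(p) for p in payloads)
    return [r for r in replies
            if r and r["msg_type"] in (OFFER, ACK) and r["server_id"] not in authorized]

def build_reply(msg_type, yiaddr, server_id, mac):   # constructed test data, not a capture
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 2, 1, 6, 0, 0x1234, 0, 0,
                         b"", socket.inet_aton(yiaddr), socket.inet_aton(server_id),
                         b"", bytes.fromhex(mac), b"", b"")
    options = bytes([53, 1, msg_type, 54, 4]) + socket.inet_aton(server_id) + b"\xff"
    return header + MAGIC + options

SAMPLES = [build_reply(ACK, "192.168.20.150", "192.168.20.254", "020000000001"),
           build_reply(OFFER, "192.168.1.111", "192.168.1.1", "020000000002")]

if __name__ == "__main__":
    for r in find_rogue_replies(SAMPLES):
        print(f"rogue DHCP server {r['server_id']} offered {r['yiaddr']} to {r['client_mac']}")
```

The payload only carries the server's IP address; the rogue's MAC address is the Ethernet source address of the frame that carried the reply, which the sniffer shows alongside it.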
artofchobo Commented:
Does the switch have any DHCP support? Try turning it off... I've seen my friends having such services in the switches they bought.

Regards,
chobo
JRHIT Commented:
192.168.1.111 IS the DEFAULT ip for the Firebox Edge x50...

open up https://192.168.1.111

Go into the DHCP portion and specify the range.
JRHIT Commented:
That would actually be https://192.168.111.1

Go there, Select Wizards, Click Go.

Then go through the welcome and enter in the DHCP information and range.

Problem should be solved.
pgm554 Commented:
On the WS that are getting the rogue addresses, get into a command line prompt and do an ipconfig /all.
It will tell you which DHCP server address assigned the bad address.

robwhite64 Author Commented:
I'll try to address all your responses here so we can get closer to the solution.

JRHIT, the range is already assigned.
Trusted Network IP Address  192.168.20.254
Trusted Network Subnet Mask  255.255.255.0
DHCP Address Pool  192.168.20.150-192.168.20.252

GaryF, no. Our range and IP addresses have remained the same. The 192.168.1.X was never part of this network.

Lifetech, we aren't running any wireless equipment here. But I like your idea to see what I can find out on the next machine that gets the rogue IP. I did a copy of the IPCONFIG /ALL on the last one but I didn't go further than that.

GRSteed and BobG, I'll look into Ethereal. So you're thinking one of the workstations is somehow assigning DHCP? I sure didn't know that could happen. Actually, I doubt that very seriously. The network has less than 40 workstations and servers on it and I've touched every one of them at one point or another.

Chobo, I also like the switch idea. I'm looking into this as well. I'm not currently able to console into the one switch that could possibly have those capabilities--don't have a laptop.

JRHIT, see original question with IPs. They're correct--it's not 192.168.111.1. The Firewall is not set at defaults anyway.

PGM554, also see original question. The info provided was from IPCONFIG /ALL on an affected WS.

smithandrew Commented:
We had a similar problem before where a user was running VMWare on the workstations, and the VMWare Host Adapter was running, acting as a DHCP server - some workstations were picking up the IP from this VMWare DHCP server.
robwhite64 Author Commented:
BobG, so the logs from the Firewall appliance wouldn't accomplish the same goal as a tool like Ethereal? And if not, where would I need to install Ethereal? On a server, or could I install it on my own workstation?

Found a laptop, btw, and now need to go buy a null modem cable tomorrow.

cbromley33 Commented:
Had a similar issue once.  Was because a user thought that he could bring his wireless router in from home, and just plug it in, and it would give his laptop wireless access.  So.. make sure the users aren't attaching equipment unexpectedly...  But as already said.. ethereal on the computer with the wrong address is probably the best way to go to narrow it down.
pgm554 Commented:
Can you ping the rogue DHCP server?
grsteed Commented:
Another thing you could look at.

As pgm554 mentioned back 6 messages, you can use IPCONFIG /ALL from the command line. As you pointed out in your original question the DHCP server shows an address of 192.168.1.1. If you can ping that address, then enter ARP -A on the command line and look for that address. That should give you the MAC address of the rogue server.

From there, if your switch is managed, you could see what port that MAC shows up on. Otherwise it'll take some footwork to find it.

Also you didn't mention if you tried lifetech's idea,  "go to http://192.168.1.1, and see if you pull up any info on the router."

Gary
grsteed Commented:
Oh Yeah,

For the Ethereal solution, you need to install that on one of the affected PC's.  

Gary
robwhite64 Author Commented:
Gary, if lifetech means I need to go to http://192.168.1.1 from an affected PC, I haven't tried it yet--gotta wait until another machine has the issue. Same goes for the idea to ping the rogue DHCP server.

cbromley33, I am certain there are no wireless routers here. The same goes for smithandrew's suggestion about the possibility of VMWare being installed somewhere. I have a small and unique bunch of users who are not very tech savvy, and I'm the only IT presence in the company. They think I'm a genius if that gives you any clue as to where they are technically.

Hopefully the rogue server will strike again today and I'll have a chance to try more of your ideas. Thanks!
robwhite64 Author Commented:
I used lifetech's idea to go to http://192.168.1.1 from an affected PC. I didn't have the password to get in but after putting in an incorrect one, the title bar showed Linksys BEFSR81. I walked over to a rack where we keep PCs that our remote users connect to via GoToMyPC and there it was, the BEFSR81, which I then saw is a DSL router with DHCP server capabilities. I'd just assumed it was a workgroup switch prior to today. I got the password and disabled DHCP. The issue should be resolved now.

Thanks again to everyone who pitched in.
robwhite64 Author Commented:
I thought my post didn't work so it's posted twice!
lifetech Commented:
Great! The mystery is solved!
grsteed Commented:
Glad to hear you found it!!
RLGSC Commented:
robwhite64,

The logs on your designated DHCP server will only show addresses assigned by it, not by a rogue. The output from IPCONFIG is helpful.  Using Ethereal (or another sniffer) to find out what is actually happening is often helpful.

- Bob Gezelter (aka RLGSC)