This command will return only the MAC address of this unknown server. As you can see, this command will print all alerts in the system.Įven better, we can use the following command to make the Dude routeros function: :put unknown-server] You can find explanation of this parameter terse in this post. If you’re using the command line, you can print these unknown servers with the command (assuming that we’re using the interface named ether2): > ip dhcp-server alert print terseĠ interface=ether2 valid-server="" alert-timeout=1h >
This script is another great way to automate the network monitoring process. If it’s not in the list, MikroTik will raise the alarm.ĭepending on your settings, this event will only be logged in the local MikroTik’s event log or it could trigger an associated on-alert script.
Your MikroTik device will capture that packet and analyse it.Īs this packet contains the MAC address of the DHCP server, it will be compared with the list of the known MAC servers. If any DHCP in the network can hear those messages, it should respond with the DHCP offer message. When you activate a new DHCP alert, your MikroTik device will start sending the DHCP discovery messages every 60 seconds. I will use it to locate this device on the network switches and to isolate it from my network. The most important field is the MAC address of that device.
In my case, I wrote my own script and you can download it here. This script will send an email alert to our IT department. This script can perform different action. This script will be executed every time when a new DHCP server is detected. The last option is to add On Alert script. If you prefer the command line, your command will look like: /ip dhcp-server alert add alert-timeout=10m disabled=no interface=ether1 valid-server=E0:CB:4E:0C:49:34,E0:CB:4E:0C:4A:06Īs you can see, we can specify more then one MAC in the list. In case that MikroTik detect that DHCP, it will completely ignore it. If we already have any DHCP server in that network segment, we should specify its MAC address(es) in the field named Valid Servers. In such case, your MikroTik device will detect and only internally log any new DHCP server in the network. You can access this feature using the command line with ip dhcp-server alert.Ĭlick on the button to add a new DHCP alert:Īt least, you need to choose an appropriate network interface and alert timeout. To access this feature, in the WinBox GUI: This LAN segment even can be one VLAN inside the network. You should also write down the MAC address(es) of your DHCP server(s) and the LAN segment for which you want to set monitoring. By default, every MikroTik Routerboard has this packet installed and enabled. The pre-requirement is to have the DHCP package installed and enabled on your device. Just turn this port off and your network is safe again.Īs always, we can enable this feature using the command line, the WinBox or WebFig GUI.
Once located, you can block its network access with the remote port administration. However, you can locate this machine in the network using the switch MAC address table.
This is the option that should be implemented on your network switches. You can’t use the MikroTik router to actively block such machine. When an alert occurred, you will be informed about the MAC address (and a few more details) of that machine. Even better, it can send you an email on such detection. Every MikroTik device with the DHCP server service can be used to search your network for any rogue DHCP server.