FortiGate
ManoelMartins
Article Id 280642
Description This article demonstrates troubleshooting steps to isolate the MAC address and location of active DHCP servers on the network when a rogue DHCP server is suspected.
Scope

FortiOS, DHCP Service.

Solution

Example Topology:

[Image: Rogue_DCHP_topology.png, example topology]
This article presents three options to confirm the presence of a rogue DHCP server (i.e., an unexpected DHCP server) on the network.

 

  1. Extract the optional 'Server Identifier' from the DHCP Request message. The packet capture can be done in two ways:

  a. CLI: diagnose sniffer packet <interface> "port 67 or port 68" 6 0 l

The 'interface' part here refers to the FortiGate physical or VLAN interface connected to the client VLAN. The packet capture filters for ports 67 or 68, because DHCP uses UDP ports 67 and 68 by default.

  b. GUI of the firewall: Navigate to Network, under which is Diagnostics. The Diagnostics page contains the packet capture tool, where packets can be captured by IP address, port, or protocol.

As per the image:

[Image: pc1.jpg, packet capture page in the FortiGate GUI]

 

From the packet captured on the FortiGate, open the DHCP Request message (broadcast from the client) and look for the option 'Server Identifier' as shown below.

 

[Image: server identifier.jpg, the 'Server Identifier' option in the captured DHCP Request]

 

Per RFC 2131, this option should be present in the DHCP Request message; if it is not, look for at least the Vendor Class Identifier.
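The following Python script is an added example, not part of this article or of FortiOS: it parses the DHCP message format that the capture above contains and reports every Server Identifier (option 54) that is not on an allow-list, along with the message type, requested IP and Vendor Class Identifier. The sample messages, the client MAC, and the assumption that the FortiGate at 192.168.30.1 is the only legitimate DHCP server are constructed for the example; on a real capture, feed it the UDP payloads of the port 67/68 packets (for instance, exported from Wireshark).

```python
import struct
import ipaddress

# Hypothetical helper (not FortiOS code): parse DHCP messages and flag
# Server Identifiers (option 54) that are not on an allow-list.

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # RFC 2131 options magic cookie
MESSAGE_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 4: "DECLINE",
                 5: "ACK", 6: "NAK", 7: "RELEASE", 8: "INFORM"}


def parse_dhcp(payload):
    """Parse the UDP payload of a DHCP message into the fields of interest.

    Only op, xid and chaddr are taken from the 236-byte fixed header; the
    option area after the magic cookie is walked as TLVs, honouring the
    single-octet pad (0) and end (255) codes.
    """
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("payload is not a DHCP message")
    op, _htype, hlen, _hops, xid = struct.unpack("!BBBBI", payload[:8])
    chaddr = payload[28:28 + hlen].hex(":")
    options = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == 0:            # pad octet, no length field
            i += 1
            continue
        if code == 255:          # end of options
            break
        if i + 2 > len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        options[code] = value
        i += 2 + length

    def ip_option(code):
        v = options.get(code)
        return str(ipaddress.IPv4Address(v)) if v is not None and len(v) == 4 else None

    mtype = options.get(53)
    return {
        "op": op,
        "xid": xid,
        "chaddr": chaddr,
        "message_type": MESSAGE_TYPES.get(mtype[0]) if mtype else None,
        "requested_ip": ip_option(50),
        "server_identifier": ip_option(54),
        "vendor_class": options[60].decode("ascii", "replace") if 60 in options else None,
    }


def find_unexpected_servers(payloads, allowed_servers):
    """Return (server_ip, message_type, client_mac) for every message whose
    Server Identifier is not in allowed_servers. REQUEST (client side) and
    OFFER/ACK/NAK (server side) all carry option 54, so all are inspected."""
    hits = []
    for payload in payloads:
        msg = parse_dhcp(payload)
        sid = msg["server_identifier"]
        if sid is not None and sid not in allowed_servers:
            hits.append((sid, msg["message_type"], msg["chaddr"]))
    return hits


def build_dhcp(op, chaddr, options):
    """Build a DHCP message; used only to construct the sample capture below."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, 0x3903F326, 0, 0x8000,
                         b"", b"", b"", b"", chaddr, b"", b"")
    body = b"".join(bytes([code, len(val)]) + val for code, val in options)
    return header + MAGIC_COOKIE + body + b"\xff"


# Constructed sample capture: a Discover, then the Request naming the server
# the client selected (mirrors the example topology's 192.168.30.2).
CLIENT_MAC = bytes.fromhex("00155daabbcc")
SAMPLE_CAPTURE = [
    build_dhcp(1, CLIENT_MAC, [(53, b"\x01"), (60, b"MSFT 5.0")]),
    build_dhcp(1, CLIENT_MAC, [(53, b"\x03"),
                               (50, ipaddress.IPv4Address("192.168.30.7").packed),
                               (54, ipaddress.IPv4Address("192.168.30.2").packed),
                               (60, b"MSFT 5.0")]),
]

# Assumption for the example: the FortiGate at 192.168.30.1 is the only
# legitimate DHCP server on this VLAN.
ALLOWED_DHCP_SERVERS = {"192.168.30.1"}

if __name__ == "__main__":
    for hit in find_unexpected_servers(SAMPLE_CAPTURE, ALLOWED_DHCP_SERVERS):
        print("unexpected DHCP server %s seen in %s from client %s" % hit)
```

The Discover carries no Server Identifier, so only the Request is reported; a capture that also holds the server's Offer or Ack would report those too, from the same option.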

 

  2. Using the packet capture from the FortiGate. In cases where no information about the server is available from the option above, another approach is needed. In Wireshark, it is expected that at least the following packets were captured:

[Image: pcap01, Wireshark view of the captured DHCP and ARP packets]

     

     

As shown in the image above, there are no DHCP Server messages (Offer or Ack), but there is another device (50:00:00:02:00:01) sending an ARP Request for the IP 192.168.30.7, and there is an ARP Announcement afterward.

 

This means that a DHCP server is verifying whether the IP 192.168.30.7 is already in use on the network before deciding to offer it to the client; nobody answers, which confirms the address is free, and the client then sends the ARP Announcement.

 

In this example, if some device already has this specific IP assigned, its reply will not be visible in the capture because it is unicast, but a DHCP Decline message broadcast from the client will be visible, and the process of Discover, Offer, etc. will restart.

 

Note:

In a large-scale environment there may be many ARP Request messages that are not from a DHCP server. In these cases, look at the messages surrounding the ARP Announcement and dismiss the irrelevant ones by process of elimination, for example by tracking the MAC address.
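Added example (not from the article): the ARP correlation described above, applied to a constructed list of decoded frames of the kind Wireshark displays. For each ARP Announcement it reports every other MAC address that sent an ARP Request for the same IP shortly before, which is the process-of-elimination step the Note describes, and it drops announcements that do not belong to the client that sent the DHCP Request. The time window, the frame records and the MAC addresses are assumptions for the example.

```python
# Hypothetical helper (not Fortinet code): correlate ARP probes with ARP
# announcements to find the MAC of a DHCP server that showed no Offer/Ack.

ARP_ANNOUNCEMENT_WINDOW = 5.0  # seconds before an announcement to search

# Constructed sample capture, written as decoded frames (time, source MAC,
# protocol, per-protocol fields). The unrelated ARP request at t=0.015 stands
# in for the background noise of a large network.
SAMPLE_FRAMES = [
    {"t": 0.000, "src": "00:15:5d:aa:bb:cc", "proto": "dhcp", "type": "DISCOVER"},
    {"t": 0.010, "src": "50:00:00:02:00:01", "proto": "arp", "op": "request",
     "sender_ip": "192.168.30.2", "target_ip": "192.168.30.7"},
    {"t": 0.015, "src": "50:00:00:05:00:01", "proto": "arp", "op": "request",
     "sender_ip": "192.168.30.20", "target_ip": "192.168.30.50"},
    {"t": 0.500, "src": "00:15:5d:aa:bb:cc", "proto": "dhcp", "type": "REQUEST",
     "requested_ip": "192.168.30.7"},
    {"t": 1.200, "src": "00:15:5d:aa:bb:cc", "proto": "arp", "op": "request",
     "sender_ip": "192.168.30.7", "target_ip": "192.168.30.7"},
]


def is_arp_announcement(frame):
    """ARP Announcement (gratuitous request): sender IP equals target IP."""
    return (frame["proto"] == "arp" and frame["op"] == "request"
            and frame["sender_ip"] == frame["target_ip"])


def suspect_dhcp_servers(frames, window=ARP_ANNOUNCEMENT_WINDOW):
    """Map each announced IP to the MACs that probed it shortly beforehand.

    For every ARP Announcement only frames within `window` seconds before it
    are considered. ARP Requests for the same IP from a MAC other than the
    announcing host are candidate DHCP-server conflict probes. If the window
    also holds a DHCP REQUEST for that IP, the announcing host must be its
    sender; otherwise the announcement is unrelated to a lease and skipped.
    """
    frames = sorted(frames, key=lambda f: f["t"])
    result = {}
    for ann in filter(is_arp_announcement, frames):
        ip, client = ann["target_ip"], ann["src"]
        recent = [f for f in frames if ann["t"] - window <= f["t"] < ann["t"]]
        requests = [f for f in recent if f["proto"] == "dhcp"
                    and f.get("type") == "REQUEST" and f.get("requested_ip") == ip]
        if requests and all(r["src"] != client for r in requests):
            continue  # announcement does not come from the DHCP client
        for f in recent:
            if (f["proto"] == "arp" and f["op"] == "request"
                    and f["target_ip"] == ip and f["src"] != client):
                per_ip = result.setdefault(ip, {})
                per_ip[f["src"]] = per_ip.get(f["src"], 0) + 1
    return result


if __name__ == "__main__":
    for ip, probers in suspect_dhcp_servers(SAMPLE_FRAMES).items():
        for mac, count in probers.items():
            print("%s probed %s before the client announced it (%d time(s))"
                  % (mac, ip, count))
```

On the sample frames only 50:00:00:02:00:01 remains, matching the device called out in the capture above; the request for 192.168.30.50 is discarded because it targets a different address. Shrinking the window is the knob to turn when a busy VLAN produces too many candidates.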

 

  3. Check the IP address configuration of a client with a DHCP lease from the rogue server. This option is simpler than the first option: disable the DHCP server on the FortiGate interface, and retry obtaining an IP address from the client.


If the client still receives an IP assignment, it cannot have come from the disabled FortiGate DHCP server: use the DHCP server IP to retrieve the DHCP server's MAC address, and check where that MAC address is located in the network switches.

 

Example:

  1. Get a new DHCP address on a Windows client (unplug/replug the Ethernet connection, or run 'ipconfig /release /renew' in a command prompt).
  2. Open a Command Prompt terminal and type 'ipconfig /all'. The DHCP server is displayed, if any, so the DHCP server IP address can be checked.

    C:\Users\fortinet> ipconfig /all
    ...

    Ethernet adapter Ethernet:

    Connection-specific DNS Suffix . :
    Description . . . . . . . . . . . : Microsoft Hyper-V Network Adapter
    Physical Address. . . . . . . . . : 00-15-5D-AA-BB-CC
    DHCP Enabled. . . . . . . . . . . : Yes
    Autoconfiguration Enabled . . . . : Yes
    IPv4 Address. . . . . . . . . . . : 192.168.30.7(Preferred)
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Lease Obtained. . . . . . . . . . : Thursday, December 11, 2025 11:56:23 PM
    Lease Expires . . . . . . . . . . : Monday, December 22, 2025 11:56:24 AM
    Default Gateway . . . . . . . . . : 192.168.30.2
    DHCP Server . . . . . . . . . . . : 192.168.30.2
    DNS Servers . . . . . . . . . . . : 8.8.8.8
                                        8.8.4.4

    NetBIOS over Tcpip. . . . . . . . : Enabled

  3. Run the command 'arp -a' to check the ARP table of the Windows client and find the MAC address of the DHCP server IP obtained with 'ipconfig /all'.


    C:\Users\fortinet> arp -a

    Interface: 192.168.30.7 --- 0xb
    Internet Address   Physical Address     Type
    192.168.30.1       50-00-00-00-00-01    dynamic
    192.168.30.2       50-00-00-02-00-01    dynamic
    192.168.30.255     ff-ff-ff-ff-ff-ff    static
    224.0.0.22         01-00-5e-00-00-16    static
    224.0.0.251        01-00-5e-00-00-fb    static
    224.0.0.252        01-00-5e-00-00-fc    static
    239.255.255.250    01-00-5e-7f-ff-fa    static
    255.255.255.255    ff-ff-ff-ff-ff-ff    static

 

Check MAC address tables on network switches to determine which port shows the rogue DHCP server's MAC address. 

  • The FortiSwitch CLI command to display the MAC address table is 'diagnose switch mac-address list'.
  • The FortiGate command to display the MAC address table of a connected FortiSwitch is 'diagnose switch-controller switch-info mac-table <switch ID>'.
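Added example (not from the article or from Microsoft): a script that automates the client-side steps of this option, reading 'ipconfig /all' and 'arp -a' output to map the DHCP server IP to its MAC address and compare it against the MAC addresses of the DHCP servers that should exist on the VLAN. The sample outputs are constructed from the article's example client, and the assumption that the FortiGate is 192.168.30.1 with MAC 50:00:00:00:00:01 belongs to the example only.

```python
import re

# Hypothetical helper (not Fortinet or Microsoft code): pull the DHCP server
# address out of 'ipconfig /all', resolve it through 'arp -a', and compare the
# result with the MAC addresses of the DHCP servers that are supposed to exist.

# Constructed sample outputs, trimmed from the article's example client.
IPCONFIG_OUTPUT = """
Ethernet adapter Ethernet:

   Connection-specific DNS Suffix . :
   Physical Address. . . . . . . . . : 00-15-5D-AA-BB-CC
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.30.7(Preferred)
   Default Gateway . . . . . . . . . : 192.168.30.2
   DHCP Server . . . . . . . . . . . : 192.168.30.2
   DNS Servers . . . . . . . . . . . : 8.8.8.8
                                       8.8.4.4
"""

ARP_OUTPUT = """
Interface: 192.168.30.7 --- 0xb
  Internet Address      Physical Address      Type
  192.168.30.1          50-00-00-00-00-01     dynamic
  192.168.30.2          50-00-00-02-00-01     dynamic
  192.168.30.255        ff-ff-ff-ff-ff-ff     static
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# 'DHCP Server . . . : a.b.c.d' lines, one per DHCP-enabled adapter
DHCP_SERVER_RE = re.compile(r"^\s*DHCP Server[ .]*:\s*" + IPV4, re.M)
# 'ip  xx-xx-xx-xx-xx-xx  dynamic|static' rows of the ARP table
ARP_ROW_RE = re.compile(r"^\s*" + IPV4 +
                        r"\s+([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(dynamic|static)",
                        re.M | re.I)


def dhcp_servers_from_ipconfig(text):
    """All 'DHCP Server' addresses listed by ipconfig /all."""
    return DHCP_SERVER_RE.findall(text)


def parse_arp_table(text):
    """Map IP -> lowercase colon-separated MAC from arp -a output."""
    return {ip: mac.lower().replace("-", ":")
            for ip, mac, _kind in ARP_ROW_RE.findall(text)}


def locate_dhcp_server(ipconfig_text, arp_text, known_server_macs):
    """Return (server_ip, server_mac, known) for each DHCP server the client used.

    server_mac is None when the server has no ARP entry (off-link, e.g. a lease
    obtained through a DHCP relay); known is True only when the MAC is one of
    the expected servers, so False marks a rogue candidate to chase down in the
    switch MAC address tables.
    """
    arp = parse_arp_table(arp_text)
    known = {m.lower() for m in known_server_macs}
    return [(ip, arp.get(ip), arp.get(ip) in known)
            for ip in dhcp_servers_from_ipconfig(ipconfig_text)]


# Assumption for the example: the FortiGate at 192.168.30.1 (MAC
# 50:00:00:00:00:01 in the ARP table) is the only expected DHCP server.
KNOWN_DHCP_SERVER_MACS = {"50:00:00:00:00:01"}

if __name__ == "__main__":
    for ip, mac, ok in locate_dhcp_server(IPCONFIG_OUTPUT, ARP_OUTPUT,
                                          KNOWN_DHCP_SERVER_MACS):
        print("DHCP server %s -> %s (%s)" % (ip, mac,
                                             "expected" if ok else "UNEXPECTED"))
```

On the sample output the lease came from 192.168.30.2, which resolves to 50:00:00:02:00:01 and is not an expected server; that MAC is the one to look up in the switch MAC address tables with the commands above.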


Resolution:

Since broadcast DHCP traffic operates at the Data Link Layer and does not pass through the FortiGate, it is not possible to block rogue DHCP servers directly from the FortiGate. Instead, switch-based access control methods such as DHCP snooping must be used to restrict which devices are allowed to send DHCP server traffic on the network. If using a managed FortiSwitch, see the administration guide: Configuring the DHCP server access list.


If DHCP snooping is not an option, in a controlled environment it may be possible to correct the issue by isolating the MAC address to a particular switch port and applying one of the following:

  • Correcting the configuration on the server or switch port if the device is intended, but should not be providing DHCP services on this VLAN.
  • Disabling/quarantining the switch port, and all other switch ports not in use, if the device is unintended.

 

Related articles:

Technical Tip: Understanding DHCP Server and DHCP Relay functionality on FortiGate

Troubleshooting Tip: Check DHCP Messages with VLAN Tag using Wireshark Packet Capture