
Weird problem with Windows 7 and m0n0wall

Solomaxwell6 Registered User regular
So, I run my fraternity's computer network. It basically goes through a soekris net4801 router equipped with m0n0wall, then a switch that divides it up into each of our three houses, then a switch at each of the three houses to provide internet service to each room.

Today, a few people running Windows 7 started having difficulties connecting to the internet. So I checked it out, and it looks as if their IP addresses are 192.168.1.0/24. The network is on 192.168.13.0/24 (not sure why 13 was picked, it was that way long before I took over the position). I tried ipconfig /release /renew, but they kept getting 192.168.1.*, and therefore couldn't connect to the internet. I was able to get it to work by just manually configuring the IP addresses to the proper subnet, but that's just a temporary solution.

Note that they haven't really had any problems in the past.

Anyone know what's going on and how I can make a more permanent solution to the problem? I'm a lot more familiar with Cisco devices than m0n0wall, and I don't have too much experience either way, so a lot of this is kind of new to me.


These are the sort of DHCP log entries I'm getting (newest at the top)... typically, the computer should accept the IP address offered by DHCPOFFER, but it's not doing that in this case:
Mar 3 19:18:33 dhcpd: DHCPINFORM from 192.168.1.133 via sis0: unknown subnet for address 192.168.1.133
Mar 3 19:18:29 dhcpd: DHCPOFFER on 192.168.13.218 to [MAC address] ([name]) via sis0
Mar 3 19:18:28 dhcpd: DHCPNAK on 192.168.1.133 to [MAC address] via sis0
Mar 3 19:18:28 dhcpd: DHCPREQUEST for 192.168.1.133 (192.168.1.1) from [MAC address] via sis0: wrong network.
Mar 3 19:18:28 dhcpd: DHCPDISCOVER from [MAC address] ([name]) via sis0


  • stigweard Registered User regular
    edited March 2010
    One of three things is going on (all the same result). Someone is running a server version of something with dhcp enabled (maybe windows network sharing ips or whatever it is called), there is another router with dhcp enabled, or someone has been the victim of dns poisoning and is sending out fake local ips, dns etc... Use something like wireshark or autoscan to locate the offending machine.

    Alternatively, set the machine to static ips. It doesn't fix the underlying problem, but they will get their internet back.

  • Solomaxwell6 Registered User regular
    edited March 2010
    But would any of those really be Windows 7 particular? The thing that I'm really curious about with the whole thing is the fact that it's only affected Windows 7 computers. I don't know what Win7 would be doing differently that would change something like grabbing an IP from the DHCP server.

  • stigweard Registered User regular
    edited March 2010
    I've seen stranger. I ran into a small network one time (~30 machines) where two would get a different gateway than the rest of the network. It turned out to be a voip server for the phone system that had a dhcp server enabled. For some reason, it only ever affected two machines apart from the phones.

    What I see in the log is that the suspect machine is asking for dhcp info. The proper dhcp server offers out a new ip for it, but it refuses it and re-requests from 192.168.1.1. If you set up a machine on that subnet, can you ping that ip? The machines are getting the information from somewhere, or they would default to the 169... address.

  • Älphämönkëy Registered User regular
    edited March 2010
    Operating systems have different network timing configurations. I have had to muck with OS X to increase the timeout window when requesting an IP from a slow DHCP server.

    Use ARP to get the MAC address of the other DHCP server and see if you can trace it back from there. If you don't have managed switches, you can either inspect room-to-room or just do a rolling outage one port at a time until you isolate where the DHCP server is coming from.

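Added example, not part of the thread: a small Python check over dhcpd log lines like the ones in the original post. It treats the address in parentheses on a DHCPREQUEST line as the server the client selected and reports any server that is not the authorized one. The router LAN address 192.168.13.1 and the MAC addresses and hostnames in the sample are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Assumptions: the subnet named in the thread and an assumed router LAN address.
SERVED_NET = ipaddress.ip_network("192.168.13.0/24")
AUTHORIZED_SERVERS = {ipaddress.ip_address("192.168.13.1")}

# Constructed sample modelled on the posted log; MACs and names are made up.
SAMPLE_LOG = """\
Mar 3 19:18:33 dhcpd: DHCPINFORM from 192.168.1.133 via sis0: unknown subnet for address 192.168.1.133
Mar 3 19:18:29 dhcpd: DHCPOFFER on 192.168.13.218 to 00:11:22:33:44:55 (laptop-a) via sis0
Mar 3 19:18:28 dhcpd: DHCPNAK on 192.168.1.133 to 00:11:22:33:44:55 via sis0
Mar 3 19:18:28 dhcpd: DHCPREQUEST for 192.168.1.133 (192.168.1.1) from 00:11:22:33:44:55 via sis0: wrong network.
Mar 3 19:18:28 dhcpd: DHCPDISCOVER from 00:11:22:33:44:55 (laptop-a) via sis0
Mar 3 19:20:02 dhcpd: DHCPREQUEST for 192.168.13.40 (192.168.13.1) from 00:aa:bb:cc:dd:ee via sis0
"""

# "DHCPREQUEST for <requested ip> (<server identifier>) from <mac>"
REQUEST_RE = re.compile(
    r"DHCPREQUEST for (?P<ip>[\d.]+)(?: \((?P<server>[\d.]+)\))? "
    r"from (?P<mac>[0-9a-fA-F:]{17})"
)


def find_foreign_servers(log_text):
    """Map each unauthorized DHCP server to the (client MAC, requested IP) pairs seen."""
    findings = defaultdict(set)
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m or not m.group("server"):
            continue  # not a request, or a renewal with no server identifier
        server = ipaddress.ip_address(m.group("server"))
        requested = ipaddress.ip_address(m.group("ip"))
        # Flag requests bound to another server or for an address off the served subnet.
        if server not in AUTHORIZED_SERVERS or requested not in SERVED_NET:
            findings[str(server)].add((m.group("mac").lower(), str(requested)))
    return {srv: sorted(clients) for srv, clients in findings.items()}


if __name__ == "__main__":
    for srv, clients in find_foreign_servers(SAMPLE_LOG).items():
        print(f"unauthorized DHCP server {srv}:")
        for mac, ip in clients:
            print(f"  client {mac} requested {ip}")
```

The server address it reports is the one to look up in a client's ARP table when tracing the device to a switch port.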