@ccwtech That makes sense. Should be interesting to know what it was!

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.

Weve isolated to one AP.

Ahh, well I don't know what to do then.

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

Very fast. Maybe every 10 seconds.

Maybe you can find it by working with the switches. First finding from which switch it comes and then from what port.

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request?

The MAC address is gibberish, so our guess is a broken device (either end point or AP.)

How fast are the requests showing up? Maybe that would determine if it's malicious or not?

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@pete-s said in Getting DHCP BAD_ADDRESS on Windows DHCP:

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds like a DHCP starvation attack!

It ends up being that way, but we don't think it is intentional.

But what could possibly make the mac address change for each request? Or you think some hardware is broken?

@scottalanmiller said in Getting DHCP BAD_ADDRESS on Windows DHCP:

Base problem now.... whatever device this is keeps trying to connect and fills up the DHCP range quickly causing issues.

That's sounds exactly like a DHCP starvation attack! Intruder alert!

@scottalanmiller You have some linguistic gymnastics going on there.

This is what wikipedia says:

Best practice
A best practice is a method or technique that has been generally accepted as superior to any alternatives because it produces results that are superior to those achieved by other means or because it has become a standard way of doing things, e.g., a standard way of complying with legal or ethical requirements.

"Generally accepted as superior" being the central point here. IMHO best practice means just that. It doesn't mean that it is actually the best way in every situation, only that it is accepted as generally the best way.

Put in another way - you better have a good reason to do things differently.

@scottalanmiller said :

What use case are you envisioning?

@donahue said :

maybe personal VPN, like those VPN services?

That's why I said:

Or are you thinking about it for privacy issues?

To be able to hide your IP and circumvent geoblocking you could for instance use a VPN service or a http proxy service or something else like a ssh tunnel or whatnot.
That could be the use case.

Also ios 12.0.1 have only been out a couple of days. What did you expect?

If it works over an android phone using the same SIM card and not over the apple phone then it's pretty obvious it's the phone.

Since the phone works as a router in this scenario it has to have ipsec pass through. Maybe there is a bug in the apple phone. Who knows? Apple don't give a cr*p - if they think ipsec passthrough is not needed for their users they will just disable it.

You can enable logging on your VPN client in Windows. Then you can see how far it goes and that could provide some clue how to work around the problem. Or just use your android phone...