MikroTik Scripts: Discover Unknown DHCP Server on the Network

Configuring discovered of an unknown DHCP server on the network and sending a notification to Telegram or email. The name of the DHCP interface on which the server is found, the IP and MAC addresses of the unauthorized device are sent.

Sometimes it happens when an employee connects the situation to the local network of the enterprise, a personal router, with the DHCP server enabled, which can cause problems with connecting new IP addresses of devices on the local network. Problems may not be detected immediately, but when the lease of IP addresses expires.

For quick notification of the appearance of an unauthorized DHCP server in the local network, use the Alerts setting in the DHCP server settings.

Article in other languages:
?? – Scripts MikroTik: Descubre un servidor DHCP desconocido en red
?? – MikroTik Скрипты: Обнаружение неизвестного DHCP сервера в сети
?? – Scripts MikroTik: Découverte d’un serveur DHCP inconnu sur le réseau
?? – MikroTik-Skripte: Erkennen Sie unbekannte DHCP-Server im Netzwerk
?? – MikroTik-scripts: Detectie van een onbekende DHCP-server op het netwerk

Create alert

Initial data:

• Interface: bridge1-lan – DHCP server interface name;
• Valid Servers: 64:D1:54:52:6C:36 – MAC address of the DHCP server interface (bridge1-lan);
• Alert Timeout: 10 minutes – interval for checking an unauthorized DHCP server and sending a notification.

Setting up a warning:

[IP] -> [DHCP Server] -> [Alerts] -> [+] -> [Interface: bridge1-lan] -> [Valid Servers: 64:D1:54:52:6C:36] -> [Alert Timeout: 00:10:00]

I recommend calling the test script in the Alert window, rather than placing the script text. If the scripts are placed in one place [System] -> [Scripts] it improves the usability of the device than placing the scripts in certain device settings.

Script call code:

/system script run DiscoverUnknownDHCPServer

Script: Discover unknown DHCP server and send message to Telegram

To send Telegram message, I use the function call – MikroTik Scripts: Sending a message to Telegram (function).

Let’s create a script:

[System] -> [Scripts] -> [+] -> [Name: DiscoverUnknownDHCPServer] -> [Policy: read, write, polisy, test]

Script code:

# Find DHCP Alert 
:local CurrentTime [/system clock get time];
:local MsgID [/log find where message ~"dhcp alert" time =$CurrentTime];
:local MsgText [/log get number=$MsgID message];

# Send Telegram Message
:local DeviceName [/system identity get name];
:local MessageText "\F0\9F\94\B4 <b>$DeviceName: UNKNOWN DHCP SERVER FOUND! </b> Info: $CurrentTime $MsgText";
:local SendTelegramMessage [:parse [/system script  get MyTGBotSendMessage source]];
$SendTelegramMessage MessageText=$MessageText;

Script: Discover unknown DHCP server and send message to email

To send Telegram message, I use the function call – MikroTik Scripts: Sending Notifications and Files to Email (function).

Let’s create a script:

[System] -> [Scripts] -> [+] -> [Name: DiscoverUnknownDHCPServer] -> [Policy: read, write, polisy, test]

This script does not use file upload, so the FileName parameter is assigned an empty value “”.

Script code:

# Find DHCP Alert 
:local CurrentTime [/system clock get time];
:local MsgID [/log find where message ~"dhcp alert" time =$CurrentTime];
:local MsgText [/log get number=$MsgID message];

# Send Email
:local DeviceName [/system identity get name];
:local Time [/system clock get time];
:local Date [/system clock get date];

:local SendTo "mail@mail.com";
:local Subject "\F0\9F\94\B4 CRITICAL: $DeviceName [$Date $Time] UNKNOWN DHCP SERVER FOUND!";
:local MessageText "$MsgText";
:local FileName "";

:local SendEmail [:parse [/system script get SendEmailFunction source]];
$SendEmail SendTo=$SendTo TextMail=$MessageText Subject=$Subject FileName=$FileName;

One-line script

Sending a notification about an unknown DHCP server in Telegram:

/tool fetch url="https://api.telegram.org/bot<BotToken>/sendMessage\?chat_id=<GroupID>&text=Unknown DHCP server on interface: $interface (IP: $address, MAC:$"mac-address")" keep-result=no;

Sending a notification about an unknown DHCP server to email:

/tool e-mail send to=dest_mail@mail.com server=[:resolve "smtp.mail.com"] port=465 start-tls=tls-only user="my_mail@mail.com" password="Pa$$woRD"  from="my_mail@mail.com" subject="$[/system identity get name] UNKNOWN DHCP SERVER FOUND!" body="Unknown DHCP server on interface: $interface (IP: $address, MAC:$"mac-address")"

---

? How to discovered the appearance of an unknown DHCP server on the local network (a problem in small networks) and send a notification in Telegram or email was discussed in this article. I hope that a quick way to find out about an unauthorized DHCP server on the local network will allow you to respond faster and make your work easier. However, if you run into any problems while setting up, feel free to write in the comments. I will try to help.

✅ The script is checked: hAP ac lite [RouterBOARD 952Ui-5ac2nD], RouterOS 6.47.8 (stable).