We have been struggling with a rogue DHCP server for quite some time now.

Users are meant to be on a network of 192.168.10.xx with .14 as the DNS, and .254 as the gateway, but this will set users on a subnet of 192.168.30.xx with both DNS and gateway as x.x.30.1.

Our site consists of a Windows Server 2012, with 2 virtual machines also running Server 2012 (an Exchange Server and a Terminal Server).

Our main Draytek router (x.x.10.254) connects to an ISP-provided ethernet WAN switch and radio ethernet modem. It points users to the pre-configured .14 DNS/DHCP Windows server.

Then a Netgear R7000 is used as a wireless access point. DHCP is disabled, and points users to x.x.10.14. This provides extra WiFi coverage for the factory laptops.

Initially I suspected it was the R7000, but after putting it on custom firmware, the issue persists.

The issue can happen to both users on the ethernet hardwire, AND both WiFis.

Running some network scans, I can see x.x.30.1 has a MAC address of 00-ac-a8-72-ed-2e. But this doesn't seem to give me any help in finding it, as it doesn't belong to any known manufacturer.

Thanks in advance, and I hope this is enough information.


EDIT: I found the answer!

Turns out there was an old VPN (SoftEther) service that was enabled with a DHCP service for incoming connections. Not sure how, but it must've got mixed up and was handling half the PCs in the network.

1 Answer

Allowing rogue/uncontrolled DHCP servers on your network is a serious security issue. A DHCP server can easily force all traffic through an attacker's server, scanning and manipulating it at will.

You need managed switches. With the DHCP server's MAC address you can track down that address to a switch port and follow the cable.

Additionally, you'll want DHCP snooping on your switches. DHCP snooping is configured with the DHCP server(s) and ports that you actually use and locks out all others.

More additionally, you need a network policy that defines who is allowed to set up or authorize network equipment and services. All users and other people with access to your network have to submit to this policy.

Zac67
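As an added example (not part of the question or the answer above), the following Python script shows the detection side of the problem: it parses DHCP OFFER messages and flags any whose server identifier, offered address, router or DNS does not match the network described in the question (192.168.10.0/24, gateway .254, DNS/DHCP server .14). The allowlist values, the packet builder and the sample packets are constructed here for illustration; in practice the UDP payloads would come from a capture of ports 67/68 on a mirror port.

```python
import struct
from ipaddress import IPv4Address, IPv4Network

MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Policy values assumed from the question: the only legitimate DHCP server is .14,
# the gateway is .254 and clients must land in 192.168.10.0/24.
EXPECTED_NET = IPv4Network("192.168.10.0/24")
EXPECTED_ROUTER = IPv4Address("192.168.10.254")
EXPECTED_DNS = IPv4Address("192.168.10.14")
AUTHORIZED_SERVERS = {IPv4Address("192.168.10.14")}

# BOOTP fixed header: op, htype, hlen, hops, xid, secs, flags, ciaddr, yiaddr,
# siaddr, giaddr, chaddr(16), sname(64), file(128) = 236 bytes.
HEADER_FMT = "!BBBBIHH4s4s4s4s16s64s128s"


def build_dhcp_offer(server_id, yiaddr, router, dns, xid=0x1234ABCD,
                     chaddr=b"\x00\x11\x22\x33\x44\x55"):
    """Construct a DHCPOFFER payload (test data only, not a real capture)."""
    header = struct.pack(
        HEADER_FMT, 2, 1, 6, 0, xid, 0, 0,
        b"\x00" * 4, IPv4Address(yiaddr).packed, IPv4Address(server_id).packed,
        b"\x00" * 4, chaddr.ljust(16, b"\x00"), b"\x00" * 64, b"\x00" * 128)
    options = (
        b"\x35\x01\x02"                                        # 53: message type OFFER
        + b"\x36\x04" + IPv4Address(server_id).packed          # 54: server identifier
        + b"\x01\x04" + IPv4Address("255.255.255.0").packed    # 1: subnet mask
        + b"\x03\x04" + IPv4Address(router).packed             # 3: router
        + b"\x06\x04" + IPv4Address(dns).packed                # 6: DNS server
        + b"\xff")                                             # end
    return header + MAGIC_COOKIE + options


def parse_dhcp(packet):
    """Return the fields of a DHCP message as a dict; options keyed by tag."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, _, hlen, _, xid, _, _, _, yiaddr, _, _, chaddr = struct.unpack(
        "!BBBBIHH4s4s4s4s16s", packet[:44])
    options, i = {}, 240
    while i < len(packet):
        tag = packet[i]
        if tag == 255:            # end option
            break
        if tag == 0:              # pad option has no length byte
            i += 1
            continue
        length = packet[i + 1]
        options[tag] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": IPv4Address(yiaddr),
            "chaddr": chaddr[:hlen].hex(":"), "options": options}


def _ip_option(options, tag):
    raw = options.get(tag)
    return IPv4Address(raw[:4]) if raw and len(raw) >= 4 else None


def audit_offer(packet):
    """Return a list of policy violations for one DHCPOFFER (empty = legitimate)."""
    msg = parse_dhcp(packet)
    if msg["options"].get(53, b"")[:1] != b"\x02":
        return []                 # only OFFERs are judged here
    server_id = _ip_option(msg["options"], 54)
    router = _ip_option(msg["options"], 3)
    dns = _ip_option(msg["options"], 6)
    findings = []
    if server_id not in AUTHORIZED_SERVERS:
        findings.append(f"unauthorized DHCP server identifier {server_id}")
    if msg["yiaddr"] not in EXPECTED_NET:
        findings.append(f"offered address {msg['yiaddr']} outside {EXPECTED_NET}")
    if router != EXPECTED_ROUTER:
        findings.append(f"router option {router} != {EXPECTED_ROUTER}")
    if dns != EXPECTED_DNS:
        findings.append(f"DNS option {dns} != {EXPECTED_DNS}")
    return findings


if __name__ == "__main__":
    # Constructed samples: one offer from the real server, one from the rogue x.x.30.1.
    for name, pkt in [
        ("legit", build_dhcp_offer("192.168.10.14", "192.168.10.50", "192.168.10.254", "192.168.10.14")),
        ("rogue", build_dhcp_offer("192.168.30.1", "192.168.30.50", "192.168.30.1", "192.168.30.1")),
    ]:
        print(name, audit_offer(pkt) or "OK")
```

Running this against real traffic pairs naturally with the answer's advice: the offending server identifier tells you which IP to resolve to a MAC, and the MAC is what you then look up in the switch's forwarding table to find the port. DHCP snooping does the same filtering in the switch itself, so a script like this is a useful stopgap (and an audit) rather than a replacement for it.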