I run a public wireless network, and I am somehow being bridged to a DHCP server on the Vodafone network. I am getting DHCP packets on my 192.168 network from an external 109.115.x.x. Vodafone has offered no help in locating the subscriber.
Of course not. But that isn't what you should be doing. You should
be finding out where the DHCP server is. You've no reason to
believe that it actually is on Vodafone's network, and
Vodafone's response to you is correct until you prove that
the network traffic really is coming from Vodafone. It's highly
probable, after all, that it isn't. Here's a tip: If it's truly a rogue
DHCP server, as claimed, then it has no reason to be telling the truth
about anything, including the IP address of the originating
machine. Get your network traffic analysis tools out and trace
the network datagrams. Find out which physical machine they are
coming from. It's highly probable that it's a machine that is
physically part of your network, not Vodafone's. (It's highly
probable that it's a machine that is attached wirelessly to your
network, too.)
You're wasting your time looking at the Internet Protocol layer.
Look at the data link and physical layers. It's almost certainly not
the case that the datagrams are coming over your border routers from
Vodafone via Internet at large. (Internet at large doesn't route
192.168/16 to your AS.) Yet that is what you need to prove before
going to Vodafone. And even then, this is in part a question of why
your border routers are letting 192.168/16 traffic cross them in either
direction, which they really should not be. (It's your border router
configurations that make such IP addresses site-local in the
first place, by not routing traffic using them across your site
borders.) When you actually look, you'll very probably find that
the traffic is confined to your network and is your internal problem,
not Vodafone's at all. You'll very probably find that your problem is
that you are letting any machine on your network send traffic with
source addresses that aren't in 192.168/16 (nor in any other link-local
or site-local address ranges). In which case, you have things about
your own network, and what you are letting members of the public do
within it, to think about.