Is it possible that a lower level network can provide IP addresses for the higher level network? And how to prevent that?
Solution 1:
If there are two or more DHCP servers, the one that answers your query first will "win". Your computer or any other device has no concept of "higher level network" or so, until it gets the IP address for itself and learns the netmask and the IP address of the gateway – but unless you use static settings, these information comes from (any) DHCP server.
If your router was able to filter packets travelling between LAN ports, it could filter out unwanted DHCP communication. But most probably all the LAN ports form a hardware switch or hub and you cannot separate these ports with software firewall of the router. Communication between LAN and Wi-Fi is probably bridged at software level and in theory you could filter it.
Properly configured firewall (extra device) inserted between your router and the "black box" part of the network would filter unwanted DHCP communication.
What you seek is called "blocking rogue DHCP". One method is to set local firewalls on affected devices to only accept DHCP offers from your router by its MAC address, or at least to block the known rogue DHCP by its MAC address.
- Blocking rogue DHCP in network
- pfsense: blocking a 2nd DHCP server
Assigning static IP addresses independent from DHCP is quite a sane solution in such a situation. Still, identifying rogue DHCP servers, cutting them off or making them stop is better.
Solution 2:
Something else is assigning IP addresses. If two devices on a network are serving two separate IP subnet DHCP pools you will get unexpected results.
It sounds like this mystery cable is the culprit. Try disconnecting it and see if the renewed IP addresses go back to normal. Whichever DHCP server responds first is what net addresses you will wind up with. I.e., something downwind is responding before your Wi-Fi router assigns your IP addresses.
Solution 3:
DHCP relies on IP broadcast when making a discovery. Authoritative DHCP will always answer these requests. Meaning if you have more than one of them on the same network segment then you'll get unpredictable behavior between which DHCP takes ownership of the network. If the DHCP is non-authoritative it will only answer requests on its subnet.
So you and your blackbox friend can agree to use separate IP subnets and use non-authoritative DHCP. Or you would need a managed switch which blocks broadcasts to and from that network port.
Also note when I say managed switch your router is ALSO a switch and if it has vlan features its also a managed switch.