hint000 , Anatoly , BasiC2k , Talyan , CityCat4 ,
guys, in general the answer was like this!
On Saturday I raised vlans on Mikrotiks. Lord, what a hemorrhoids) and while chopping off the equipment again caught this elusive IP hard cornered it by disabling ports) and then victory! Basically like you all said. in general, a worm-pi .... p turned out to be a running line. before that, I already knew that they wildly spam DHCP on the network, and how BE I was more than sure that it was them. now he proved it to himself. in general, for those who encounter such a trouble. in my case, the installation of a wifi router helped, which by default has ....0.50 IP as well as DHCP Alerts and the best way to disable patch cords and identify where the "intruder" is located. thank you all for your help! Thank you all for your patience. We got a very interesting story)

Looked at the previous threads. You are mixing tracer, ping, dhcp, network scanning all in one pile.
Judging by the first topic, there is an alternative dhcp in your network. It should be understood that this is not necessarily the server itself, it can be realy. At the same time, it can be either your relay due to configuration errors, or the "left" one.
But you should understand that if the dhcp address is not on your subnet, it may be two different hosts. Those. a host on your subnet or relay received a dhcp broadcast request from you, responded to you, and presented itself with a specific ip. But since this ip is not in your subnet, traffic to it will go through the gateway, so you can go to a completely different node.
Example:
I raise dhcp in your network and manually assign it ip yandex. You got an address and are trying to ping my ip, but the traffic will go to the gateway and the gateway will send it to yandex and the yandex node will answer you.
You need to find dhcp on the network that "does dirty tricks" to you. First, look at the wireshark mak address that answers you. Try to find it on switches. In the worst case, narrow the domain, you can even physically turn off the switches or insert a well-configured Mikrotik into the cut.

Perhaps your network has video surveillance elements from the Chinese set. Some network cameras and recorders can raise DHCP. The settings of such a device may be reset to "default" due to a power failure.

From the very beginning, I didn’t follow it, as an option: make a rule on the router to drop dhcp packets that do not come from LAN

I'm surprised no one has answered this before, but... it could be a virus.

The provider does not have a locale, such as a beeline?
Perhaps someone connected a second Internet channel, and confused WAN with LAN.
What's stopping you from finding a third-party DHCP? "arp -a" has not been canceled))
...
change admin