We run a large wireless network which connects back to an rb1200 terminating pppoe sessions.
Basically all clients have a router (in many cases a mikrotik routerboard), and they connect via pppoe.
Radios connect to ETH1 and then we run pppoe interface on that, this is standard across the board.
Radios used are pretty much the default settings, they range from Ubiquitis, Skypilots and Motorolas.
Recently, we’ve noticed some strange large continuous traffic spikes being broadcast around the network, hitting certain parts of the wireless network, not isolated to any particular parts, just random.
These traffic spikes saturate the client links but they do not hit the pppoe client interface, they hit the physical interface only.
I’m scratching my head on this one, I’m sure it’s something simple I’ve missed, I’d appreciate if anyone could give me some clues as to what this can be.
Attached is a screen shot of a client affected router, you can see that traffic hitting the physical connected interface ETH1, but not the pppoe interface.
thanks.
Oh, not technically complicated, what is complicated is this network segment is inside Mexico’s customs building, in a very sensitive area, what’s complicated is to obtain all the necessary permits to access the premises.
Here is a Packet Sniffer file pcap_all.zip with all MAC protocol filter disabled on ether1
pcap_pppoe_disc.zip is a Packet Sniffer file with all MAC protocol filter enabled except pppoe-discovery on ether1
pcap_pppoe_sess.zip is a Packet Sniffer file with all MAC protocol filter enabled except pppoe-session on ether1
I manually added .zip extensions, please remove it first, forum won’t let me upload with different extensions but the files are exactly as they were downloaded from the Routerboard.
Little PPPoE discovery traffic. PPPoE session traffic dominated by exchanges involving a Dell, Fortinet and TP-Link device. Does that make sense? Use my email if easier to explain situation.
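The per-device breakdown described in the reply above (how much PPPoE discovery versus session traffic each source MAC contributes) can be reproduced from a capture with the following added example, which is not part of the original thread. It assumes the sniffer file is a classic pcap with Ethernet link type; the function names and the sample MAC addresses are made up for illustration.

```python
import struct
from collections import Counter

PPPOE = {0x8863: "discovery", 0x8864: "session"}  # PPPoE EtherTypes

def pppoe_talkers(pcap: bytes) -> dict:
    """Bytes on the wire per (source MAC, PPPoE stage) in a classic pcap."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic microsecond pcap (pcapng unsupported)")
    if len(pcap) < 24 or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected an Ethernet (linktype 1) capture")
    totals, off = Counter(), 24
    while off + 16 <= len(pcap):
        _, _, incl, orig = struct.unpack(end + "IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl]
        off += 16 + incl
        if len(frame) < 14:
            continue  # truncated record
        etype, pos = struct.unpack("!H", frame[12:14])[0], 14
        while etype in (0x8100, 0x88A8) and len(frame) >= pos + 4:  # VLAN tags
            etype = struct.unpack("!H", frame[pos + 2:pos + 4])[0]
            pos += 4
        if etype in PPPOE:
            totals[(frame[6:12].hex(":"), PPPOE[etype])] += orig
    return dict(totals)

def _frame(src: str, etype: int, payload_len: int) -> bytes:
    return bytes.fromhex("ffffffffffff" + src) + struct.pack("!H", etype) + bytes(payload_len)

def sample_pcap() -> bytes:
    """Constructed capture; the locally administered MACs are made up."""
    frames = ([_frame("020000000001", 0x8864, 1400)] * 5
              + [_frame("020000000002", 0x8864, 100),
                 _frame("020000000002", 0x8863, 40),
                 _frame("020000000001", 0x0800, 60)])  # IPv4 frame is ignored
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    ranked = sorted(pppoe_talkers(sample_pcap()).items(), key=lambda kv: -kv[1])
    for (mac, stage), nbytes in ranked:
        print(f"{mac}  {stage:<9}  {nbytes} bytes")
```

For a real capture, pass the file's bytes to `pppoe_talkers`; a source MAC with a large session total that does not belong to the PPPoE server or to the client behind that link is the device to trace.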
It was a rogue router on the network generating that traffic.
When we disconnected it, the traffic disappeared.
From memory it was a D-link, apparently a firmware upgrade fixed the issue.
Yes, I somehow found what you are mentioning: a Dell, a Fortinet and a TP-Link device. Yesterday we were able to identify the Fortinet and the TP-Link, so we disconnected those two customers and the traffic went down a lot, not quite to zero (still the Dell that we haven’t found yet) but quite a lot less. Any idea how I can block those?
Or do you believe there’s something wrong with those devices? Poor configuration? Defective? What can I tell the customers in order to point them in the right direction to get their stuff fixed…
your pppoe client receives 5 Mbps of traffic - use Torch on it, not on ether1
also, 5 Mbps on pppoe-out1 = 3 Mbps on ether2 + 2 Mbps on ether4. what’s the problem?
Having exactly the same problem with no solution!! I’ve searched everywhere, can someone explain what this is?
Having 2 SXT both set to AP bridge mode, however, one receives such traffic (8864) on ethernet and transmits it through WLAN, and the other one receives the traffic without transmitting it to WLAN!
What could be wrong? I’ve searched everything, and both have the same configuration!
I’ve run Torch on the pppoe interface, or on interface eth1, but the eth. 8864 protocol (pppoe) is still visible when I torch interface pppoe or ether1.
Does it occur because of the pppoe broadcast?