I’m having trouble tracing traffic on my network.
All clients (CPEs) on the wireless network are NATted, but still I get 192.168.0.0/24 traffic on my network.
That IP range is nowhere, there are no routes to that range, but all CPEs use that as their local LAN IP range.
It seems there is more than one that does this, but I traced it by using torch and the packet sniffer to a specific router.
There is no proxy ARP or anything else except the settings below, the default route and DHCP settings, yet the 192.168.0.xx IPs on this router are broadcast right up to my breakout router. I mean broadcast in that I can see it with torch.
How is this possible? According to my backbone network this IP range does not exist. If these LAN IPs are masqueraded, how can they get past the CPE?
/ip address> pr
  ADDRESS           NETWORK       INTERFACE
0 192.168.0.1/24    192.168.0.0   LAN
1 10.1.6.22/24      10.1.6.0      PUBLIC
Can’t speculate on what causes the invalid connections, but they will not be subject to NAT, and will pass out the uplink interface with the source IP intact.
I have seen some cases where a PC has an old printer driver that is trying to talk to a network printer that was set up with a fixed IP address. After the PC moves to a new subnet, it keeps trying to check the status of its lost printer. It doesn’t seem likely in your case with everyone NATted.
You could try setting up the DHCP server alert to see if there are any rogue DHCP servers online.
I am currently trying to track down some 192.168.1.x traffic on my network that doesn’t belong but I don’t have an answer yet. One of the packets that I captured has something to do with multicast. I will be looking at it more tomorrow. I have considered the possibility that some of the traffic is just “responses” to the original trigger packets, whatever those are.
You could try setting up the DHCP server alert to see if there are any rogue DHCP servers online.
Here, all client CPEs are NATted and all have DHCP running on the local, NATted interface. There are no DHCP servers on the ‘public’ wireless backbone side. I don’t use bridges, and everything, even links between routers, is subnetted. APs have /24 and uplinks have /30 and /29 subnets.
So I do not understand how that IP range (and it is a lot, almost all client 192.168.0.xx IPs) can even get across the network, but I suppose the default route does not care whether it is a private IP range or not.
I suppose I can block it on every CPE or highsite with filter rules, but it should not be like that. NAT is supposed to, well, NAT everything.
This only happens on MikroTik CPEs, but not on all. Ubiquiti CPEs do not seem to do this, but I might be wrong.
Do you think it is possible that there is a bug with MT NATting that does not NAT UDP or broadcast or something like that?
How this all came to my attention is that whilst implementing new traffic recording software, I started to get heaps of notification mails about IP addresses not assigned to clients, as my breakout routers do not know who 192.168.0.xx is, but get packets originating from them.
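A RouterOS firewall configuration that follows from the earlier reply (packets in the invalid connection state bypass srcnat) and from the filter-rule idea in the last post, added here as an example and not taken from the thread. LAN and PUBLIC are the interface names from the address printout; the highsite interface name wlan-to-cpes and the address-list name are assumed.

```routeros
# ---- On each MikroTik CPE (LAN / PUBLIC as in the /ip address printout) ----
/ip firewall nat
add chain=srcnat out-interface=PUBLIC action=masquerade \
    comment="masquerade the 192.168.0.0/24 LAN behind the PUBLIC address"

/ip firewall filter
# Masquerade only rewrites packets that connection tracking has tied to a
# connection. Packets conntrack marks "invalid" (late or out-of-window TCP
# segments, replies to flows it never saw) skip the srcnat chain entirely
# and would leave PUBLIC with their 192.168.0.x source intact, so drop them
# in the forward chain before that can happen. Keep this above any accept.
add chain=forward connection-state=invalid action=drop \
    comment="invalid packets bypass NAT - never forward them"

# ---- On the highsite / breakout router (no NAT here, so src-address is the
#      real on-wire source). Interface name wlan-to-cpes is assumed. ----
/ip firewall address-list
add list=private-src address=192.168.0.0/16 comment="CPE LAN ranges"

/ip firewall filter
# Anything arriving from the CPE side with a private source is a NAT leak.
# log=yes writes in-interface and src-mac to /log, which identifies the
# CPE that let it through.
add chain=forward in-interface=wlan-to-cpes src-address-list=private-src \
    action=drop log=yes log-prefix="nat-leak" \
    comment="drop and log un-NATed CPE LAN traffic"
add chain=input in-interface=wlan-to-cpes src-address-list=private-src \
    action=drop log=yes log-prefix="nat-leak"
```

The egress check is placed on the highsite rather than the CPE because the CPE's own forward chain runs before srcnat and would see the pre-NAT 192.168.0.x source on legitimate traffic too.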