Hi.
There is an AP that is empty and no users are connected. But there is traffic between 10 and 50 mbps at the ether1 input. What could be the reason for this?
Can you help me?
Thanks in advance.
Port,Protocol and VLAN id could be added as information.
If Torch is not specific enough then use “Packet Sniffer”.
There is not much information, but in normal cases if this interface is the uplink there might be an attack on your router! If you have a public IP, in IP Settings check TCP-SYN Cookies. Also check if you have DNS Allow Remote Requests checked!
Hi,
packet sniffer link: https://servis.4gnet.com.tr/uploads/servis/2010/201020_packetsniff.zip
Even with no ip config and vlan, the problem still persists.
I ran Packetsniffer. I created 2 files.
Thanks.
Pull your files into Wireshark. Look and analyze, this should ring a bell.
Did you observe the issue to be present while taking the captures? Because your initial screenshot from torch shows that majority of the frames seen were PPPoE ones, and there is not a single PPPoE frame in either of your two capture files. If the issue was there while you were sniffing, was any sniffer filter configured (I suppose not as CDP is there)?
The reason why PPPoE traffic was reaching the AP may be that the switch to which both the actual recipient of the PPPoE traffic and the AP are connected (directly or indirectly) did not know where to send the traffic, so it was broadcasting it to all ports. This can happen if the forwarding table in some switch between the source and the destination is too small to handle the number of MAC addresses appearing in the network. Cheap switches may handle just 1024 addresses. It may also be a consequence of an attack, where the attacker keeps sending frames with different source MAC addresses, so it fills up the switches’ forwarding tables. When the forwarding table is full, the oldest record is removed as the newest one is added, so the traffic is always broadcast and the attacker can intercept it. Another reason may be that the destination does not respond, so its corresponding record in the forwarding table times out on the switch, and the switch keeps broadcasting until it gets a frame from the destination. But this last possibility is quite unlikely as the PPPoE protocol uses quite a lot of overhead communication which is bidirectional, so it should not last long if no other issue is there.
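The check asked for above (are the PPPoE frames from the torch screenshot actually in the capture, and is unicast traffic for other stations reaching this port?) can be scripted rather than eyeballed in Wireshark. The following is an added example, not code from any poster in this thread; it builds a constructed in-memory pcap with hypothetical MAC addresses so it runs offline, and the same `analyze()` accepts a real capture file given on the command line. It counts EtherTypes (looking past an 802.1Q tag), distinct source MACs, and unicast frames whose destination is not the capturing interface, which on a switched segment is the signature of unknown-unicast flooding.

```python
import struct
from collections import Counter

# Constructed sample, not one of the poster's two capture files: a minimal pcap
# (link type 1 = Ethernet) is built in memory so the check runs offline.

ETHERTYPE_NAMES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
}

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def eth_frame(dst, src, ethertype, payload=b"\x00" * 46):
    # 14-byte Ethernet II header followed by a dummy payload
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload

def build_pcap(frames):
    # pcap global header: magic, major 2, minor 4, thiszone, sigfigs, snaplen, linktype 1
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for ts, frame in enumerate(frames):
        out.append(struct.pack("<IIII", ts, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)

def parse_pcap(data):
    magic = struct.unpack_from("<I", data, 0)[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("expected Ethernet link type")
    off = 24
    while off + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len

def analyze(data, our_mac):
    """Count EtherTypes, distinct source MACs and unicast frames not addressed to us."""
    ethertypes = Counter()
    sources = set()
    total = stray_unicast = 0
    for frame in parse_pcap(data):
        if len(frame) < 14:
            continue
        dst, src = frame[0:6], frame[6:12]
        ethertype = struct.unpack("!H", frame[12:14])[0]
        if ethertype == 0x8100 and len(frame) >= 18:   # 802.1Q tag: look past it
            ethertype = struct.unpack("!H", frame[16:18])[0]
        total += 1
        ethertypes[ETHERTYPE_NAMES.get(ethertype, f"0x{ethertype:04x}")] += 1
        sources.add(mac_str(src))
        # A unicast frame whose destination is not this interface should not have
        # reached us at all; on a switched segment that means unknown-unicast flooding.
        if not (dst[0] & 1) and mac_str(dst) != our_mac.lower():
            stray_unicast += 1
    return {
        "frames": total,
        "ethertypes": dict(ethertypes),
        "distinct_sources": len(sources),
        "stray_unicast": stray_unicast,
    }

OUR_MAC = "d4:ca:6d:00:00:01"    # hypothetical MAC of the AP's ether1
BRAS_MAC = "00:0c:42:00:00:aa"   # hypothetical PPPoE server MAC
SAMPLE_FRAMES = [
    # PPPoE session replies from the server to four different clients; none is us
    eth_frame(f"02:00:00:00:00:0{i}", BRAS_MAC, 0x8864) for i in range(1, 5)
] + [
    eth_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:05", 0x0806),   # ARP broadcast
    eth_frame(OUR_MAC, "02:00:00:00:00:06", 0x0800),               # IPv4 to us
    eth_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:07", 0x8863),   # PPPoE PADI
]
SAMPLE_PCAP = build_pcap(SAMPLE_FRAMES)

def sample_report():
    return analyze(SAMPLE_PCAP, OUR_MAC)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(analyze(data, OUR_MAC))
```

Run it against one of the sniffer files (`python3 check.py capture.pcap` after setting `OUR_MAC` to the real ether1 address). A high `stray_unicast` count together with PPPoE Session frames confirms the flooding diagnosis; a high `distinct_sources` count hints at how many MAC addresses the switches in the path have to hold. Only the classic pcap format is handled; pcapng files need converting first.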
Indeed only the B->A part of the sessions, seeing the responses only.
I did not apply any filtering while capturing traffic.
Thank you very much for your answers and attention. I guess I am very inexperienced in these matters. I cannot find the source or cause of the problem.
I think the most likely cause is switches. I will work on it.
Is it possible for you to review the screenshot below? We have a management vlan. The switch in the image does not participate in this vlan. But there are 2700 registered macs.
If I turn off the administrator vlan on the main router, the number of macs drops to 400.
It is not possible for me to restart all switches while doing these operations.
Problematic traffic is decreasing but not disappearing completely.
Could the cause of the problem be management vlan?
As stated by Sindy, the traffic is coming to your ether2 interface, probably because some switch or other device does not know the exact path to the intended destination, and therefore a switch/bridge will send that traffic to all ports. A switch learns the path from the incoming packets (coming from 172.16.x.x in your case). The other reason might be that the switch only has 2048 (or even 1024) entries for its MAC table, so it could not store the proper path as there are 2700 entries at least. Nothing the Mikrotik can do about this traffic, this is pure incoming traffic delivered to ether2, even if it is consumed elsewhere. (The 172.16.x.x initiate a lot of connections, the answer to them also comes to this ether2 interface; they should only follow the path to 172.16.x.x if the switch is able to learn, store and be selective.) I don’t know your network, but the path to 172.16.x.x should be identified. When traffic stops the ARP entries will disappear on their own.
We may be getting somewhere. Your test shows that there are more than 2048 MAC addresses in your network; whereas Mikrotik’s software bridging can handle far more than that, that’s not the case with the switch chips used in the lower end models, some of them even handle only 1024 items, like e.g. the 8227 chip used in the hEX PoE lite you took as an example.
So if the “hardware acceleration” of bridging is activated on these Mikrotik devices (the default hw=yes on /interface bridge port rows), which means that transit L2 traffic is handled by their switch chips, this is a likely explanation.
A restart would not help as the switch chip MAC table capacity doesn’t change by restart, and as all the 2500 MAC addresses are always active so the MAC table is constantly updated with new records, squeezing out the old ones, so part of the traffic is always broadcasted.
What would help would be disabling the hardware forwarding on all small devices (smaller than CRS, that is), but this would rapidly increase their CPU load, possibly up to loss of management control over them, so not a good idea to do that remotely.
The problem is that you have too many devices in a single L2 segment, no matter whether in a management VLAN or in another one. Whereas you can activate per-VLAN MAC learning, it won’t increase the capacity of the forwarding tables either, rather the opposite, as each remote device which uses an interface in multiple VLANs then occupies as many slots in the table as VLAN interfaces it uses.
Partitioning the network into multiple L2 domains with routing between them is the best way to get rid of the issue. Not knowing the complete topology of the network, I cannot give any more detailed suggestions. And partitioning the network does NOT mean that all VLANs will be brought all the way to the central router - doing it this way wouldn’t change anything. You need to make some devices in regions routers for the management network.
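The mechanism described in the two posts above (a fixed-size MAC table, oldest record squeezed out by the newest, every frame with an unknown destination flooded to all ports, so the AP's port keeps receiving traffic meant for others) is easy to reproduce with a small model. This is an added example, not code from Sindy or from MikroTik; the table is a toy (ordered entries with oldest-first eviction, no hashing or ageing timers as real switch chips have), the host count, capacity, port layout and MAC addresses are constructed, and the traffic pattern (host i talks to host i+1, round-robin) is an assumption. It shows why a restart cannot help and why the flooding only stops once the number of active MAC addresses fits the table.

```python
from collections import OrderedDict

class ForwardingTable:
    """Toy switch MAC table with a fixed capacity and oldest-entry eviction,
    the behaviour the thread attributes to small switch chips. Assumption:
    real chips differ in hashing and ageing details."""

    def __init__(self, capacity, ports):
        self.capacity = capacity
        self.ports = list(ports)
        self.table = OrderedDict()      # mac -> port, oldest entry first
        self.forwarded = 0
        self.flooded = 0

    def learn(self, mac, port):
        if mac in self.table:
            self.table.move_to_end(mac)      # refresh an existing entry
        elif len(self.table) >= self.capacity:
            self.table.popitem(last=False)   # table full: squeeze out the oldest record
        self.table[mac] = port

    def forward(self, src, dst, in_port):
        """Return the list of egress ports for a frame entering on in_port."""
        self.learn(src, in_port)
        if dst in self.table:
            self.forwarded += 1
            return [self.table[dst]]
        self.flooded += 1                    # unknown destination: flood all other ports
        return [p for p in self.ports if p != in_port]


def simulate(num_hosts, capacity, rounds, host_ports=4, ap_port=5):
    """Hosts sit on ports 1..host_ports and talk round-robin (i -> i+1);
    the AP hangs off ap_port and has no hosts behind it. Returns how much
    of the traffic nevertheless reached the AP's port."""
    switch = ForwardingTable(capacity, list(range(1, host_ports + 1)) + [ap_port])
    # Constructed locally administered MACs, one per host
    macs = [f"02:00:00:{i >> 8:02x}:{i & 0xff:02x}:00" for i in range(num_hosts)]
    frames_to_ap = 0
    for _ in range(rounds):
        for i in range(num_hosts):
            src, dst = macs[i], macs[(i + 1) % num_hosts]
            egress = switch.forward(src, dst, 1 + i % host_ports)
            if ap_port in egress:
                frames_to_ap += 1
    return {
        "sent": num_hosts * rounds,
        "forwarded": switch.forwarded,
        "flooded": switch.flooded,
        "frames_to_ap": frames_to_ap,
    }


if __name__ == "__main__":
    # 100 hosts fit a 1024-entry table: only the very first lookups flood.
    print("fits:      ", simulate(100, 1024, 3))
    # 2700 hosts behind a 1024-entry table: every frame is flooded, in every round.
    print("overflows: ", simulate(2700, 1024, 3))
```

With the table large enough, flooding happens only until each destination has been learned (99 of 300 frames in the first run); with 2700 active addresses and 1024 slots, every one of the 8100 frames is flooded and all of them land on the AP's port, exactly the symptom of a busy ether1 on an AP with no clients. Re-running the simulation from scratch is the equivalent of a reboot and gives the same result, which is why restarting the switches would not help. Splitting the hosts into several L2 domains is the same as calling `simulate()` with a `num_hosts` that fits the capacity.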
Probably stupid question since I don’t know the layout of your network, could it be someone connected a wire to ether1?
Not sure where you keep this equipment, but while I was in rehabilitation we had very bad wifi reception, so I looked around and found one of the switches open; you could use 10 meters of cable and connect your laptop directly to it, there was no cover of any sort on it as protection. I assume it’s not the case with your AP.