Who is downloading what?

We are running on wireless internet here and our quota basically disappears every month while hardly using the internet. I would like to answer 2 questions: what device or devices are using all this quota, and what are they connecting to? Is it Windows updates, is it Facebook, etc.? I have followed online guides to enable NetFlow on the MikroTik and forward it to nprobe/ntop running on an Ubuntu VM. I have it all running but there are several problems.

  1. Amount of downloads shown against hosts is simply not accurate. I can download 100MB from my PC and it still says my traffic was 5MB.
  2. Traffic for a device resets if the device is idle for a certain time. So the download it is showing is for only a short period of time (this is not the cause of problem 1). Is there a setting to stop this happening?
  3. Total received traffic shows 3GB where our service provider shows 5.8GB used
  4. Sent vs received traffic is not accurate. For many devices it shows 100% received, 0% sent

In RouterOS I have the following settings under “IP->Traffic Flow” (everything is default except the interface)
Enabled - ticked
Interface - lte (this is the USB dongle from the service provider)
Cache Entries - 16k
Active Flow timeout - 00:30:00
Inactive Flow timeout - 00:00:15
Everything else ticked

If I select the interface as ether1 then I get no stats in ntop at all.

Setup is:
RouterOS v6.39.2 (stable)
Board is: 912UAG-2HPnD
Wifi on the mikrotik is disabled and using 2 ubiquiti access points
USB 4G dongle for WAN is E3372 using optus network in Australia
Pretty much everything on the router as default, only minimal setup done to get the dongle to work and dhcp, nat etc.

Check if you have disabled FastPath, which is on by default on some devices.

Thanks Normis, should it be disabled or enabled? I presume you are saying it should be disabled?

Can you post your config? Maybe there is some other issue.

Mobile service providers often have quite creative ways of counting traffic…

  • received and transmitted are added together
  • there is some fixed increment (like 1MB) counted in a certain time interval even when there is only a single packet
  • incoming traffic to the IP address may be counted even when you did not ask for it
    (When you are behind NAT at the provider this does not apply. When you have a public IP though, be very wary
    of this. The continuous portscans on the internet may be adding up to your traffic.)

This is a very good point. Could you probably be a victim of a DNS amplification attack?
Check if you have enabled remote requests for DNS and if udp/53 might be open on your WAN-facing interface.
-Chris

Thanks guys, I am behind service provider NAT. I have disabled FastPath as suggested by Normis and it appears I am getting closer to accurate results. The total traffic is actually starting to look at least reasonable. I am getting a reasonable ratio of send/receive. The lack of traffic I mentioned when downloading something from my PC I think is due to delays. Maybe NetFlow doesn’t forward the data on immediately? I have discovered my 3 Chromecasts have used about 500MB traffic each in 2 days updating the background pic from Google Photos! They show a new pic every 60 seconds or so and were doing this all day every day (4000 high res images a day basically). It sounds obvious but when setting them up I just didn’t think about bandwidth usage. I’m still not getting completely accurate results but I have definitely achieved some of what I was hoping to do. Stats for hosts still reset when they go to sleep but I think that is due to ntop. Would anyone happen to know if there is a setting to stop this happening? I tried toggling a few things but nothing helped. I am going to try a Windows-based NetFlow collector and see what results I get there.
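
Added example, not part of the original thread: a Python collector-side accumulator that keeps cumulative sent/received totals per LAN host across NetFlow exports, so a host's counters persist after it goes idle and its flows expire. It assumes the router exports NetFlow v5, that records carry LAN addresses, and a LAN subnet of 192.168.88.0/24; the sample datagrams and `make_datagram` helper are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

HDR = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
REC = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record
LAN = ipaddress.ip_network("192.168.88.0/24")  # assumption: LAN subnet

def parse_v5(datagram):
    """Yield (src, dst, octets) for each flow record in one export datagram."""
    version, count, *_ = HDR.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(datagram) < HDR.size + count * REC.size:
        raise ValueError("truncated datagram")
    for i in range(count):
        f = REC.unpack_from(datagram, HDR.size + i * REC.size)
        # f[0]=srcaddr, f[1]=dstaddr, f[6]=dOctets (bytes in this flow)
        yield ipaddress.ip_address(f[0]), ipaddress.ip_address(f[1]), f[6]

def account(datagrams, totals=None):
    """Add every record to running per-host totals; nothing is reset on idle."""
    if totals is None:
        totals = defaultdict(lambda: {"sent": 0, "received": 0})
    for d in datagrams:
        for src, dst, octets in parse_v5(d):
            if src in LAN:
                totals[str(src)]["sent"] += octets
            if dst in LAN:
                totals[str(dst)]["received"] += octets
    return totals

def make_datagram(flows):
    """Build a constructed v5 datagram from (src, dst, octets) tuples."""
    body = b"".join(
        REC.pack(int(ipaddress.ip_address(s)), int(ipaddress.ip_address(d)),
                 0, 1, 2, 1, n, 0, 0, 443, 50000, 0, 0, 6, 0, 0, 0, 0, 0, 0)
        for s, d, n in flows)
    return HDR.pack(5, len(flows), 0, 0, 0, 0, 0, 0, 0) + body

# Constructed sample: one host's download arrives as two separate exports,
# the second after the host was idle and its earlier flows had expired.
SAMPLE = [
    make_datagram([("203.0.113.5", "192.168.88.10", 60_000_000),
                   ("192.168.88.10", "203.0.113.5", 1_200_000)]),
    make_datagram([("203.0.113.5", "192.168.88.10", 40_000_000),
                   ("198.51.100.7", "192.168.88.20", 500_000)]),
]

if __name__ == "__main__":
    for host, t in sorted(account(SAMPLE).items()):
        print(f"{host:15} sent={t['sent']:>12,} received={t['received']:>12,}")
```
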

Is this background reload happening even when you define a static background picture from the default set?
That kind of thing indeed can waste a lot of bandwidth, I also know this from Windows where people run a slideshow
on their desktop and it wastes bandwidth even when they do not see it at all.
Try to discourage people from making such settings, but of course it can be difficult.

I have found this is a known bug with ChromeCast. I call it a bug because there is an option to turn the background off but it does not work. It simply switches to some default full HD images supplied by Google. Amazingly you can’t set it to a static image or change the time between image changes. The only thing people have been able to do is create an album with 2 very low res images. If you don’t have 2 it starts cycling through the default images again. This has been reported since 2015 and probably earlier. It’s amazingly short-sighted on Google’s part. I tried some firewall rules but the ChromeCast complained it didn’t have internet and refused to work.

Edit: I found you can change the time but you can only slow it to half. I’ve just set it to display a pair of 1x1 pixel images of different colours

As a side note one of the things I find annoying with most apps/OS these days is you can’t set wifi as being expensive but you can with mobile data. I’m back to front as I would prefer everything to use the data my work provides me. This often goes unused.

Sorry I had misinterpreted your reference to ChromeCast as ChromeBook as I had been struggling with my chromebook earlier on that day.
The background picture is static by default on that. But indeed, on ChromeCast it is a photo slideshow. Bummer.