Community discussions

MUM Europe 2020
 
geebs
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Jan 04, 2005 3:22 am
Location: Melbourne, Australia.

eth. protocol 8864 (pppoe) hitting physical interface

Tue Nov 06, 2012 12:25 am

Hello,

We run a large wireless network which connects back to an rb1200 terminating pppoe sessions.
Basically all clients have a router (in many cases a mikrotik routerboard), and they connect via pppoe.
Radios connect to ETH1 and then we run pppoe interface on that, this is standard across the board.
Radios used are pretty much the default settings, they range from Ubiquitis, Skypilots and Motorolas.

Recently, we've noticed some strange large continuous traffic spikes being broadcast around the network, hitting certain parts of the wireless network, not isolated to any particular parts, just random.
These traffic spikes saturate the client links but they do not hit the pppoe client interface, they hit the physical interface only.
I'm scratching my head on this one, I'm sure it's something simple I've missed, I'd appreciate if anyone could give me some clues as to what this can be.

Attached is a screen shot of a client affected router, you can see that traffic hitting the physical connected interface ETH1, but not the pppoe interface.
Capture.GIF
thanks.
You do not have the required permissions to view the files attached to this post.
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 5:02 am

Does anybody found an answer to this issue? We are experiencing exactly the same...

Regards

J. Boardman
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 6:59 pm

Anyone?

Regards

J. Boardman
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 7:09 pm

Can you grab some of the traffic to a pcap file?
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 7:43 pm

It's going to be complicated but I'll try.

JB
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 7:54 pm

complicated? just run Packet Sniffer on necessary interface with saving to file :)
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 8:03 pm

complicated? just run Packet Sniffer on necessary interface with saving to file :)
Oh, not technically complicated, what is complicated is this network segment is inside Mexico's customs building, in a very sensitive area, what's complicated is to obtain all the necessary permits to access the premises.

Regards

J. Boardman
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 8:05 pm

complicated? just run Packet Sniffer on necessary interface with saving to file :)
Oh, not technically complicated, what is complicated is this network segment is inside Mexico's customs building, in a very sensitive area, what's complicated is to obtain all the necessary permits to access the premises.

Regards

J. Boardman

Mmhh!! Damn.

You mean with the routerboard itself, sorry it's Saturday... I'll get in a few minutes.

Jorge
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 8:34 pm

Can you grab some of the traffic to a pcap file?
Here is a Packet Sniffer file pcap_all.zip with all MAC protocol filter disabled on ether1


pcap_pppoe_disc.zip is a a Packet Sniffer file with all MAC protocol filter enabled except pppoe-discovery on ether1

pcap_pppoe_sess.zip is a a Packet Sniffer file with all MAC protocol filter enabled except pppoe-session on ether1

I manually added .zip extensions, please remove it first, forum won't let me upload with different extensions but the files are exactly as they were downloaded from the Routerboard.


Thanks for the help

J. Boardman
You do not have the required permissions to view the files attached to this post.
 
CelticComms
Forum Guru
Forum Guru
Posts: 1766
Joined: Wed May 02, 2012 5:48 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat Mar 02, 2013 9:46 pm

Little PPPoE discovery traffic. PPPoE session traffic dominated by exchanges involving a Dell, Fortinet and TP-Link device. Does that make sense? Use my email if easier to explain situation.
Interlynx | Networking and Information Security Consultants & Trainers | Email: routerlynx@gmail.com
BGP | EIGRP | OSPF | MPLS | Firewall | VPN | IPsec | Multicast | QOS | IPv4/6 | STP | VLAN | PON | AE | M2M | and more!

 
geebs
Frequent Visitor
Frequent Visitor
Topic Author
Posts: 88
Joined: Tue Jan 04, 2005 3:22 am
Location: Melbourne, Australia.

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sun Mar 03, 2013 2:07 am

I should have reported what we found.

It was a rogue router on the network generating that traffic.
When we disconnected it, the traffic disappeared.
From memory it was a D-link, apparently a firmware upgrade fixed the issue.

Sorry to be so vague, that's all I really recall.
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sun Mar 03, 2013 8:21 pm

Little PPPoE discovery traffic. PPPoE session traffic dominated by exchanges involving a Dell, Fortinet and TP-Link device. Does that make sense? Use my email if easier to explain situation.
Hi, thanks for offering your help,

Yes I, somehow found what you are mentioning, a Dell, a Fortinet and TP-Link device, yesterday we were able to identify the Fortinet and the TP-Link, so we disconnected those two customers and the traffic went down a lot, not quite to zero (still the Dell that we haven’t found yet) but quite lot less, any idea how can I block those?

Or do you believe there’s something wrong with those devices? Poor configuration?, defectives? What can I tell the customers in order to point them in the right direction to get their stuff fixed…

Thanks a lot.

Jorge E. Boardman
 
boardman
Member Candidate
Member Candidate
Posts: 260
Joined: Fri May 28, 2004 11:10 pm
Location: Mexico
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sun Mar 03, 2013 8:23 pm

I should have reported what we found.

It was a rogue router on the network generating that traffic.
When we disconnected it, the traffic disappeared.
From memory it was a D-link, apparently a firmware upgrade fixed the issue.

Sorry to be so vague, that's all I really recall.
Thanks a lot for the help, what is a rogue router?

Hi, thanks for offering your help,

Somehow we found what you are mentioning, a Dell, a Fortinet and TP-Link devices, so we disconnected those customers and the traffic went down,

Thanks a lot.

Jorge E. Boardman
 
markos808
just joined
Posts: 1
Joined: Fri Mar 20, 2015 12:34 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Fri Mar 20, 2015 12:52 am

i have the same problem here :) but i didnt find any rogue router on the network any suggestion ?
 
Afidz
just joined
Posts: 3
Joined: Wed May 20, 2015 11:14 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Wed May 20, 2015 11:24 am

i have the same problem, can somebody help me ?
You do not have the required permissions to view the files attached to this post.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Wed May 20, 2015 2:23 pm

i have the same problem, can somebody help me ?
your pppoe client receives 5 Mbps of traffic - use Torch on it, not on ether1
also, 5 Mbps on pppoe-out1 = 3 Mbps on ether2 + 2 Mbps on ether4. what's the problem?
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
soueidan
just joined
Posts: 7
Joined: Sun Nov 25, 2012 9:49 pm

Re: eth. protocol 8864 (pppoe) hitting physical interface

Sat May 23, 2015 8:50 pm

Having exactly the same problem with no solution!! I've searched everywhere, can someone explain what is this ?

Having 2 sxt both set to AP bridge mode, however, one receives such traffic (8864) on ethernet and Trasmits them through WLAN, and the other one receives the traffic without transmitting them to WLAN!

What could be wrong ? I've searched everything, and both having the same configuration!

Please help!
 
Afidz
just joined
Posts: 3
Joined: Wed May 20, 2015 11:14 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Thu May 28, 2015 7:34 am

sorry I was wrong upload files, i should upload this file..
You do not have the required permissions to view the files attached to this post.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Thu May 28, 2015 9:03 pm

sorry I was wrong upload files, i should upload this file..
Anyway,
your pppoe client receives 5 Mbps of traffic - use Torch on it, not on ether1
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
Afidz
just joined
Posts: 3
Joined: Wed May 20, 2015 11:14 am

Re: eth. protocol 8864 (pppoe) hitting physical interface

Fri May 29, 2015 10:43 am

I've torch on pppoe interface, or interfaces eth1, but eth. 8864 protocol (pppoe) is still visible when I torch interface pppoe or ether1.
whether it occurs because the broadcast pppoe?
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Fri May 29, 2015 5:26 pm

I've torch on pppoe interface, or interfaces eth1, but eth. 8864 protocol (pppoe) is still visible when I torch interface pppoe or ether1.
whether it occurs because the broadcast pppoe?
it's because you have traffic on pppoe interface. that traffic is encapsulated in 8864 protocol (pppoe) and is visible on ethernet interface. so if you see traffic on pppoe and no traffic on LAN - seems like your router is used as proxy or for amplification attack. Torch on pppoe interface will show exact traffic
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.
 
santoshk
just joined
Posts: 5
Joined: Tue Jul 22, 2014 4:34 pm

Re: eth. protocol 8864 (pppoe) hitting physical interface

Thu Jan 11, 2018 1:00 pm

Hi
we face same problem here.i am running pppoe server on mikrotik router when i check ap device interface port by tourch so i received unused traffic.kindly provide solution ...
You do not have the required permissions to view the files attached to this post.
 
User avatar
Chupaka
Forum Guru
Forum Guru
Posts: 8346
Joined: Mon Jun 19, 2006 11:15 pm
Location: Minsk, Belarus
Contact:

Re: eth. protocol 8864 (pppoe) hitting physical interface

Thu Jan 11, 2018 1:25 pm

Please move your "Torch" window a bit down - I cannot switch to "Interface List" window for some reason
Russian-speaking forum: https://forum.mikrotik.by/. Welcome!

For every complex problem, there is a solution that is simple, neat, and wrong.

MikroTik. Your life. Your routing.

Who is online

Users browsing this forum: johnwilliam00, lweidig, marek263, rioven and 61 guests