Yekver
just joined
Topic Author
Posts: 17
Joined: Fri Jan 31, 2014 9:47 pm

Mysterious traffic on wlan interface

Sat Jan 16, 2016 12:57 pm

I've got really strange traffic on my LocalAP wlan1-gateway interface. I was using the MikroTik wireless sniffer and Wireshark to sniff traffic and got a lot of broadcast packets.
This traffic exists even if the ether1-local interface is disabled! And I've got no idea what happened at 4 a.m. in the morning and led to the hop on the graph.

[Traffic graphs: wlan1-gateway (LocalAP) and ether1-local (LocalAP)]

Topology:
RemoteAP <------ wi-fi bridge ----> LocalAP <----> switch <----> wired clients & some cAP 2n
Sniffing results: https://yadi.sk/i/aPCPuf7gn5BoD

RemoteAP config (not full):
/interface bridge
add mtu=1500 name=bridge1 protocol-mode=none
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n country=russia disabled=no frequency=5650 frequency-mode=superchannel \
    guard-interval=long ht-supported-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 \
    hw-protection-mode=rts-cts hw-retries=15 mode=bridge name=wlan1-gateway nv2-cell-radius=10 nv2-preshared-key=xxx \
    nv2-security=enabled radio-name=RemoteAP scan-list=default,5630-5670 ssid=netx tx-power=14 tx-power-mode=\
    card-rates wireless-protocol=nv2
/queue type
set 1 pfifo-limit=500
set 2 kind=pfifo pfifo-limit=500
/interface bridge port
add bridge=bridge1 interface=wlan1-gateway
add bridge=bridge1 interface=ether1-local
/ip address
add address=192.168.87.1/24 comment=LAN interface=bridge1 network=192.168.87.0

LocalAP config (not full):
/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce country=russia disabled=no frequency=5650 frequency-mode=superchannel guard-interval=long \
    ht-supported-mcs=mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15 hw-protection-mode=rts-cts hw-retries=15 \
    mode=station-bridge name=wlan1-gateway nv2-preshared-key=xxx nv2-security=enabled radio-name=LocalAP scan-list=5630-5670,default ssid=netx \
    tx-power=13 tx-power-mode=card-rates wireless-protocol=nv2
/interface vlan
add interface=ether1-local l2mtu=1594 name=vlan47 vlan-id=47
add interface=ether1-local l2mtu=1594 name=vlan101 vlan-id=101
/queue type
set 1 pfifo-limit=500
set 2 kind=pfifo pfifo-limit=500
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related
add action=drop chain=input dst-address=192.168.47.1 protocol=tcp src-address=192.168.47.0/24
add action=drop chain=input comment="default configuration" connection-state=invalid
add action=fasttrack-connection chain=forward comment="default configuration" connection-state=established,related
add chain=forward comment="default configuration" connection-state=established,related
add action=drop chain=forward comment="default configuration" connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=wlan1-gateway
/ip route
add distance=1 gateway=130.20.17.1
/ip address
add address=192.168.88.1/24 comment="Admin LAN" interface=ether1-local network=192.168.88.0
add address=192.168.87.2/24 comment="Bridge LAN" interface=wlan1-gateway network=192.168.87.0
add address=130.20.17.17/24 comment=WAN interface=wlan1-gateway network=185.92.147.0
add address=192.168.101.1/24 comment="Home LAN" interface=vlan101 network=192.168.101.0
add address=192.168.47.1/24 comment="Guest LAN" interface=vlan47 network=192.168.47.0
 
Van9018
Long time Member
Posts: 515
Joined: Mon Jun 16, 2014 6:26 pm
Location: Canada - Abbotsford

Re: Mysterious traffic on wlan interface

Mon Jan 18, 2016 1:05 am

Repost the pcap file. Your link says file not found.
 
Yekver
just joined
Topic Author
Posts: 17
Joined: Fri Jan 31, 2014 9:47 pm

Re: Mysterious traffic on wlan interface

Mon Jan 18, 2016 1:09 am

I found that the problem was an extensive DNS flood. So I blocked port 53 for UDP & TCP connections. And this works for me!
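
An added example (not part of the original posts): a short Python triage of a capture export that counts DNS queries reaching the LocalAP WAN address from non-local peers and the bytes the router sent back to them. The CSV column layout and the sample rows are constructed for illustration; the router address and LAN subnets are taken from the LocalAP config above.

```python
import ipaddress
from collections import defaultdict

# Addresses taken from the LocalAP config in the post.
ROUTER_WAN = ipaddress.ip_address("130.20.17.17")
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "192.168.87.0/24", "192.168.88.0/24", "192.168.101.0/24", "192.168.47.0/24")]

# Constructed sample rows: src,dst,src_port,dst_port,frame_len
# (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, not real hosts).
SAMPLE = """\
203.0.113.9,130.20.17.17,40111,53,72
130.20.17.17,203.0.113.9,53,40111,1480
203.0.113.9,130.20.17.17,40112,53,72
130.20.17.17,203.0.113.9,53,40112,1480
198.51.100.4,130.20.17.17,33000,53,70
192.168.101.20,192.168.101.1,51000,53,74
192.168.101.1,192.168.101.20,53,51000,120
"""

def is_local(addr):
    return any(addr in net for net in LOCAL_NETS)

def resolver_abuse(rows):
    """Per external peer: DNS queries received on the WAN address and bytes sent back."""
    stats = defaultdict(lambda: {"queries": 0, "query_bytes": 0, "reply_bytes": 0})
    for line in rows.strip().splitlines():
        src, dst, sport, dport, length = line.split(",")
        src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        sport, dport, length = int(sport), int(dport), int(length)
        if dport == 53 and dst == ROUTER_WAN and not is_local(src):
            stats[str(src)]["queries"] += 1
            stats[str(src)]["query_bytes"] += length
        elif sport == 53 and src == ROUTER_WAN and not is_local(dst):
            stats[str(dst)]["reply_bytes"] += length
    return dict(stats)

def answered_peers(stats):
    """Peers the router actually answered, with reply/query byte ratio (amplification)."""
    return {peer: round(s["reply_bytes"] / s["query_bytes"], 1)
            for peer, s in stats.items() if s["reply_bytes"] and s["query_bytes"]}

if __name__ == "__main__":
    stats = resolver_abuse(SAMPLE)
    for peer, ratio in answered_peers(stats).items():
        print(f"{peer}: {stats[peer]['queries']} queries, amplification x{ratio}")
```

A peer that shows up in `answered_peers` means the router's DNS service is replying to the WAN side; peers with queries but no reply bytes are already being dropped before the resolver answers.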
 
p3rad0x
Long time Member
Posts: 603
Joined: Fri Sep 18, 2015 5:42 pm
Location: South Africa
Contact:

Re: Mysterious traffic on wlan interface

Mon Jan 18, 2016 3:28 pm

Hi,

Disabling allow remote requests should also solve this issue
There you go then you touched something ;-) : it only takes a change in wind direction to screw with your nat :-)
 
ZeroByte
Forum Guru
Posts: 4051
Joined: Wed May 11, 2011 6:08 pm

Re: Mysterious traffic on wlan interface

Mon Jan 18, 2016 5:07 pm

> Hi,
>
> Disabling allow remote requests should also solve this issue
True, but if someone is making use of the router's DNS proxy, then simply turning this off will break their network until they change the assigned DNS server in DHCP.

Of course then the client devices will all need to either renew their leases, or else disconnect/reconnect on the network in order to learn the new settings, or else they will need to change DNS in DHCP, and wait for all leases to expire before disabling the DNS proxy.
When given a spoon,
you should not cling to your fork.
The soup will get cold.
