I have no idea, but I'm still improving my MT troubleshooting ability, so if
you make a read-only account I'd be willing to log in and take a look.

On Tue, Jun 13, 2017 at 3:40 PM, Steve Jones <[email protected]>
wrote:

> I don't know if this is normal to see or what. I can't figure it out.
> We have sites that are all isolated by MikroTiks and use OSPF between them.
>
> What I'm seeing is stuff like site A having a customer on 1.2.3.4 at both
> sites A and B I'm seeing conversations between 1.2.3.4 from site A and
> 192.168.2.1 at site B. Site B does not have the 192.168.2 subnet even
> present. When I put an IP in that subnet on site B MikroTik I see a MAC
> matching that IP, it is also present for an actual customer, we will say
> 5.6.7.8
>
> I'm wondering if there isn't some form of tunnel between these two
> customers isolated by multiple routers that is leaking internal traffic out
> or something of that nature. I'm currently dropping that traffic now, I
> should have been from the get go, but what I don't understand is how, with
> no routes or subnets present this communication is even happening.
>
> Scared me assumes the CIA hacked all my MikroTiks, then hijacked customer
> routers and are somehow using my network to mine bitcoin to fund black site
> operations. Reality tells me it's misconfiguration somewhere on my part.
>
> Any ideas?
>
