It may be something like a default route is being used for that traffic due
to an upstream router that normally handles the default route not
forwarding such traffic that was destined to RFC1918 space. A traceroute to
the "weird" IP from other routers would help to indicate that.

On Tue, Jun 13, 2017 at 9:14 PM, Steve Jones <[email protected]>
wrote:

> yep, but those subnets aren't present on the network, first step on
> installation of a new mikrotik is default, remove config. There's no routes
> in the tables to these subnets, and other than when I toss it on for
> testing those subnets don't exist anywhere in the network
>
>
> On Tue, Jun 13, 2017 at 8:32 PM, [email protected] <
> [email protected]> wrote:
>
>> Are you redistributing connected and/or static routes by chance?
>>
>> On Tue, Jun 13, 2017 at 4:40 PM, Steve Jones <[email protected]>
>> wrote:
>>
>>> I don't know if this is normal to see or what. I can't figure it out
>>> We have sites that are all isolated by mikrotiks and use ospf between
>>> them
>>>
>>> what I'm seeing is stuff like site A having a customer on 1.2.3.4 at
>>> both sites A and B I'm seeing conversations between 1.2.3.4 from site A and
>>> 192.168.2.1 at site B. Site B does not have the 192.168.2 subnet even
>>> present. When I put an IP in that subnet on site B mikrotik I see a MAC
>>> matching that IP, it is also present for an actual customer, we will say
>>> 5.6.7.8
>>>
>>> I'm wondering if there isn't some form of tunnel between these two
>>> customers isolated by multiple routers that is leaking internal traffic out
>>> or something of that nature. I'm currently dropping that traffic now, I
>>> should have been from the get go, but what I don't understand is how, with
>>> no routes or subnets present this communication is even happening.
>>>
>>> Scared me assumes the CIA hacked all my mikrotiks, then hijacked
>>> customer routers and are somehow using my network to mine bitcoin to fund
>>> black site operations. Reality tells me it's misconfiguration somewhere on
>>> my part
>>>
>>> any ideas?
>>>
>>
>>
>
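
The default-route explanation suggested at the top of this thread can be checked with a longest-prefix-match lookup. The following is an added example, not code from any participant in the thread. The route table, next hops and function names are constructed for illustration; only 192.168.2.1 comes from the original post.

```python
import ipaddress

# RFC 1918 private ranges.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def lookup(routes, dst):
    """Longest-prefix match: return (network, next_hop) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, next_hop in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best

def is_rfc1918(dst):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in RFC1918)

def classify(routes, dst):
    """Return 'leak-via-default', 'routed' or 'no-route' for one destination."""
    match = lookup(routes, dst)
    if match is None:
        return "no-route"
    # A private destination that only matches 0.0.0.0/0 is forwarded upstream
    # even though the subnet exists nowhere in the local tables.
    if is_rfc1918(dst) and match[0].prefixlen == 0:
        return "leak-via-default"
    return "routed"

def blackholed(routes):
    """Same table with discard routes covering RFC 1918 space added."""
    return routes + [(str(n), "blackhole") for n in RFC1918]

# Constructed route table for a hypothetical site router: one connected
# customer subnet plus a default route (documentation address ranges).
SITE_B_ROUTES = [
    ("0.0.0.0/0", "198.51.100.1"),
    ("203.0.113.0/24", "connected"),
]

if __name__ == "__main__":
    for dst in ("192.168.2.1", "203.0.113.7"):
        print(dst, classify(SITE_B_ROUTES, dst), lookup(SITE_B_ROUTES, dst))
    print(lookup(blackholed(SITE_B_ROUTES), "192.168.2.1"))
```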
