Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-19 Thread Ty Featherling 
Cassidy deduced the MAC earlier in the thread. I found that thread in the
switch table to determine which AP it was. I confirmed it was found in the
bridge table of the AP on the WLAN0 interface. From there there isn't an
easy way to trace it to a single radio. I used to log into each radio and
check its bridge table for the MAC but now I run a script to dump all of
the bridge tables to all the radios and grep for the offending mac. Led me
right to the right IP address.

-Ty



-Ty

On Fri, Feb 19, 2016 at 8:29 PM, Sterling Jacobson <sterl...@avative.net>
wrote:

> How did you trace that to the customer/port?
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Ty Featherling
> *Sent:* Friday, February 19, 2016 7:05 PM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv6 traffic to ff02::1:2
>
>
>
> Forgot to update: had the customer reboot his router and the traffic
> disappeared. Watching it carefully for a return but good for 24 hrs so far.
>
> -Ty
>
> On Feb 18, 2016 2:33 PM, "David" <dmilho...@wletc.com> wrote:
>
> I like this guy!
>
> On 02/18/2016 12:21 PM, Chris Wright wrote:
>
> It just really, REALLY wants everyone to know it exists. Cute little thing.
>
>
>
> Set it on fire.
>
>
>
> Chris Wright
>
> Network Administrator
>
> Velociter Wireless
>
> 209-838-1221 x115
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Ty Featherling
> *Sent:* Thursday, February 18, 2016 10:08 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv6 traffic to ff02::1:2
>
>
>
> Found the offending customer and looking at their radio I can see the
> actual traffic is about 5Mbps worth but the traffic shaping knocks it down
> to 1.5 before it reaches our network. Makes me think this is more like a
> malfunctioning router than a feature.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
>
> 1 layer 2 network per tower. All APs and CPE bridged to that one broadcast
> domain.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com>
> wrote:
>
> How big is your layer2 network?  Ideally, with multicast, your switch
> should only be sending it to the hosts that subscribe to that multicast IP.
>
>
>
> > On Feb 17, 2016, at 10:54 AM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
> >
> > So it's DHCPv6 discovery? Why the hell so much traffic then? If I can
> find the source radio I will definitely turn off multicast. Good idea.
> >
>
>
>
>
>
>
>
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-19 Thread Sterling Jacobson 
How did you trace that to the customer/port?

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Friday, February 19, 2016 7:05 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2


Forgot to update: had the customer reboot his router and the traffic 
disappeared. Watching it carefully for a return but good for 24 hrs so far.

-Ty
On Feb 18, 2016 2:33 PM, "David" 
<dmilho...@wletc.com<mailto:dmilho...@wletc.com>> wrote:
I like this guy!

On 02/18/2016 12:21 PM, Chris Wright wrote:
It just really, REALLY wants everyone to know it exists. Cute little thing.

Set it on fire.

Chris Wright
Network Administrator
Velociter Wireless
209-838-1221 x115

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Thursday, February 18, 2016 10:08 AM
To: af@afmug.com<mailto:af@afmug.com>
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2

Found the offending customer and looking at their radio I can see the actual 
traffic is about 5Mbps worth but the traffic shaping knocks it down to 1.5 
before it reaches our network. Makes me think this is more like a 
malfunctioning router than a feature.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling 
<tyfeatherl...@gmail.com<mailto:tyfeatherl...@gmail.com>> wrote:
1 layer 2 network per tower. All APs and CPE bridged to that one broadcast 
domain.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson 
<c...@infowest.com<mailto:c...@infowest.com>> wrote:
How big is your layer2 network?  Ideally, with multicast, your switch should 
only be sending it to the hosts that subscribe to that multicast IP.


> On Feb 17, 2016, at 10:54 AM, Ty Featherling 
> <tyfeatherl...@gmail.com<mailto:tyfeatherl...@gmail.com>> wrote:
>
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find 
> the source radio I will definitely turn off multicast. Good idea.
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-19 Thread Ty Featherling 
Forgot to update: had the customer reboot his router and the traffic
disappeared. Watching it carefully for a return but good for 24 hrs so far.

-Ty
On Feb 18, 2016 2:33 PM, "David" <dmilho...@wletc.com> wrote:

> I like this guy!
>
>
> On 02/18/2016 12:21 PM, Chris Wright wrote:
>
> It just really, REALLY wants everyone to know it exists. Cute little thing.
>
>
>
> Set it on fire.
>
>
>
> Chris Wright
>
> Network Administrator
>
> Velociter Wireless
>
> 209-838-1221 x115
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com <af-boun...@afmug.com>] *On
> Behalf Of *Ty Featherling
> *Sent:* Thursday, February 18, 2016 10:08 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv6 traffic to ff02::1:2
>
>
>
> Found the offending customer and looking at their radio I can see the
> actual traffic is about 5Mbps worth but the traffic shaping knocks it down
> to 1.5 before it reaches our network. Makes me think this is more like a
> malfunctioning router than a feature.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
>
> 1 layer 2 network per tower. All APs and CPE bridged to that one broadcast
> domain.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com>
> wrote:
>
> How big is your layer2 network?  Ideally, with multicast, your switch
> should only be sending it to the hosts that subscribe to that multicast IP.
>
>
>
> > On Feb 17, 2016, at 10:54 AM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
> >
> > So it's DHCPv6 discovery? Why the hell so much traffic then? If I can
> find the source radio I will definitely turn off multicast. Good idea.
> >
>
>
>
>
>
>
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread David 

I like this guy!


On 02/18/2016 12:21 PM, Chris Wright wrote:


It just really, REALLY wants everyone to know it exists. Cute little 
thing.


Set it on fire.

Chris Wright

Network Administrator

Velociter Wireless

209-838-1221 x115

*From:*Af [mailto:af-boun...@afmug.com] *On Behalf Of *Ty Featherling
*Sent:* Thursday, February 18, 2016 10:08 AM
*To:* af@afmug.com
*Subject:* Re: [AFMUG] IPv6 traffic to ff02::1:2

Found the offending customer and looking at their radio I can see the 
actual traffic is about 5Mbps worth but the traffic shaping knocks it 
down to 1.5 before it reaches our network. Makes me think this is more 
like a malfunctioning router than a feature.


-Ty


-Ty

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling 
<tyfeatherl...@gmail.com <mailto:tyfeatherl...@gmail.com>> wrote:


1 layer 2 network per tower. All APs and CPE bridged to that one 
broadcast domain.


-Ty


-Ty

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com 
<mailto:c...@infowest.com>> wrote:


How big is your layer2 network?  Ideally, with multicast, your switch 
should only be sending it to the hosts that subscribe to that 
multicast IP.




> On Feb 17, 2016, at 10:54 AM, Ty Featherling 
<tyfeatherl...@gmail.com <mailto:tyfeatherl...@gmail.com>> wrote:

>
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I 
can find the source radio I will definitely turn off multicast. Good idea.

>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread Paul Stewart 
ROFL .. that’s awesome… 

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Chris Wright
Sent: Thursday, February 18, 2016 1:22 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2

 

It just really, REALLY wants everyone to know it exists. Cute little thing.

 

Set it on fire.

 

Chris Wright

Network Administrator

Velociter Wireless

209-838-1221 x115

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Thursday, February 18, 2016 10:08 AM
To: af@afmug.com <mailto:af@afmug.com> 
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2

 

Found the offending customer and looking at their radio I can see the actual 
traffic is about 5Mbps worth but the traffic shaping knocks it down to 1.5 
before it reaches our network. Makes me think this is more like a 
malfunctioning router than a feature.

 

-Ty




 

 

-Ty

 

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling <tyfeatherl...@gmail.com 
<mailto:tyfeatherl...@gmail.com> > wrote:

1 layer 2 network per tower. All APs and CPE bridged to that one broadcast 
domain. 

 

-Ty




 

 

-Ty

 

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com 
<mailto:c...@infowest.com> > wrote:

How big is your layer2 network?  Ideally, with multicast, your switch should 
only be sending it to the hosts that subscribe to that multicast IP.



> On Feb 17, 2016, at 10:54 AM, Ty Featherling <tyfeatherl...@gmail.com 
> <mailto:tyfeatherl...@gmail.com> > wrote:
>
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find 
> the source radio I will definitely turn off multicast. Good idea.
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread Paul Stewart 
Sounds about right ….. there’s a lot of shit routers on the market more than 
ever, especially with IPv6 stuff unfortunately …

 

We just finished an internal study of several different common household 
routers and how they handle IPv6 – was a disappointing set of results.  Anybody 
can say “IPv6 compatible” etc for marketing … we tested if they can actually 
function properly without breaking…  

 

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Thursday, February 18, 2016 1:08 PM
To: af@afmug.com
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2

 

Found the offending customer and looking at their radio I can see the actual 
traffic is about 5Mbps worth but the traffic shaping knocks it down to 1.5 
before it reaches our network. Makes me think this is more like a 
malfunctioning router than a feature.

 

-Ty




 

 

-Ty

 

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling <tyfeatherl...@gmail.com 
<mailto:tyfeatherl...@gmail.com> > wrote:

1 layer 2 network per tower. All APs and CPE bridged to that one broadcast 
domain. 

 

-Ty




 

 

-Ty

 

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com 
<mailto:c...@infowest.com> > wrote:

How big is your layer2 network?  Ideally, with multicast, your switch should 
only be sending it to the hosts that subscribe to that multicast IP.



> On Feb 17, 2016, at 10:54 AM, Ty Featherling <tyfeatherl...@gmail.com 
> <mailto:tyfeatherl...@gmail.com> > wrote:
>
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find 
> the source radio I will definitely turn off multicast. Good idea.
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread Ty Featherling 
Overachiever.

-Ty



-Ty

On Thu, Feb 18, 2016 at 12:21 PM, Chris Wright <ch...@velociter.net> wrote:

> It just really, REALLY wants everyone to know it exists. Cute little thing.
>
>
>
> Set it on fire.
>
>
>
> Chris Wright
>
> Network Administrator
>
> Velociter Wireless
>
> 209-838-1221 x115
>
>
>
> *From:* Af [mailto:af-boun...@afmug.com] *On Behalf Of *Ty Featherling
> *Sent:* Thursday, February 18, 2016 10:08 AM
> *To:* af@afmug.com
> *Subject:* Re: [AFMUG] IPv6 traffic to ff02::1:2
>
>
>
> Found the offending customer and looking at their radio I can see the
> actual traffic is about 5Mbps worth but the traffic shaping knocks it down
> to 1.5 before it reaches our network. Makes me think this is more like a
> malfunctioning router than a feature.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
>
> 1 layer 2 network per tower. All APs and CPE bridged to that one broadcast
> domain.
>
>
>
> -Ty
>
>
>
>
>
>
> -Ty
>
>
>
> On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson <c...@infowest.com>
> wrote:
>
> How big is your layer2 network?  Ideally, with multicast, your switch
> should only be sending it to the hosts that subscribe to that multicast IP.
>
>
>
> > On Feb 17, 2016, at 10:54 AM, Ty Featherling <tyfeatherl...@gmail.com>
> wrote:
> >
> > So it's DHCPv6 discovery? Why the hell so much traffic then? If I can
> find the source radio I will definitely turn off multicast. Good idea.
> >
>
>
>
>
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread Chris Wright 
It just really, REALLY wants everyone to know it exists. Cute little thing.

Set it on fire.

Chris Wright
Network Administrator
Velociter Wireless
209-838-1221 x115

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Thursday, February 18, 2016 10:08 AM
To: af@afmug.com
Subject: Re: [AFMUG] IPv6 traffic to ff02::1:2

Found the offending customer and looking at their radio I can see the actual 
traffic is about 5Mbps worth but the traffic shaping knocks it down to 1.5 
before it reaches our network. Makes me think this is more like a 
malfunctioning router than a feature.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling 
<tyfeatherl...@gmail.com<mailto:tyfeatherl...@gmail.com>> wrote:
1 layer 2 network per tower. All APs and CPE bridged to that one broadcast 
domain.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson 
<c...@infowest.com<mailto:c...@infowest.com>> wrote:
How big is your layer2 network?  Ideally, with multicast, your switch should 
only be sending it to the hosts that subscribe to that multicast IP.


> On Feb 17, 2016, at 10:54 AM, Ty Featherling 
> <tyfeatherl...@gmail.com<mailto:tyfeatherl...@gmail.com>> wrote:
>
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find 
> the source radio I will definitely turn off multicast. Good idea.
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-18 Thread Ty Featherling 
Found the offending customer and looking at their radio I can see the
actual traffic is about 5Mbps worth but the traffic shaping knocks it down
to 1.5 before it reaches our network. Makes me think this is more like a
malfunctioning router than a feature.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:43 PM, Ty Featherling 
wrote:

> 1 layer 2 network per tower. All APs and CPE bridged to that one broadcast
> domain.
>
> -Ty
>
>
>
> -Ty
>
> On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson 
> wrote:
>
>> How big is your layer2 network?  Ideally, with multicast, your switch
>> should only be sending it to the hosts that subscribe to that multicast IP.
>>
>>
>> > On Feb 17, 2016, at 10:54 AM, Ty Featherling 
>> wrote:
>> >
>> > So it's DHCPv6 discovery? Why the hell so much traffic then? If I can
>> find the source radio I will definitely turn off multicast. Good idea.
>> >
>>
>
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-17 Thread Ty Featherling 
1 layer 2 network per tower. All APs and CPE bridged to that one broadcast
domain.

-Ty



-Ty

On Wed, Feb 17, 2016 at 2:32 PM, Cassidy B. Larson  wrote:

> How big is your layer2 network?  Ideally, with multicast, your switch
> should only be sending it to the hosts that subscribe to that multicast IP.
>
>
> > On Feb 17, 2016, at 10:54 AM, Ty Featherling 
> wrote:
> >
> > So it's DHCPv6 discovery? Why the hell so much traffic then? If I can
> find the source radio I will definitely turn off multicast. Good idea.
> >
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-17 Thread Cassidy B. Larson 
How big is your layer2 network?  Ideally, with multicast, your switch should 
only be sending it to the hosts that subscribe to that multicast IP.


> On Feb 17, 2016, at 10:54 AM, Ty Featherling  wrote:
> 
> So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find 
> the source radio I will definitely turn off multicast. Good idea.
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-17 Thread Ty Featherling 
So it's DHCPv6 discovery? Why the hell so much traffic then? If I can find
the source radio I will definitely turn off multicast. Good idea.

-Ty



-Ty

On Wed, Feb 17, 2016 at 11:51 AM, Cassidy B. Larson 
wrote:

> Look for the mac: a813.430a.5950 I think. That’s the source MAC, assuming
> I flipped the right bit.  I know the last 8 are right at least.
>
> You could just turn off multicast on his radio or the AP, but his router
> is looking for a DHCP server and sending to that multicast address in
> question.
> If you turn off multicast IPv6 will fail to function as it relies on
> multicast to function.. no more broadcasts! :)
>
>
>
>
> > On Feb 17, 2016, at 10:46 AM, Ty Featherling 
> wrote:
> >
> > A few times now I have noticed all customers in a given broadcast domain
> all seeing download traffic at about 1.5Mbps. My gut reaction is broadcast
> traffic of some sort so I go to Torch on the Mikrotik router at that site.
> What I saw that first time is the same thing I have seen every time since
> and what is shown in the attached image. IPv6 traffic from some IPv6 host's
> link-local address to ff01::1:2 with a rate that matches the traffic I am
> seeing everywhere. I enable IPv6 on that router if it isn't already and
> just add a firewall rule that drops all IPv6 traffic since I am not running
> any on network at this time. But what is it?
> >
> >  It looked to me like an IPv6 broadcast address of some type so I
> googled it and found:
> >
> > FF02::1:2 All DHCPv6 agents (servers and relays) within the link-local
> scope
> >
> > This makes sense since I bet it is coming from a customer's router on
> that segment. Is this device malfunctioning, plugged in backwards, or what?
> How can I use the Mikrotik to narrow down where it it located? There isn't
> a mac-table for IPv6 that I can find.
> >
> > Anyone else seen this?
> >
> >
> > -Ty
> > 
>
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-17 Thread Cassidy B. Larson 
Look for the mac: a813.430a.5950 I think. That’s the source MAC, assuming I 
flipped the right bit.  I know the last 8 are right at least.

You could just turn off multicast on his radio or the AP, but his router is 
looking for a DHCP server and sending to that multicast address in question.
If you turn off multicast IPv6 will fail to function as it relies on multicast 
to function.. no more broadcasts! :)




> On Feb 17, 2016, at 10:46 AM, Ty Featherling  wrote:
> 
> A few times now I have noticed all customers in a given broadcast domain all 
> seeing download traffic at about 1.5Mbps. My gut reaction is broadcast 
> traffic of some sort so I go to Torch on the Mikrotik router at that site. 
> What I saw that first time is the same thing I have seen every time since and 
> what is shown in the attached image. IPv6 traffic from some IPv6 host's 
> link-local address to ff01::1:2 with a rate that matches the traffic I am 
> seeing everywhere. I enable IPv6 on that router if it isn't already and just 
> add a firewall rule that drops all IPv6 traffic since I am not running any on 
> network at this time. But what is it?
> 
>  It looked to me like an IPv6 broadcast address of some type so I googled it 
> and found:
> 
> FF02::1:2 All DHCPv6 agents (servers and relays) within the link-local scope
> 
> This makes sense since I bet it is coming from a customer's router on that 
> segment. Is this device malfunctioning, plugged in backwards, or what? How 
> can I use the Mikrotik to narrow down where it it located? There isn't a 
> mac-table for IPv6 that I can find.
> 
> Anyone else seen this?
> 
> 
> -Ty
>

Re: [AFMUG] IPv6 traffic to ff02::1:2

2016-02-17 Thread Sterling Jacobson 
Yes, I see it too.

Was wondering exactly what is going on and how to ‘trim’ the chatter down.

It’s about a meg of traffic on my system too.

Dennis? Any ideas?

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Ty Featherling
Sent: Wednesday, February 17, 2016 10:47 AM
To: af@afmug.com
Subject: [AFMUG] IPv6 traffic to ff02::1:2

A few times now I have noticed all customers in a given broadcast domain all 
seeing download traffic at about 1.5Mbps. My gut reaction is broadcast traffic 
of some sort so I go to Torch on the Mikrotik router at that site. What I saw 
that first time is the same thing I have seen every time since and what is 
shown in the attached image. IPv6 traffic from some IPv6 host's link-local 
address to ff01::1:2 with a rate that matches the traffic I am seeing 
everywhere. I enable IPv6 on that router if it isn't already and just add a 
firewall rule that drops all IPv6 traffic since I am not running any on network 
at this time. But what is it?

 It looked to me like an IPv6 broadcast address of some type so I googled it 
and found:

FF02::1:2 All DHCPv6 agents (servers and relays) within the link-local scope

This makes sense since I bet it is coming from a customer's router on that 
segment. Is this device malfunctioning, plugged in backwards, or what? How can 
I use the Mikrotik to narrow down where it it located? There isn't a mac-table 
for IPv6 that I can find.

Anyone else seen this?


-Ty