While working on our bandwidth monitoring system, we noticed a lot of strange traffic that had no apparent route through our system, but was coming across the wire between our core router and our NAT router. The traffic would be destined for addresses like '192.168.0.10', '192.168.4.5' and the like. I couldn't understand how this traffic was even getting this far across our network, as it is fully routed and none of these subnets are even in our routing tables. We do use 192.168.x.x addresses to give to our customers but they are from 192.168.33.0 to 192.168.255.0, and this traffic was definitely not destined for legitimate hosts on our network.
As we watched one IP address that was spewing this traffic, we looked it up and found out that it was actually sourced from the wireless connection at my home. The traffic was UDP packets of SNMP destined to a 192.168.4.x address (internal to our main office) and a 192.168.5.x address (internal at my wife's studio). After shutting down all of the PCs at home, she turned her laptop back on and the traffic started up again. Turns out that she had two Brother printer drivers for older printers that were mapped to TCP/IP ports. We used to have a VPN box at home to tie into those networks, but took it out about a year ago and now just have a Belkin router that does the NAT for the house. With the VPN gone, apparently the printer drivers were still sending out SNMP traffic with UDP and somehow that traffic was getting through our NAT router and going into our network. Once the printer drivers were deleted, the traffic stopped.

After we removed the filter for my IP, we started seeing all kinds of similar UDP traffic coming across the wire from many different customers, mostly intended for IP addresses on the 192.168.0.0 and 192.168.1.0 networks. So now I'm trying to figure out a way to block this traffic at the AP so that it doesn't consume backbone resources. I can only imagine how much of the traffic on our network is this kind of garbage.

There are a couple of catches here. We use StarOS APs, but connection tracking is turned off to save on CPU, so I don't think that I can do any of the standard firewalling on the APs. We do use Mikrotik routers in our NOC and a couple of spots where we have licensed links, but since StarOS is on our APs and our backhauls and also handles all of our OSPF routing, the traffic will go a long way before it gets blocked by anything.

My initial thought is that we could just set up a static route of 192.168.0.0/19 to 127.0.0.1 on each access point. Then that traffic basically goes to /dev/null.
Anyone else have any ideas on how to handle this?

Matt Larsen
vistabeam.com

--------------------------------------------------------------------------------
WISPA Wants You! Join today!
http://signup.wispa.org/
--------------------------------------------------------------------------------
WISPA Wireless List: [email protected]
Subscribe/Unsubscribe: http://lists.wispa.org/mailman/listinfo/wireless
Archives: http://lists.wispa.org/pipermail/wireless/
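An added example, not part of the original post and not StarOS or Mikrotik code: a small Python script that does the two checks a practitioner would want before deploying the blackhole route described above. It flags flows whose destination is RFC 1918 space with no entry in the routing table (the "stray" NAT-leaked traffic), tallies which destination /24s they hit, and verifies that a proposed blackhole prefix does not overlap any customer subnet. The flow records and the routing table are constructed for the example; the customer range (192.168.33.0/24 through 192.168.255.0/24) and the candidate prefix 192.168.0.0/19 are taken from the post, and 203.0.113.0/24 is a stand-in for the ISP's own public space.

```python
import ipaddress
from collections import Counter

# Customer assignments as stated in the post: 192.168.33.0/24 .. 192.168.255.0/24
CUSTOMER_NETS = [ipaddress.ip_network(f"192.168.{i}.0/24") for i in range(33, 256)]

# Constructed routing table: the customer /24s plus one public prefix
# (TEST-NET-3, a documentation range) standing in for the ISP's real space.
ROUTED = CUSTOMER_NETS + [ipaddress.ip_network("203.0.113.0/24")]

# RFC 1918 private ranges; checked explicitly rather than via is_private,
# which also covers documentation ranges such as 203.0.113.0/24.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records (src, dst, proto, dport) modelled on the post:
# SNMP (UDP/161) from customer hosts to private addresses that only ever
# existed on the customers' own LANs or former VPNs.
SAMPLE_FLOWS = [
    ("192.168.57.12", "192.168.4.5",  "udp", 161),  # stray, like the home printer driver
    ("192.168.57.12", "192.168.5.20", "udp", 161),  # stray
    ("192.168.101.3", "192.168.0.10", "udp", 161),  # stray
    ("192.168.101.3", "192.168.1.1",  "udp", 137),  # stray (NetBIOS name service)
    ("192.168.88.9",  "192.168.40.7", "udp", 161),  # legitimate: routed customer /24
    ("192.168.88.9",  "203.0.113.25", "tcp", 80),   # legitimate: routed public space
    ("192.168.120.4", "10.0.0.5",     "udp", 161),  # stray, and outside 192.168.0.0/19
]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in RFC1918)


def is_routed(addr, routed=ROUTED):
    ip = ipaddress.ip_address(str(addr))
    return any(ip in net for net in routed)


def is_stray(dst, routed=ROUTED):
    """Private destination with no route in our table: a NAT-leaked packet."""
    return is_rfc1918(dst) and not is_routed(dst, routed)


def stray_flows(flows, routed=ROUTED):
    """Stray flows grouped by source, to find which customers leak."""
    by_src = {}
    for src, dst, proto, dport in flows:
        if is_stray(dst, routed):
            by_src.setdefault(src, []).append((dst, proto, dport))
    return by_src


def stray_destination_nets(flows, routed=ROUTED, prefixlen=24):
    """Count stray traffic per destination /24, to see where a blackhole should aim."""
    counts = Counter()
    for _, dst, _, _ in flows:
        if is_stray(dst, routed):
            net = ipaddress.ip_network(f"{dst}/{prefixlen}", strict=False)
            counts[str(net)] += 1
    return counts


def blackhole_conflicts(prefix, customer_nets=CUSTOMER_NETS):
    """Customer subnets that overlap the proposed blackhole prefix.

    A more specific customer /24 would still win longest-match, but only on a
    router that carries that route; an overlapping blackhole on an AP that
    does not is a customer outage, so the prefix should sit beside customer
    space, never over it."""
    bh = ipaddress.ip_network(prefix)
    return [str(n) for n in customer_nets if n.overlaps(bh)]


def uncovered_strays(flows, prefix, routed=ROUTED):
    """Stray destinations the blackhole prefix would NOT catch."""
    bh = ipaddress.ip_network(prefix)
    return sorted({dst for _, dst, _, _ in flows
                   if is_stray(dst, routed) and ipaddress.ip_address(dst) not in bh})


if __name__ == "__main__":
    for src, leaks in stray_flows(SAMPLE_FLOWS).items():
        print(src, "->", leaks)
    print("stray destination /24s:", stray_destination_nets(SAMPLE_FLOWS).most_common())
    print("conflicts for 192.168.0.0/19:", blackhole_conflicts("192.168.0.0/19"))
    print("conflicts for 192.168.0.0/18:", blackhole_conflicts("192.168.0.0/18"))
    print("not caught by /19:", uncovered_strays(SAMPLE_FLOWS, "192.168.0.0/19"))
```

The /19 proposed in the post (192.168.0.0 through 192.168.31.255) produces no conflicts with a customer range that starts at 192.168.33.0, whereas widening it to a /18 would overlap 192.168.33.0/24 through 192.168.63.0/24; the script also shows that stray traffic to 10.0.0.0/8 or 172.16.0.0/12 destinations is not caught by a 192.168.0.0/19 route and would need its own entries.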
