jcremin

join:2009-12-22
Siren, WI
kudos:3

Very strange PPPoE traffic question

I'm seeing something very unusual at one of my towers.

First, I have a central PPPoE server at my main tower on my bridged network. There's a backhaul from this tower to another tower, which has 3 MT access points. All of the clients connecting to these AP's are using PPPoE, and none of their internal traffic is allowed onto my network.

Now for the strange part... There is ONE specific client on one of the AP's that whenever they have traffic on their connection, the same amount of traffic shows up on the ethernet ports of the other AP's. There are 9 other clients on the same AP as this one customer, yet none of their traffic behaves this way.

I tried doing a torch on the other ethernet ports, but the traffic didn't even show up there. Only thing I saw was my winbox traffic, and a few discovery requests floating around, which is to be expected since everything runs through the PPPoE tunnels.

I've searched through all the settings on the client, the AP, and the PPPoE server, and I can't find anything that looks out of place for this client. I just can't figure out why one client's traffic would be showing up, yet nobody else's is. Especially since I'm using a switch and not a hub, and since all the traffic should be tunneled anyway.

Has anyone else ever seen anything like this? Anything that I should be looking at which wouldn't be obvious? Doesn't seem to be causing any problems, but I also don't want it to be happening if it shouldn't.

OHSrob

join:2011-06-08
Try putting the offending client in router mode with NAT and do the PPPoE on the CPE.

That said, you don't want your customers having a direct layer 2 connection to your switch; it is opening you up to many attacks.

I don't have any clients with a layer 2 connection to my switches. If they need a public IP to their router I sell them a /30 subnet and route it to them. Even with ARP inspection, DHCP snooping, limiting learnt MACs per port to slightly more than is on the AP, and the rest of the port security features, there are just too many attack vectors that can be done on layer 2, and I'm sure I only know a small percentage of what is possible. I don't feel comfortable putting clients on it.

I used to have this wonderful build of the 5.3 SDK to which I added PPPoE relay support; it also had that rather major arbitrary shell command execution vulnerability patched (using the Ubiquiti provided patch). But Ubiquiti revoked the SDK and changed their MACs to prevent WISPs from customizing AirOS to suit their needs.

That build made things really easy and fast to get people a public address to their router without compromising the security of my network, as well as keeping whatever my customer plugs into their PoE as its own broadcast domain.
--
www.ontariohighspeed.ca

jcremin

join:2009-12-22
Siren, WI
kudos:3
said by OHSrob:

Try putting the offending client in router mode with NAT and do the PPPoE on the CPE.

That's how every customer is already set up. Every CPE does NAT on the rooftop in router mode.

said by OHSrob:

If they need a public ip to their router I sell them a /30 subnet and route it to them.

Same here. My office is literally the only CPE on the entire network that bridges direct access to the backhaul network.

OHSrob

join:2011-06-08
said by jcremin:

said by OHSrob:

Try putting the offending client in router mode with NAT and do the PPPoE on the CPE.

That's how every customer is already set up. Every CPE does NAT on the rooftop in router mode.

said by OHSrob:

If they need a public ip to their router I sell them a /30 subnet and route it to them.

Same here. My office is literally the only CPE on the entire network that bridges direct access to the backhaul network.

That's a very strange issue you're having.

If you clone that switch port and plug in a laptop running Wireshark, do you see anything that torch doesn't show?
--
www.ontariohighspeed.ca
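One way to make that mirrored-port capture answer the question, as an added example that is not part of this thread or of any poster's setup: the script below parses raw Ethernet frames, picks out PPPoE session (EtherType 0x8864) and discovery (0x8863) frames, strips an 802.1Q tag if present, and totals payload bytes per (source MAC, PPPoE session ID). Running it over frames captured on a port where only certain clients should appear shows immediately whose session traffic is turning up where it should not. The MAC addresses, session IDs and frames are constructed sample data, and the helper names are my own.

```python
import struct
from collections import defaultdict

ETHERTYPE_VLAN = 0x8100
ETHERTYPE_PPPOE_DISCOVERY = 0x8863
ETHERTYPE_PPPOE_SESSION = 0x8864


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def mac_bytes(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", ""))


def parse_pppoe(frame: bytes):
    """Return a dict for a PPPoE frame (optionally 802.1Q tagged), or None otherwise."""
    if len(frame) < 14:
        return None
    dst, src = frame[0:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    offset = 14
    if ethertype == ETHERTYPE_VLAN:
        # Single 802.1Q tag: TPID at 12..14, TCI at 14..16, real EtherType at 16..18.
        if len(frame) < 18:
            return None
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    if ethertype not in (ETHERTYPE_PPPOE_DISCOVERY, ETHERTYPE_PPPOE_SESSION):
        return None
    if len(frame) < offset + 6:
        return None
    # PPPoE header: ver/type (1 byte), code, session ID, payload length (RFC 2516).
    _ver_type, code, session_id, length = struct.unpack("!BBHH", frame[offset:offset + 6])
    kind = "session" if ethertype == ETHERTYPE_PPPOE_SESSION else "discovery"
    return {"src": mac_str(src), "dst": mac_str(dst), "kind": kind,
            "code": code, "session_id": session_id, "payload_len": length}


def tally_by_session(frames):
    """Total PPPoE session payload bytes keyed by (source MAC, session ID)."""
    totals = defaultdict(int)
    for frame in frames:
        p = parse_pppoe(frame)
        if p is None or p["kind"] != "session":
            continue  # ARP, discovery (PADI/PADO/...) and non-PPPoE frames are skipped
        totals[(p["src"], p["session_id"])] += p["payload_len"]
    return dict(totals)


def foreign_sessions(frames, expected_macs):
    """Session traffic whose source MAC is not one of the clients expected on this port."""
    return {k: v for k, v in tally_by_session(frames).items() if k[0] not in expected_macs}


# --- constructed sample frames (not a real capture) -------------------------
def build_session_frame(src, dst, session_id, payload, vlan=None):
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_VLAN, vlan & 0x0FFF)
    hdr += struct.pack("!H", ETHERTYPE_PPPOE_SESSION)
    hdr += struct.pack("!BBHH", 0x11, 0x00, session_id, len(payload))
    return hdr + payload


AC_MAC = "00:aa:bb:cc:dd:ee"        # hypothetical PPPoE server (access concentrator)
CLIENT_A = "00:11:22:33:44:01"      # hypothetical client on another AP
CLIENT_B = "00:11:22:33:44:02"      # hypothetical client expected on this port

SAMPLE_FRAMES = [
    # client A: one session frame, PPP protocol 0x0021 (IPv4) + 98 bytes -> 100 bytes
    build_session_frame(CLIENT_A, AC_MAC, 0x0001, b"\x00\x21" + b"A" * 98),
    # client B: VLAN-tagged session frame, 50 bytes of PPP payload
    build_session_frame(CLIENT_B, AC_MAC, 0x0002, b"\x00\x21" + b"B" * 48, vlan=10),
    # client B: a PADI (discovery, code 0x09, session 0) that must not be counted
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(CLIENT_B)
    + struct.pack("!H", ETHERTYPE_PPPOE_DISCOVERY) + struct.pack("!BBHH", 0x11, 0x09, 0, 0),
    # plain ARP frame (EtherType 0x0806), ignored entirely
    mac_bytes("ff:ff:ff:ff:ff:ff") + mac_bytes(CLIENT_B) + struct.pack("!H", 0x0806) + b"\x00" * 28,
]

if __name__ == "__main__":
    for key, total in sorted(foreign_sessions(SAMPLE_FRAMES, {CLIENT_B}).items()):
        print(f"unexpected session traffic: src={key[0]} session=0x{key[1]:04x} bytes={total}")
```

Fed a real mirrored-port capture (for example frames read from a pcap with any packet library), `foreign_sessions` gives the per-session byte counts for MACs that have no business on that port, which is exactly the comparison between what torch reports and what the wire actually carries.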