1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Do the Bandwidth stats include traffic that doesn't touch the LAN?

Discussion in 'Tomato Firmware' started by kyphos, Dec 9, 2012.

  1. kyphos

    kyphos Serious Server Member

    I recently deployed a Tomato router (Toastman 1.28.7633.3 IPT-ND STD) behind a Comcast cable modem.The Bandwidth/Last 24 Hours page displays fairly constant RX (download) traffic on the WAN interface of about 20-25 kbps, 7x24. That's around 250 MB per day. I inspected the IP Traffic stats to determine which of the devices on my LAN (there are only two) was consuming all this traffic. None of them, it seems. The IP Traffic reports are minimal. The two devices on the LAN have been essentially dormant, doing little more than getting an NTP time update occasionally.

    Do the Bandwidth stats captured by Tomato include packets that don't traverse the router to the LAN?? These would include:
    • pings (ICMP packets) from the internet. These are dropped by the firewall.
    • packets from port scanners looking to break in (hitting ports 80, 22, 139, 445, etc etc). These are also dropped by firewall.
    • DHCP traffic flowing to/from Comcast's DHCP servers. These messages (DHCP Discover, Offer and Accept) are all broadcast messages sent to destination 255.255.255.255 on the subnet. It's my understanding that every router on a network segment sees every DHCP message sent to/from all the other routers (since they are all broadcast messages).
    • response to traffic initiated by Tomato itself. These would include responses to time queries (to NTP servers), and responses to DDNS address updates.
    If Tomato's bandwidth monitor is indeed counting all of the 'internet background' traffic, is there any way to configure the bandwidth logging process to only count 'legitimate' traffic originated or terminated by devices on the LAN? I'd just as soon not have 250MB/day of spurious noise included in the daily/weekly/monthly stats.

    Thanks.
     
  2. kyphos

    kyphos Serious Server Member

    Most of the background traffic on my WAN interface (250MB+ per day) appears to be a constant stream of DHCP broadcast messages coming from Comcast, destined for port 68. The conntrack table has an entry like this all the time:
    Code:
    udp      17 16 src=96.76.24.1 dst=255.255.255.255 sport=67 dport=68 packets=5706 bytes=1829820 [UNREPLIED]
    
    Is there any way to exclude this traffic from the Bandwidth stats?
     
  3. rafwes

    rafwes Serious Server Member

    Just if Toastman compiles the kernel with notrack. Shibby doesn't. Try this over ssh and see if it works:
    Code:
    iptables -t raw -A PREROUTING -i vlan2 -s 96.76.24.1 -p udp --dport 68 -j NOTRACK
     
  4. kyphos

    kyphos Serious Server Member

    @rafwes,
    Thanks a lot for responding, with an excellent idea. I would never have thought of using iptables in this manner. Or in any manner, since iptables is a mega-mystery to me. Unfortunately, the command you suggested doesn't work. My router (a Motorola WR850B) doesn't have a vlan2. The WAN interface is on vlan1. That's an easy fix.

    However, more challenging is the fact that the variant of Toastman's firmware I'm using (1.28.7633) doesn't appear to have support for the raw routing table.
    Code:
    root@MotoWR850G:/tmp/home/root# iptables -t raw --list
    iptables v1.3.8: can't initialize iptables table `raw': Table does not exist (do you need to insmod?)
    Perhaps iptables or your kernel needs to be upgraded. 
    Upgrading iptables is far beyond my level of competency. Ditto for insmod (whatever that is...). So for the time being, I'm stuck with all the DHCP bdcst traffic getting included in the stats. But thanks for the suggestion!
     
  5. rafwes

    rafwes Serious Server Member

    Well, it turns out Shibby does have NOTRACK, it is simply not active. Try
    Code:
    modprobe -l | grep raw
    modprobe -l | grep NOTRACK
    If it returns values for both you can activate the raw table and NOTRACK. All you got to do is execute modprobe %MODULENAME% for each before evoking the iptables rule.
     
  6. kyphos

    kyphos Serious Server Member

    I checked my Toastman build but there's no sign of raw or NOTRACK. Perhaps I'll give Shibby a try some day, if I can figure out which version is compatible with my WRT54GL.

    Thanks!
     

Share This Page