1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Tomato consumes traffic?

Discussion in 'Tomato Firmware' started by Anzial, Oct 17, 2009.

  1. Anzial

    Anzial Addicted to LI Member

    I had my Asus 520GU running Tomato for about 3 days now (first plain 1.25 and then switched to Teddy Bear's mod v35) and it generates traffic for no apparent reason (see attached graphs). I've used the router to download 1gb worth of files around 4pm but before that, I only browsed internet, checked email and stuff at 9-10am, 12-1pm and 3-4pm. The rest of the time my computers were off or sleeping. Wireless is disabled.

    As you can see, Vlan1 which supposed to measure traffic coming into and out of WAN port on the router, shows up ~6.5gb of data. Vlan0 which shows internal LAN ports, shows only 1gb or so. Can anyone tell me, what is going on here? I don't understand it, is that real traffic or some sort of glitch in Tomato programming or 520gu hardware? What kind I do to track down the source of the problem?

    Update: I've stuck the router behind one of my computers with lan ports, so it's like that:

    ISP --> computer with shared LAN --> router --> laptop
    1hour and so far, doesn't seem to generate any traffic... So, my guess is - the Tomato is interacting with ISP switch or something... What might be the cause of that, can someone offer a guess?
     

    Attached Files:

  2. TexasFlood

    TexasFlood Network Guru Member

    You could try logging some traffic and having a look. Last time that I looked was years ago when I was running DD-WRT sent logging to one of my Windows desktop PCs running kiwi syslog software. Found that I was getting hit on the WAN side by portscans/attacks from all over the world looking for open FTP ports and other vulnerabilities.
     
  3. Anzial

    Anzial Addicted to LI Member

    IC... I guess it's a possibility. but it seems like that traffic does NOT pass through to the computer, does it? Besides, AFAIK my ISP is filtering portscans/attacks..

    I have another question - assuming my router is under attack, isn't it supposed to slow down? Also, does the attack count as traffic by ISP?
     
  4. TexasFlood

    TexasFlood Network Guru Member

    Right, didn't look like it was passing through. I don't know who your ISP is but as of when I scanned, Comcast was letting an awful lot through, I particular remember a ton of FTP port 21 attempts and SQL slammer taffic on port 1434. I admit that I haven't checked lately but I'd bet there is still lots of that type of traffic. I'd bet that if Comcast were to start filtering those valid ports, folks would complain more then not doing so.
     
  5. Anzial

    Anzial Addicted to LI Member

    I guess it shows that Tomato firewall was working lol :D I'm also running software firewalls (Symantec Endpoint Protection). BTW, I'm really a noob at this, would you be kind to point in the direction of a guide for setting up traffic logging? :)
     
  6. TexasFlood

    TexasFlood Network Guru Member

    Administration => Logging, for the sort of traffic I was referring to, it's probably "Connection Logging, Inbound Connection" traffic that you're interested in. Be warned, there is liable to be a lot of it. If you want to capture much of it at all, the router isn't going to hold much internally, you'll probably want to set up a syslog server on a PC (set up under "Log to Remote System"), something like Kiwi or Wallwatcher. By default, Tomato exposes no ports to the Internet so only the ports you've forwarded are open to attack, but that doesn't stop anyone from trying.
     
  7. Anzial

    Anzial Addicted to LI Member

    Thank you for the tip, I've setup Wallwatcher and in just a few minutes of running on the network I've got 2k hits, all the same, more or less: ip such and such (99% from my domain), protocol UDP, L and R port (frequently 137, mostly less than 200 or above 55k), and some "local ip" which doesn't really correspond to mine. Now, are these attacks or just packets bouncing through which don't really belong to me? I mean, I'm completely clueless at how to interpret these logs lol :) When I hook up a computer to ISP, it's software firewall doesn't seem to see any attacks (Symantec Endpoint Protection)

    BTW, the reason I flashed to Tomato from DD-WRT was because DD-WRT was resetting itself every now and then (sometimes after half-hour, sometimes after a few hours), which meant I was losing traffic logs. I suspect, DD-WRT wasn't coping with so many hits lol :)

    Small portion of the log:
     
  8. TexasFlood

    TexasFlood Network Guru Member

    That doesn't really look like an obvious attack to me, although the port 137 netbios stuff might be suspicious. Are those 95.38.23x.xx IP adresses similar to yours and probably folks using the same ISP?
     
  9. Anzial

    Anzial Addicted to LI Member

    Yep, except for the last number, the rest is the same, I suspect most of those IPs are physically in the same building as me. So, if it's not an attack, what's going on?
     
  10. TexasFlood

    TexasFlood Network Guru Member

    Not sure, but if you keep logging, you should see whatever it is. Perhaps that traffic bleeding over from your neighbors is just adding up over time, or maybe there is something more that didn't show up in the sample. But whatever it is should show up in that log.
     
  11. Anzial

    Anzial Addicted to LI Member

    what exactly does it mean, 'traffic bleeding from neighbors'? Is there a problem with building switch? Or is Tomato logging packets addressed to someone else?

    Edit: ran the WW for about an hour, Tomato logged over 500mb incoming traffic! 99.99% is of course what I'm dealing with - all those random things in the log. They still look the same as I posted, is there something specific I should be looking for?

    EDIT2: 2 hours, and traffic is over 1gb, only 50mb or so passed on to the computers. Man, is there any way to make Tomato ignore all that crap?
     
  12. TexasFlood

    TexasFlood Network Guru Member

    Find a list of known ports such as the Wikipedia List of TCP and UDP port numbers, or google up one of the many others. Then go through and do some analysis. Actually wallwatcher should do some analysis for you.

    I'm not going to do try to manually do what you should be able to easily do automatically with a tool, but I'll provide an example. Everything in your sample are sending to broadcast addresses, not to your specific IP. The 255 numbers are special, like a wildcard, meaning to match any number in that position. So this is traffic being sent out by your neighbors to broadcast or "wildcard' destinations which match your WAN IP so your get those packets along with anyone else matching the destination pattern.

    Of course this is a bit oversimplified. The broadcast addresses for a network really depend on how many bits are allocated to network and how many to hosts. But this description should work for common /24 networks.

    The first entry is a udp from source IP 95.38.235.163 port 631 to destination IP 95.38.235.255 port 631
    This port is defined as Internet Printing Protocol (IPP).
    The last part of the IP, the 255, means this is a broadcast address.
    The entries with a destination address of 255.255.255.255 match any IP address on the subnet.
     
  13. TexasFlood

    TexasFlood Network Guru Member

    It's not a Tomato thing, it's a network thing. I would say Tomato is effectively "ignoring" the traffic as near as I can tell it it getting dropped at the WAN side of the router. The fact that you are receiving the traffic is just the way networks work. The destination addresses are broadcasts that include your IP so you get the packets. It is getting reported since it is network traffic being received. If you want to change the way it's getting reported on the graphs, that's beyond me and my available time but maybe there are others around with more expertise in that area. Just be glad you have the extra layer of protection that Tomato affords.
     
  14. Anzial

    Anzial Addicted to LI Member

    yeah, wallwatcher doesn't do the analysis at all. Maybe I didn't install it properly lol but even the helpfiles don't work (the list comes up but no individual pages). Analysis just relists the log and that's it
     
  15. Anzial

    Anzial Addicted to LI Member

    lol, I'd really like to have some sort of daily report being accurate and not have some wild numbers in gigabytes (I think 20gb or so is not unexpected with this setup lol). Oh well, I guess if I can't do anything about it, I guess I'll just watch my vlan0 or something

    TexasFlood, thanks for taking your time to help, I really appreciate it.
     
  16. TexasFlood

    TexasFlood Network Guru Member

    Sounds like the report is accurate just not measuring what you wanted or expected. As I think you are saying, if you watch your LAN and not the WAN, maybe that is a better fit for your needs.
     
  17. Toastman

    Toastman Super Moderator Staff Member Member

    The answer to this is probably to change the subnet of your building, hopefully you will then stop receiving this traffic. If addresses are issued by your router by DHCP there will be very little disturbance to other users.
     
  18. Anzial

    Anzial Addicted to LI Member

    not sure what you mean but I don't think I can change the subnet lol :) It is really annoying that there's so much of crap coming into my router and it's even more annoying that it's counted by the wan port even though it's rejected by the firewall...
     
  19. Toastman

    Toastman Super Moderator Staff Member Member

    Perhaps I don't understand the setup there.

    If the router is under your control, then I was assuming you can select the range of IP addresses on your own network. Are all of your users allocated a public IP address in the 95.38.235.xxx by the ISP? That would be extremely unusual. Or are you allocated a dynamic IP by DHCP which you then NAT to your network? I'm not clear on that.

    At the moment you say your ISP connects to PC, and a router is "behind" the PC ??? Does your PC do NAT ? How is it sharing?

    The more normal way is ISP > Modem (bridged) > Tomato router > All PC's on your network. The network would have a different subnet - say 192.168.1.xxx. with addresses allocated by your router's DHCP.

    It may in the long run do the same thing, but since your router is presently "behind" a PC, I can't see why you are getting this traffic.

    Perhaps you can post some more details of your setup to clear up my confusion :biggrin:


    [I think the firewall is doing what it should. It has to process the incoming traffic in order to know whether to reject it or not. So it really should show in the stats. But I do see the problem!]
     
  20. Anzial

    Anzial Addicted to LI Member

    I do control the router but the broadcast packets come in from outside of it. The thing is, I live in an apartment building where each apartment has an ethernet jack all hooked to the ISP so whenever I plug my tomato router in, it starts receiving all that broadcast traffic from the neighbors (at least, I think it's my neighbors). In other words, I can't control 95.x.x.x, I can only control 192.168.x.x with the router.

    As for PC, I have a dual-LAN pc which I can setup to share networking - so one LAN is connected to ISP and the other one I hook up the same tomato router which no longer registers 95.x.x.x broadcast packets (there's a little chatter from the network share PC but it's very minimal). But I don't like having this setup since I won't have any network if I shut down the PC, so I prefer to have router hooked up to ISP

    I should note, I suspect that something has been changed recently in the way ISP setup the network throughout the building so that I get hit with so much broadcast traffic. Before tomato, I used DD-WRT which was usually spot on in terms of traffic logging but a few weeks ago, it started to have same symptoms.

    Well, it's understandable that WAN port should receive all the packets but what I can do to mod Tomato so that it would show only the traffic passed through WAN? Because otherwise I'm getting 7gb or traffic through the night! and there's no way of telling if any of that is legit or not...

    Check this out: [​IMG]
    If I read this picture correctly, 8,000mb data entered WAN but only 147mb went on to my LAN. How messed up is that?
     
  21. Toastman

    Toastman Super Moderator Staff Member Member

    Aha I see now. I didn't realize you are already on a wired apartment LAN of some sort. Well, seems to me that if there are so many other PC's on the same network, and they are all broadcasting regularly, netbios, printservers, etc. then there's nothing you can do about it. Tomato is keeping it out, that's the purpose of the firewall, and it's working fine. It becomes only a problem of "juggling the figures" that you wish to see in the stats.

    There might be some scripts that could achieve this. There are a few people on here who are pretty good at scripts, maybe someone will have a suggestion how to achieve a total figure which excludes other machines on that LAN.

    I'll have a think about it, if anything else occurs to me I'll post it!
     
  22. TexasFlood

    TexasFlood Network Guru Member

    I suppose it is the rstats program that jon wrote for tomato that is gathering this data. If so the question is can rstats be modified to not count broadcasts or could something be done with iptables maybe to provide an alternative way of counting? Like you, I don't know of a way offhand but suspect there are folks on this forum who might.
     
  23. Joshe

    Joshe Addicted to LI Member

    Well, I have de same question, let me explain:
    My connexion is:

    ISP --> MODEM (ethernet connexion)--> Router --> PC (Wifi)

    If the all computer are shutdown the Internet LED blinking without reason in the Router and MODEM.
    But if I disconnect the Router from MODEM, the LED in MODEM don't blinking that indicates the router with Tomato consumes traffic.

    Do you have Any idea about what TOMATO's service, consumes traffic?

    My Firmware Version is:
    Tomato Firmware v1.25.8515 .2RAF ND
    Built on Fri, 24 Jul 2009 04:22:28 +0200

    Please any help will be appreciated
     
  24. brokenmind

    brokenmind Addicted to LI Member

    I posted the same finding a while ago when upgrading from 1.19 to 1.23;
    unfortunately I never found a solution or explanation for this issue, it would be nice to know the reason...
     
  25. TexasFlood

    TexasFlood Network Guru Member

    Not quite sure what is meant by "Tomato consumes traffic", but Anzial started this thread after noticing a large quantity of unexplained traffic as measured in his bandwidth stats. After installing wallwatcher and checking the logs, this was discovered to be broadcast traffic hitting his tomato router on the WAN side. This had nothing specific to do with tomato, rather it has to do with unwanted traffic coming in from other ISP customers. Perhaps the way tomato logging works and/or the router lights work has changed in one of the Tomato versions, I really don't know. If you want to investigate your network traffic, I'd recommend the same approach Anzial took, install wallwatcher or your favorite syslog logging software and take a look.
     
  26. Joshe

    Joshe Addicted to LI Member

    Ok TexasFlood, let me try with wallwatcher. Thank you.
     

Share This Page