So you think the addresses I left in the trace above aren't on your side?
It gets better and better: so you'd be seeing the LAN broadcasts of other K-Net customers?
There have always been APIPA and 192.168… packets floating around on the GPON…
I detected quite a few of them a few years ago, coming from all sorts of devices (two Synology NAS, IoT things like thermostats, other interfaces and even a Freebox…)
At the time I thought it came from someone who had put their switch in the wrong place, but maybe it was someone hit by the Icotera bug…
Back then, VincentO2, who was still at K-Net, looked into it, and the biggest difficulty for K-Net was that they have no access to the GPON: what happens there is filtered before it reaches them, so they cannot see all these packets. I sent him a database with all the MAC addresses of these devices and he did what he could, in vain I believe; it was never resolved…
There was a whole dedicated thread I had opened on the Caps forum…
In the end, between the people who set up their network incorrectly, those who enabled port mirroring by mistake or carelessness, and those who have their own hardware and don't know how to use it, there are always some LANs leaking onto the GPON.
My router already filters these packets, but since they are broadcast/multicast, they were forcing my router to use more resources than necessary.
Since I'm a purist and like to optimise, I set up ebtables and iptables rules on my router to filter all of that as early as possible:
```
root@HERMES:~$ ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 1, policy: ACCEPT
-i ethwan -j auth_macs
Bridge chain: FORWARD, entries: 1, policy: ACCEPT
-i ethwan -j auth_macs
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
Bridge chain: auth_macs, entries: 2, policy: ACCEPT
-s 20:e0:9c:53:7a:9 -j RETURN
-j DROP
```
20:e0:9c:53:7a:9 is the MAC of my Covage gateway.
This means that anything coming in from the WAN from a device whose MAC differs from that of the Covage gateway I'm connected to is rejected at the router's entry.
In addition, I also have this iptables rule (and its ip6tables equivalent, which I'm not including here to keep things short):
```
-P PREROUTING ACCEPT
-A PREROUTING -i brwan -m set ! --match-set brwan_in_auth dst -j DROP
```
With
```
root@HERMES:~$ ipset -L brwan_in_auth
Name: brwan_in_auth
Type: hash:ip
Revision: 5
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xb7ec9594
Size in memory: 240
References: 1
Number of entries: 3
Members:
[MON IP]
255.255.255.255
[LE BROADCAST DE MON SOUS-RÉSEAU]
```
This iptables + ipset combination ensures that any packet arriving from the WAN that is not a global broadcast, a broadcast for my subnet, or destined for my IP address is automatically rejected as early as possible (the raw table being the first one, I keep unwanted packets from polluting the later rules in the mangle, filter, etc. tables).
I have simplified my rules here to the relevant ones… They are a bit more complex, because I access my ONT for monitoring, for example…
And it really does filter in bulk…
Here, for example, is a tcpdump from the router showing, over 2 seconds, all the broadcast or multicast traffic that does not come from my Covage gateway (so everything that is stopped by my ebtables rule):
```
root@HERMES:~$ tcpdump -i ethwan -ne ether broadcast or ether multicast | grep -ve 20:e0:9c:53:7a:9
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ethwan, link-type EN10MB (Ethernet), capture size 262144 bytes
13:32:31.781315 00:1e:80:74:7b:98 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe74:7b98.546 > ff02::1:2.547: dhcp6 solicit
13:32:31.798841 00:1e:80:7b:90:e8 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe7b:90e8.546 > ff02::1:2.547: dhcp6 solicit
13:32:31.802434 00:11:32:81:d5:f0 > 33:33:ff:7f:de:3e, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00:211:32ff:fe81:d5f0 > ff02::1:ff7f:de3e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe7f:de3e, length 32
13:32:32.130331 00:1e:80:27:e6:cc > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::21:0:14f4 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::21:0:1, length 32
13:32:32.135705 00:1e:80:21:6c:85 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 222: fe80::21e:80ff:fe21:6c85.546 > ff02::1:2.547: dhcp6 request
13:32:32.216961 40:3f:8c:85:8a:5a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.36, length 46
13:32:32.267601 00:11:2a:22:48:e7 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 62: 2.59.236.124.49150 > 255.255.255.255.49152: UDP, length 20
13:32:32.291344 00:1e:80:8e:91:8c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe8e:918c.546 > ff02::1:2.547: dhcp6 solicit
13:32:32.346701 bc:a5:11:31:f7:ae > 33:33:ff:53:78:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980:132:1a1f::1 > ff02::1:ff53:7801: ICMP6, neighbor solicitation, who has fe80::22e0:9cff:fe53:7801, length 32
13:32:32.365227 10:0d:7f:91:6f:e4 > 33:33:ff:05:90:58, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00::1 > ff02::1:ff05:9058: ICMP6, neighbor solicitation, who has 2a03:4980:200:4a00:ea44:7eff:fe05:9058, length 32
13:32:32.411618 00:1e:80:21:6c:9d > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:301 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.482065 e8:fc:af:8f:1c:2d > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::eafc:afff:fe8f:1c2d > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.512524 90:6c:ac:84:9e:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.238.185 tell 0.0.0.0, length 46
13:32:32.582659 28:c6:8e:92:4e:33 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:cf > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.770194 00:11:32:76:4a:7a > 33:33:ff:8e:91:8e, ethertype IPv6 (0x86dd), length 86: fe80::211:32ff:fe76:4a7a > ff02::1:ff8e:918e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe8e:918e, length 32
13:32:32.802215 00:11:32:81:d5:f0 > 33:33:ff:7f:de:3e, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00:211:32ff:fe81:d5f0 > ff02::1:ff7f:de3e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe7f:de3e, length 32
13:32:32.814336 00:1e:80:1d:7b:69 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:369 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.949325 00:1e:80:93:a9:84 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:302 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.965383 00:1e:80:38:76:1c > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:363 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:32.978816 e8:fc:af:8f:21:89 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.239.254 tell 2.59.237.58, length 46
13:32:33.149232 00:1e:80:80:1d:3c > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:324 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:33.174286 00:1e:80:7f:57:e4 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe7f:57e4.546 > ff02::1:2.547: dhcp6 solicit
13:32:33.230331 00:0e:58:f6:36:3e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 735: 192.168.1.58.50091 > 255.255.255.255.1900: UDP, length 693
13:32:33.231144 40:3f:8c:85:8a:5a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.56 tell 192.168.1.36, length 46
13:32:33.365320 10:0d:7f:91:6f:e4 > 33:33:ff:05:90:58, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00::1 > ff02::1:ff05:9058: ICMP6, neighbor solicitation, who has 2a03:4980:200:4a00:ea44:7eff:fe05:9058, length 32
13:32:33.439391 00:1e:80:a8:43:0c > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 90: fe80::21e:80ff:fea8:430c > ff02::16: HBH ICMP6, multicast listener report v2, 1 group record(s), length 28
13:32:33.441828 00:1e:80:a8:32:5c > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fea8:325c.546 > ff02::1:2.547: dhcp6 solicit
13:32:33.446576 00:1e:80:a8:43:0c > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 110: fe80::21e:80ff:fea8:430c > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
13:32:33.452668 00:1e:80:a8:43:0c > 33:33:00:00:00:16, ethertype IPv6 (0x86dd), length 110: fe80::21e:80ff:fea8:430c > ff02::16: HBH ICMP6, multicast listener report v2, 2 group record(s), length 48
13:32:33.482128 e8:fc:af:8f:1c:2d > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::eafc:afff:fe8f:1c2d > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:33.509182 00:1e:80:a8:43:0c > 33:33:ff:a8:43:0c, ethertype IPv6 (0x86dd), length 78: :: > ff02::1:ffa8:430c: ICMP6, neighbor solicitation, who has 2a03:4980:200:4a00:21e:80ff:fea8:430c, length 24
13:32:33.511056 bc:a5:11:31:f7:ae > 33:33:ff:53:78:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980:132:1a1f::1 > ff02::1:ff53:7801: ICMP6, neighbor solicitation, who has fe80::22e0:9cff:fe53:7801, length 32
13:32:33.520647 90:6c:ac:84:9e:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.238.185 tell 0.0.0.0, length 46
13:32:33.570631 00:1e:80:7f:5d:f0 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe7f:5df0.546 > ff02::1:2.547: dhcp6 solicit
13:32:33.582909 28:c6:8e:92:4e:33 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:cf > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:33.609619 10:0d:7f:91:6f:c5 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::120d:7fff:fe91:6fc5 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:33.630269 00:1e:80:32:5a:e5 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::21:0:7a6 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::21:0:1, length 32
13:32:33.662852 00:1e:80:7b:66:d0 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:29a > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:33.772631 00:11:32:76:4a:7a > 33:33:ff:8e:91:8e, ethertype IPv6 (0x86dd), length 86: fe80::211:32ff:fe76:4a7a > ff02::1:ff8e:918e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe8e:918e, length 32
13:32:33.802278 00:11:32:81:d5:f0 > 33:33:ff:7f:de:3e, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00:211:32ff:fe81:d5f0 > ff02::1:ff7f:de3e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe7f:de3e, length 32
13:32:34.130456 00:1e:80:27:e6:cc > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::21:0:14f4 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::21:0:1, length 32
13:32:34.216961 40:3f:8c:85:8a:5a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.26 tell 192.168.1.36, length 46
13:32:34.365258 10:0d:7f:91:6f:e4 > 33:33:ff:05:90:58, ethertype IPv6 (0x86dd), length 86: 2a03:4980:200:4a00::1 > ff02::1:ff05:9058: ICMP6, neighbor solicitation, who has 2a03:4980:200:4a00:ea44:7eff:fe05:9058, length 32
13:32:34.411931 00:1e:80:21:6c:9d > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:301 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.506620 bc:a5:11:31:f7:ae > 33:33:ff:53:78:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980:132:1a1f::1 > ff02::1:ff53:7801: ICMP6, neighbor solicitation, who has fe80::22e0:9cff:fe53:7801, length 32
13:32:34.530550 90:6c:ac:84:9e:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.238.185 tell 0.0.0.0, length 46
13:32:34.583002 28:c6:8e:92:4e:33 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::2ac6:8eff:fe92:4e33 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.609682 10:0d:7f:91:6f:c5 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::120d:7fff:fe91:6fc5 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.647389 2c:30:33:e6:0f:15 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::2e30:33ff:fee6:f15 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.747982 60:a4:b7:ef:cc:2e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 777: 192.168.1.56.43756 > 255.255.255.255.29810: UDP, length 735
13:32:34.773224 00:11:32:76:4a:7a > 33:33:ff:8e:91:8e, ethertype IPv6 (0x86dd), length 86: fe80::211:32ff:fe76:4a7a > ff02::1:ff8e:918e: ICMP6, neighbor solicitation, who has fe80::21e:80ff:fe8e:918e, length 32
13:32:34.808776 00:1e:80:93:a5:b8 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 222: fe80::21e:80ff:fe93:a5b8.546 > ff02::1:2.547: dhcp6 request
13:32:34.814493 00:1e:80:1d:7b:69 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:369 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.951137 00:1e:80:93:a9:84 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:302 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:34.965570 00:1e:80:38:76:1c > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:363 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.039610 00:1e:80:9b:a2:b0 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe9b:a2b0.546 > ff02::1:2.547: dhcp6 solicit
13:32:35.082378 e8:fc:af:8f:1c:2d > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::eafc:afff:fe8f:1c2d > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.189032 60:31:97:7a:84:da > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 45.83.231.254 tell 45.83.228.34, length 46
13:32:35.213462 80:37:73:ee:26:ad > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::8237:73ff:feee:26ad > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.360572 00:1e:80:90:48:64 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 45.83.231.3 tell 0.0.0.0, length 46
13:32:35.480847 a4:2b:8c:92:87:6b > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:176 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.506651 bc:a5:11:31:f7:ae > 33:33:ff:53:78:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980:132:1a1f::1 > ff02::1:ff53:7801: ICMP6, neighbor solicitation, who has fe80::22e0:9cff:fe53:7801, length 32
13:32:35.527207 00:1e:80:80:1d:3c > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::1a:0:324 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.540797 90:6c:ac:84:9e:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.238.185 tell 0.0.0.0, length 46
13:32:35.609650 10:0d:7f:91:6f:c5 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: fe80::120d:7fff:fe91:6fc5 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::1a:0:1, length 32
13:32:35.630581 00:1e:80:32:5a:e5 > 33:33:ff:00:00:01, ethertype IPv6 (0x86dd), length 86: 2a03:4980::21:0:7a6 > ff02::1:ff00:1: ICMP6, neighbor solicitation, who has 2a03:4980::21:0:1, length 32
^C68 packets captured
72 packets received by filter
0 packets dropped by kernel
```
Most of these packets are normal (in particular the DHCP (v4 or v6) packets [as long as they aren't being spammed 4,000 times per second ![Grimace ;D](https://lafibre.info/Smileys/default/grin.gif) ]) and would have been blocked further along by my router, which would not have routed them to my LAN.
We can see abnormal packets, such as 192.168.1.56, coming from a WAN/LAN leak at someone's place or from a misconfiguration of their network or settings; those too would have been blocked further along by my router. They are, by the way, the same packets Superpicsou sees arriving on his LAN, since we are on the same GPON.
With these specific rules, I block these packets as early as possible ![Clin d'oeil ;)](https://lafibre.info/Smileys/default/wink.gif)
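As an added example (not the poster's code), here is a small offline classifier that replays the two stages described in the post over `tcpdump -ne` lines: first the ebtables `auth_macs` chain (only the gateway MAC is returned, everything else is dropped), then the raw `PREROUTING` rule that drops IPv4 packets whose destination is not in the `brwan_in_auth` ipset. It also flags frames whose addresses betray a leaked private LAN (RFC 1918 or APIPA) as opposed to the ordinary DHCPv6 / neighbour-solicitation chatter of other subscribers. The subscriber's own IP and subnet broadcast are redacted in the post, so the values used here (`2.59.236.10`, `2.59.239.255`) are assumptions; four of the sample lines are copied from the capture above and the three gateway frames are constructed. One detail worth knowing: ebtables prints MAC octets without leading zeros (`…:7a:9`) while tcpdump zero-pads them (`…:7a:09`), so the comparison normalises both forms first.

```python
"""Replay the ebtables MAC allow-list and the ipset destination check over
tcpdump -ne lines. Added example, not code from the original post."""
import ipaddress
import re
from collections import Counter

# Assumed values (the post redacts them): the subscriber's own public address
# and the broadcast address of its subnet.
MY_IP = ipaddress.ip_address("2.59.236.10")                 # assumption
MY_SUBNET_BROADCAST = ipaddress.ip_address("2.59.239.255")  # assumption
# The gateway MAC exactly as `ebtables -L` prints it (octets not zero-padded).
GATEWAY_MAC = "20:e0:9c:53:7a:9"

# ipset brwan_in_auth: the only IPv4 destinations the raw PREROUTING rule lets through.
BRWAN_IN_AUTH = {MY_IP, MY_SUBNET_BROADCAST, ipaddress.ip_address("255.255.255.255")}

# Ranges with no business on a public GPON segment: RFC 1918 plus APIPA.
LEAK_NETS = [ipaddress.ip_network(n) for n in
             ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

FRAME_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[0-9a-fA-F:]+) > (?P<dst>[0-9a-fA-F:]+), "
    r"ethertype (?P<etype>\S+) \(0x[0-9a-fA-F]+\), length \d+: (?P<payload>.*)$")
ARP_RE = re.compile(r"who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)")
IPV4_RE = re.compile(r"^(?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.\d+:")


def norm_mac(mac: str) -> str:
    """Canonical lowercase, zero-padded form so the ebtables spelling
    '20:e0:9c:53:7a:9' equals tcpdump's '20:e0:9c:53:7a:09'."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def is_leaked_lan(addr: ipaddress.IPv4Address) -> bool:
    return any(addr in net for net in LEAK_NETS)


def classify(line: str) -> dict:
    """Verdict the router's two stages would give this frame, plus whether
    its addresses reveal a leaked private LAN."""
    m = FRAME_RE.match(line)
    if not m:
        return {"verdict": "unparsed", "leak": False}
    src_mac = norm_mac(m["src"])
    rec = {"src_mac": src_mac, "etype": m["etype"], "leak": False}
    # Stage 1, ebtables chain auth_macs on ethwan: only the gateway MAC RETURNs,
    # every other source hits the final -j DROP before IP processing starts.
    rec["verdict"] = "accept" if src_mac == norm_mac(GATEWAY_MAC) else "drop:ebtables"
    payload = m["payload"]
    if m["etype"] == "IPv4":
        m4 = IPV4_RE.match(payload)
        if m4:
            src4 = ipaddress.ip_address(m4["src"])
            dst4 = ipaddress.ip_address(m4["dst"])
            rec["leak"] = is_leaked_lan(src4)
            # Stage 2, raw PREROUTING: -m set ! --match-set brwan_in_auth dst -j DROP
            if rec["verdict"] == "accept" and dst4 not in BRWAN_IN_AUTH:
                rec["verdict"] = "drop:ipset"
    elif m["etype"] == "ARP":
        ma = ARP_RE.search(payload)
        if ma:
            # "tell 0.0.0.0" is a normal DAD probe; only RFC 1918/APIPA counts as a leak.
            rec["leak"] = any(is_leaked_lan(ipaddress.ip_address(a))
                              for a in (ma["sender"], ma["target"]))
    return rec


def summarize(lines) -> dict:
    """Count verdicts and collect the MACs of devices leaking a private LAN."""
    verdicts = Counter()
    leaking_macs = set()
    for line in lines:
        rec = classify(line)
        verdicts[rec["verdict"]] += 1
        if rec["leak"]:
            leaking_macs.add(rec["src_mac"])
    return {"verdicts": dict(verdicts), "leaking_macs": sorted(leaking_macs)}


# Sample input: the first four lines are copied from the capture in the post;
# the last three are constructed to exercise the gateway-MAC path.
SAMPLE = [
    "13:32:33.230331 00:0e:58:f6:36:3e > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 735: 192.168.1.58.50091 > 255.255.255.255.1900: UDP, length 693",
    "13:32:32.216961 40:3f:8c:85:8a:5a > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.36, length 46",
    "13:32:31.781315 00:1e:80:74:7b:98 > 33:33:00:01:00:02, ethertype IPv6 (0x86dd), length 180: fe80::21e:80ff:fe74:7b98.546 > ff02::1:2.547: dhcp6 solicit",
    "13:32:32.512524 90:6c:ac:84:9e:e0 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.238.185 tell 0.0.0.0, length 46",
    "13:32:36.000000 20:e0:9c:53:7a:09 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: Request who-has 2.59.236.10 tell 2.59.236.1, length 46",
    "13:32:36.100000 20:e0:9c:53:7a:09 > ff:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 62: 2.59.236.1.67 > 2.59.239.255.68: UDP, length 20",
    "13:32:36.200000 20:e0:9c:53:7a:09 > 00:11:22:33:44:55, ethertype IPv4 (0x0800), length 62: 2.59.236.1.49150 > 2.59.236.55.49152: UDP, length 20",
]

if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print(summarize(SAMPLE))
```

Feeding the real capture in (`tcpdump -i ethwan -ne ... | python3 classify.py`, after swapping `SAMPLE` for `sys.stdin`) gives a per-MAC list of the devices leaking RFC 1918 traffic, which is the kind of inventory the post mentions sending to the ISP.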