Anomal Traffic and Process

Deal Community,

I all my Homelab ist complete down because of anomal traffic on my Network.

I reach the Router:

Dhcp realese –> yes but not internet

VPN connection with another Server in Network, to client (site-to-site) –> But no Traffic

The Router CPU ist 100% . All traffic trouth the Router ist down.

How i can identify what make all this traffic on my Network and how i block and solve as soon as this problem?

I dont have all of esperience in Netwwork and Security but i like Openwrt. i am just ein entusiate and i need seriosly your help. Thanks

AnomalTraffic752×586 56.5 KB

AnomalTraffic21645×712 117 KB

Thanks

Rolando

We can start by looking at your config...

Please connect to your OpenWrt device using ssh and copy the output of the following commands and post it here using the "Preformatted text </> " button (red circle; this works best in the 'Markdown' composer view in the blue oval):

Remember to redact passwords, VPN keys, MAC addresses and any public IP addresses you may have:

ubus call system board
cat /etc/config/network
cat /etc/config/wireless
cat /etc/config/dhcp
cat /etc/config/firewall

What barfs multicast in your network?

ubus call system board

{
        "kernel": "6.6.73",
        "hostname": "routertg",
        "system": "Intel(R) Celeron(R) CPU  N2807  @ 1.58GHz",
        "model": "clientron 1658",
        "board_name": "clientron-1658",
        "rootfs_type": "ext4",
        "release": {
                "distribution": "OpenWrt",
                "version": "24.10.0",
                "revision": "r28427-6df0e3d02a",
                "target": "x86/64",
                "description": "OpenWrt 24.10.0 r28427-6df0e3d02a",
                "builddate": "1738624177"
        }
}

cat /etc/config/network

config interface 'loopback'
        option device 'lo'
        option proto 'static'
        option ipaddr '127.0.0.1'
        option netmask '255.0.0.0'

config globals 'globals'
        option ula_prefix 'fa71:8899:b0c0::/48'
        option packet_steering '1'

config device
        option name 'br-lan'
        option type 'bridge'
        list ports 'eth0'

config interface 'lan'
        option device 'br-lan'
        option proto 'static'
        option ipaddr '192.168.5.1'
        option netmask '255.255.255.0'
        option ip6assign '60'

config interface 'wan'
        option device 'eth1'
        option proto 'dhcp'

config route
        option target '192.168.11.0/24'
        option gateway '192.168.5.12'

cat /etc/config/wireless

No Wireless

cat /etc/config/dhcp

config dnsmasq
        option domainneeded '1'
        option localise_queries '1'
        option rebind_protection '1'
        option rebind_localhost '1'
        option local '/lan/'
        option domain 'lan'
        option expandhosts '1'
        option cachesize '1000'
        option authoritative '1'
        option readethers '1'
        option leasefile '/tmp/dhcp.leases'
        option resolvfile '/tmp/resolv.conf.d/resolv.conf.auto'
        option localservice '1'
        option ednspacket_max '1232'
        option logqueries '1'

config dhcp 'lan'
        option interface 'lan'
        option start '100'
        option limit '150'
        option leasetime '1d'
        option dhcpv4 'server'
        option dhcpv6 'server'
        option ra 'server'
        list ra_flags 'managed-config'
        list ra_flags 'other-config'

config dhcp 'wan'
        option interface 'wan'
        option ignore '1'

config odhcpd 'odhcpd'
        option maindhcp '0'
        option leasefile '/tmp/hosts/odhcpd'
        option leasetrigger '/usr/sbin/odhcpd-update'
        option loglevel '4'

config host
        option name 'Vpn-Togo'
        option ip '192.168.5.12'
        list mac '00:02:2F:0R:05:A5'

cat /etc/config/firewall

config defaults
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option synflood_protect '1'
        option drop_invalid '1'

config zone
        option name 'lan'
        list network 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'ACCEPT'

config zone
        option name 'wan'
        list network 'wan'
        list network 'wan6'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'

config forwarding
        option src 'lan'
        option dest 'wan'

config rule
        option name 'Allow-DHCP-Renew'
        option src 'wan'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'

config rule
        option name 'Allow_MAC_Address'
        option src 'lan'
        option dest 'wan'
        option target 'ACCEPT'
        list proto 'all'
        list src_mac '00:02:2F:0R:05:A5'

config rule
        option name 'Reject_All_LAN_to_WAN'
        list proto 'all'
        option src 'lan'
        option dest 'wan'
        option target 'REJECT'

Thanks for you help

This is rather unusual.... why is this here?

Banause i block all Mac Adresse on my network und i autorize only declared MAC Adresse

Method 2: Firewall Traffic Rules (Wired or Wireless)

For a more general approach that works for both wired and wireless clients and controls access to the WAN (internet), you can use firewall rules. This involves creating a default rule to block all devices and then adding exceptions for the allowed ones.

1. Log in to your LuCI web interface.

2. Navigate to Network → Firewall → Traffic Rules.

3. Create a general rule to block all traffic from the LAN to the WAN zone:

4. Click Add in the "Traffic Rules" section.

5. Name: Reject_All_LAN_to_WAN

6. Protocol: Any

7. Source zone: lan

8. Destination zone: wan

9. Action: Reject

10. Click Save.

11. Create specific rules to allow traffic for each specified MAC address:

12. Click Add again.

13. Name: Allow_User1_MAC

14. Protocol: Any

15. Source zone: lan

16. Source MAC address: Enter the allowed MAC address (e.g., aa:bb:cc:dd:ee:ff)

17. Destination zone: wan

18. Action: Accept

19. Click Save.

20. Repeat the "Allow" rule for every MAC address you wish to grant access.

21. Ensure the "Allow" rules are placed above the "Reject_All_LAN_to_WAN" rule in the list, as rules are processed in order from top to bottom. You can reorder rules using the up/down arrows in the LuCI interface.

22. Click Save & Apply.

I understand how you achieved it. I'm asking why.

There are other (better) ways to accomplish this task.

Did you use AI to help you configure your router?

Yes only the last Mac Adress control, i use KI.

If you have another way to give internet access only to authorize mac Address kann you please share with me your /etc/config/firewall ?

Thanks

AI is entirely unreliable for technical things like OpenWrt. It will cause you many more problems than it will solve.

Remove the lan > wan forwarding, then add one rule that accepts lan > wan for a single authorized device (it's best to do this via IP address).

Thanks you for your answer.
This this new config i have despite anomal trafic.

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'

config forwarding
	option src 'lan'
	option dest 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

Do you have another idea ?
Thanks

Inbound is multicast. Like iptv or wifi speakers. monitor ethtool -S eth0 fields.

You didn't create the rule to allow the singular device to reach the internet.

But the CPU shouldn't be pegged like that...

Are you running other services?

Please kann you controll before i make the implementation ?
The Router ist in 5000 km far from me. If no Access

Is ok ? Thanks

config defaults
	option syn_flood '1'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'

config zone
	option name 'lan'
	list network 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'

config zone
	option name 'wan'
	list network 'wan'
	list network 'wan6'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'


config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config rule
	option name 'Allow_IP_Internet'
	option src 'lan'
	option dest 'wan'
	option target 'ACCEPT'
	list proto 'all'
	list src_ip		'192.168.5.5'
	list src_ip		'192.168.5.6'
	list src_ip		'192.168.5.7'
	list src_ip		'192.168.5.8'
	list src_ip		'192.168.5.9'
	list src_ip		'192.168.5.10'

ethtool -S eth0

On my network no device has no Internet Access...
I am with Cloudflare Zero Trust Tunnel Plugin to the Router (https and ttyd)

NIC statistics:
     tx_packets: 67649047
     rx_packets: 526654907
     tx_errors: 0
     rx_errors: 0
     rx_missed: 35524
     align_errors: 0
     tx_single_collisions: 0
     tx_multi_collisions: 0
     unicast: 308240
     broadcast: 417690474
     multicast: 526346669
     tx_aborted: 0
     tx_underrun: 0

As long as these are the correct addresses, this rule should work. However, since you have multiple allowed source IP addresses, this is usually best accomplished with ipsets.

This all comes from other machines.
tcpdump and wireshark and try to figure out whats wrong.

Hello,
I want seriostly a solution for security raison for this Probleme.

My Configuration:

Eth0 --> LAN (Dhcp: disable)
Eth1 --> WAN (active) 192.168.1.0/24

from Router terminal:
ping 1.1.1.1 OK

tcpdump -i eth0 -w capture.pcap

Why WAN (eth1) IP class on the capture.pcap.
These IP are note on my Network. 192.168.1.20 or 192.168.1.89
See the capture.pcap above:

Some sicurity bug ?

23:28:54.013386 78:8c:b5:d4:93:62 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.111, length 46
23:28:54.013386 a8:6e:84:6e:c1:7f (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 330: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a8:6e:84:6e:c1:7f (oui Unknown), length 288
23:28:54.013386 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 302: 192.168.1.20.47719 > 255.255.255.255.10001: UDP, length 260
23:28:54.013386 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013386 ec:71:db:f2:cd:f7 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 347: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:f2:cd:f7 (oui Unknown), length 305
23:28:54.013386 78:8c:b5:d4:93:62 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 327: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 78:8c:b5:d4:93:62 (oui Unknown), length 285
23:28:54.013386 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013396 f4:92:bf:29:02:9c (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 322: fe80::f692:bfff:fe29:29c.41895 > ip6-allnodes.10001: UDP, length 260
23:28:54.013396 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013396 a8:6e:84:6e:c1:7f (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.1 tell 192.168.1.117, length 46
23:28:54.013396 f4:92:bf:16:13:f9 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:13f9.43899 > ip6-allnodes.10001: UDP, length 257
23:28:54.013396 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013396 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013396 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.36459 > 255.255.255.255.10001: UDP, length 257
23:28:54.013396 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013406 bc:24:11:f0:01:0b (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.7, length 46
23:28:54.013406 f4:92:bf:29:02:9c (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 322: fe80::f692:bfff:fe29:29c.42109 > ip6-allnodes.10001: UDP, length 260
23:28:54.013406 24:2f:d0:e8:9a:4e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:2f:d0:e8:9a:4e (oui Unknown), length 286
23:28:54.013406 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013406 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013406 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.43289 > 255.255.255.255.10001: UDP, length 257
23:28:54.013406 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013406 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013417 ec:71:db:f2:cd:f7 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 347: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:f2:cd:f7 (oui Unknown), length 305
23:28:54.013417 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013417 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013417 f4:92:bf:16:14:03 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:1403.46024 > ip6-allnodes.10001: UDP, length 257
23:28:54.013417 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 342: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f4:92:bf:16:14:03 (oui Unknown), length 300
23:28:54.013417 24:2f:d0:e8:9a:4e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.237, length 46
23:28:54.013417 24:2f:d0:e8:86:a1 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:2f:d0:e8:86:a1 (oui Unknown), length 286
23:28:54.013417 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013427 30:de:4b:62:14:86 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.229, length 46
23:28:54.013427 f0:09:0d:32:32:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:09:0d:32:32:f9 (oui Unknown), length 286
23:28:54.013427 80:64:7c:6d:4d:3d (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 80:64:7c:6d:4d:3d (oui Unknown), length 308
23:28:54.013427 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013428 f0:09:0d:32:32:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:09:0d:32:32:f9 (oui Unknown), length 286
23:28:54.013428 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013428 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.013428 f4:92:bf:16:13:f9 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:13f9.45391 > ip6-allnodes.10001: UDP, length 257
23:28:54.013431 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 302: 192.168.1.20.44702 > 255.255.255.255.10001: UDP, length 260
23:28:54.013431 f4:92:bf:16:13:f9 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:13f9.44314 > ip6-allnodes.10001: UDP, length 257
23:28:54.013431 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 302: 192.168.1.20.59787 > 255.255.255.255.10001: UDP, length 260
23:28:54.013431 f4:92:bf:29:02:9c (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 322: fe80::f692:bfff:fe29:29c.45501 > ip6-allnodes.10001: UDP, length 260
23:28:54.013431 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303
23:28:54.013431 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.45705 > 255.255.255.255.10001: UDP, length 257
23:28:54.013431 f0:09:0d:32:32:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:09:0d:32:32:f9 (oui Unknown), length 286
23:28:54.013431 24:2f:d0:e8:86:a1 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:2f:d0:e8:86:a1 (oui Unknown), length 286
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013996 bc:24:11:f0:01:0b (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.7, length 46
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.013996 8c:90:2d:f5:cd:e0 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.137, length 46
23:28:54.013996 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014010 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014010 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014010 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.47845 > 255.255.255.255.10001: UDP, length 257
23:28:54.014010 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.32938 > 255.255.255.255.10001: UDP, length 257
23:28:54.014010 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014010 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 302: 192.168.1.20.44412 > 255.255.255.255.10001: UDP, length 260
23:28:54.014010 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.49373 > 255.255.255.255.10001: UDP, length 257
23:28:54.014011 8c:90:2d:f5:cd:e0 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.137, length 46
23:28:54.014020 f4:92:bf:29:02:9c (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 322: fe80::f692:bfff:fe29:29c.58946 > ip6-allnodes.10001: UDP, length 260
23:28:54.014020 bc:24:11:e5:23:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 339: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from bc:24:11:e5:23:9e (oui Unknown), length 297
23:28:54.014021 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014021 00:01:2e:58:c5:c9 (oui Unknown) > 33:33:00:01:00:02 (oui Unknown), ethertype IPv6 (0x86dd), length 151: fe80::1dac:701a:43ca:5219.546 > ff02::1:2.547: dhcp6 solicit
23:28:54.014021 ec:71:db:f2:cd:f7 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 347: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:f2:cd:f7 (oui Unknown), length 305
23:28:54.014021 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014021 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014021 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014032 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303
23:28:54.014032 f4:92:bf:16:14:03 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:1403.48164 > ip6-allnodes.10001: UDP, length 257
23:28:54.014032 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014032 a4:f0:0f:5f:57:60 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a4:f0:0f:5f:57:60 (oui Unknown), length 308
23:28:54.014032 30:de:4b:62:14:86 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.229, length 46
23:28:54.014033 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 302: 192.168.1.20.33125 > 255.255.255.255.10001: UDP, length 260
23:28:54.014033 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014033 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014042 f0:09:0d:32:32:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:09:0d:32:32:f9 (oui Unknown), length 286
23:28:54.014042 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014043 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014043 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.41286 > 255.255.255.255.10001: UDP, length 257
23:28:54.014043 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014043 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014043 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303
23:28:54.014043 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014053 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014053 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303
23:28:54.014053 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014053 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014053 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014053 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.50772 > 255.255.255.255.10001: UDP, length 257
23:28:54.014053 f4:92:bf:16:14:03 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:1403.51202 > ip6-allnodes.10001: UDP, length 257
23:28:54.014053 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014064 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014064 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014064 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.60088 > 255.255.255.255.10001: UDP, length 257
23:28:54.014064 f4:92:bf:29:02:9c (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 322: fe80::f692:bfff:fe29:29c.54521 > ip6-allnodes.10001: UDP, length 260
23:28:54.014064 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014064 24:2f:d0:e8:9a:4e (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.237, length 46
23:28:54.014064 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.55327 > 255.255.255.255.10001: UDP, length 257
23:28:54.014064 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014068 a4:f0:0f:5f:57:60 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 350: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from a4:f0:0f:5f:57:60 (oui Unknown), length 308
23:28:54.014068 24:2f:d0:e8:86:a1 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from 24:2f:d0:e8:86:a1 (oui Unknown), length 286
23:28:54.014068 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303
23:28:54.014068 f4:92:bf:16:14:03 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:1403.37653 > ip6-allnodes.10001: UDP, length 257
23:28:54.014068 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.37702 > 255.255.255.255.10001: UDP, length 257
23:28:54.014068 f4:92:bf:16:13:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 299: 192.168.1.20.32769 > 255.255.255.255.10001: UDP, length 257
23:28:54.014068 f4:92:bf:16:13:f9 (oui Unknown) > 33:33:00:00:00:01 (oui Unknown), ethertype IPv6 (0x86dd), length 319: fe80::f692:bfff:fe16:13f9.59270 > ip6-allnodes.10001: UDP, length 257
23:28:54.014068 f0:09:0d:32:32:f9 (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 328: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from f0:09:0d:32:32:f9 (oui Unknown), length 286
23:28:54.014649 f4:92:bf:16:14:03 (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014650 38:a5:c9:dc:57:49 (oui Unknown) > Broadcast, 802.3, length 104: LLC, dsap Null (0x00) Individual, ssap Null (0x00) Command, ctrl 0x03: Unnumbered, ui, Flags [Command], length 104
        0x0000:  0000 0344 6561 7220 7377 6974 6368 6573  ...Dear.switches
        0x0010:  2c20 7765 2764 206c 696b 6520 746f 2064  ,.we'd.like.to.d
        0x0020:  7261 7720 796f 7572 2061 7474 656e 7469  raw.your.attenti
        0x0030:  6f6e 2074 6f20 7468 6520 6661 6374 2074  on.to.the.fact.t
        0x0040:  6861 7420 6164 6472 6573 7320 3338 3a61  hat.address.38:a
        0x0050:  353a 6339 3a64 633a 3537 3a34 3920 6861  5:c9:dc:57:49.ha
        0x0060:  7320 6d6f 7665 642e                      s.moved.
23:28:54.014650 f4:92:bf:29:02:9c (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.1.89 tell 192.168.1.20, length 46
23:28:54.014650 f4:92:bf:16:13:f9 (oui Unknown) > 01:00:5e:00:00:16 (oui Unknown), ethertype IPv4 (0x0800), length 60: 192.168.1.20 > igmp.mcast.net: igmp v3 report, 1 group record(s)
23:28:54.014650 bc:24:11:f0:01:0b (oui Unknown) > Broadcast, ethertype ARP (0x0806), length 60: Request who-has 192.168.50.1 tell 192.168.50.7, length 46
23:28:54.014650 ec:71:db:df:13:9e (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 345: 0.0.0.0.68 > 255.255.255.255.67: BOOTP/DHCP, Request from ec:71:db:df:13:9e (oui Unknown), length 303

You can (efficiently) drop incoming multicast packets, which look a lot like network noise
Seave following as a file in /etc/nftables.d named whatever.nft

chain raw_prerouting {
  type filter hook prerouting priority raw; policy accept;
  fib daddr type multicast counter drop
}

then reload firewall
then install htop and have a look at haviest (by cpu total / cpu% / rss)
press ctrl-s and show top few processes, maybe we are able to figure out which is culprit (ctrl-q to release)

Hi
Thanks! i do as you suggest but the problem remains.

This ist my top5 Process with htop:

Htop_Dnsmasq1541×346 29.4 KB

As you can see dnsmasq take 74 bis 80 % of my Router CPU.

Maybe the Problem ist dnsmasq?
What can i do ?

Thanks for you help