Broadcast traffic from ISP exhausting conntrack

I have a PPPoE connection configured as below:

network.wan=interface
network.wan.ifname='eth0.2'
network.wan.proto='pppoe'
network.wan.peerdns='0'
network.wan.metric='10'
network.wan.password='xxxxx'
network.wan.dns='8.8.8.8' '8.8.4.4'
network.wan.username='xxxxx'

Firewall zone config:

config zone
        option name 'wan'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option input 'DROP'
        option mtu_fix '1'
        option network 'wan wan2 wan3'

Traffic on pppoe-wan is fine, as seen in the packet dump, and the firewall INPUT policy applies.

But when I do tcpdump on eth0.2, I see broadcast UDP traffic from an IP address owned by the same ISP:

13:53:16.000207 IP 2x2.9x.8x.3x.57840 > 255.255.255.255.7777: UDP, length 153
13:53:16.000939 IP 2x2.9x.8x.3x.54355 > 255.255.255.255.7777: UDP, length 153
13:53:16.001606 IP 2x2.9x.8x.3x.59027 > 255.255.255.255.7777: UDP, length 153
13:53:16.010933 IP 2x2.9x.8x.3x.39438 > 255.255.255.255.7777: UDP, length 153
13:53:16.011405 IP 2x2.9x.8x.3x.51119 > 255.255.255.255.7777: UDP, length 153
13:53:16.011939 IP 2x2.9x.8x.3x.50290 > 255.255.255.255.7783: UDP, length 153
13:53:16.021571 IP 2x2.9x.8x.3x.41155 > 255.255.255.255.7777: UDP, length 153
13:53:16.022020 IP 2x2.9x.8x.3x.43419 > 255.255.255.255.7777: UDP, length 153
13:53:16.027471 IP 2x2.9x.8x.3x.57443 > 255.255.255.255.7777: UDP, length 153
13:53:16.027890 IP 2x2.9x.8x.3x.45020 > 255.255.255.255.7777: UDP, length 153
13:53:16.028221 IP 2x2.9x.8x.3x.33599 > 255.255.255.255.7777: UDP, length 153
13:53:16.035869 IP 2x2.9x.8x.3x.35006 > 255.255.255.255.7777: UDP, length 153
13:53:16.036303 IP 2x2.9x.8x.3x.54200 > 255.255.255.255.7783: UDP, length 153
13:53:16.036677 IP 2x2.9x.8x.3x.42414 > 255.255.255.255.7783: UDP, length 153
13:53:16.042278 IP 2x2.9x.8x.3x.36553 > 255.255.255.255.7781: UDP, length 153
13:53:16.042865 IP 2x2.9x.8x.3x.43441 > 255.255.255.255.7777: UDP, length 153
13:53:16.043143 IP 2x2.9x.8x.3x.54709 > 255.255.255.255.7777: UDP, length 153
13:53:16.048883 IP 2x2.9x.8x.3x.42064 > 255.255.255.255.7777: UDP, length 153
13:53:16.049842 IP 2x2.9x.8x.3x.40016 > 255.255.255.255.7777: UDP, length 153
13:53:16.050527 IP 2x2.9x.8x.3x.52474 > 255.255.255.255.7777: UDP, length 153
13:53:16.050806 IP 2x2.9x.8x.3x.44512 > 255.255.255.255.7777: UDP, length 153
13:53:16.051098 IP 2x2.9x.8x.3x.33929 > 255.255.255.255.7777: UDP, length 153
13:53:16.051789 IP 2x2.9x.8x.3x.50446 > 255.255.255.255.7781: UDP, length 153
13:53:16.059777 IP 2x2.9x.8x.3x.45481 > 255.255.255.255.7777: UDP, length 153
13:53:16.069020 IP 2x2.9x.8x.3x.38773 > 255.255.255.255.7777: UDP, length 153
13:53:16.069888 IP 2x2.9x.8x.3x.57203 > 255.255.255.255.7777: UDP, length 153
13:53:16.075331 IP 2x2.9x.8x.3x.45431 > 255.255.255.255.7777: UDP, length 153
13:53:16.080961 IP 2x2.9x.8x.3x.40398 > 255.255.255.255.7777: UDP, length 153
13:53:16.083437 IP 2x2.9x.8x.3x.39019 > 255.255.255.255.7783: UDP, length 153
13:53:16.084224 IP 2x2.9x.8x.3x.42246 > 255.255.255.255.7783: UDP, length 153
13:53:16.102502 IP 2x2.9x.8x.3x.50498 > 255.255.255.255.7777: UDP, length 153
13:53:16.102871 IP 2x2.9x.8x.3x.40983 > 255.255.255.255.7781: UDP, length 153
13:53:16.103203 IP 2x2.9x.8x.3x.35621 > 255.255.255.255.7777: UDP, length 153
13:53:16.107508 IP 2x2.9x.8x.3x.42484 > 255.255.255.255.7777: UDP, length 153
13:53:16.108085 IP 2x2.9x.8x.3x.48536 > 255.255.255.255.7783: UDP, length 153
13:53:16.119025 IP 2x2.9x.8x.3x.53749 > 255.255.255.255.7783: UDP, length 153
13:53:16.119496 IP 2x2.9x.8x.3x.41059 > 255.255.255.255.7777: UDP, length 153
13:53:16.123973 IP 2x2.9x.8x.3x.59927 > 255.255.255.255.7777: UDP, length 153
13:53:16.125280 IP 2x2.9x.8x.3x.34545 > 255.255.255.255.7781: UDP, length 153
13:53:16.136031 IP 2x2.9x.8x.3x.47502 > 255.255.255.255.7777: UDP, length 153
13:53:16.145226 IP 2x2.9x.8x.3x.43860 > 255.255.255.255.7777: UDP, length 153
13:53:16.146005 IP 2x2.9x.8x.3x.59849 > 255.255.255.255.7777: UDP, length 153
13:53:16.149948 IP 2x2.9x.8x.3x.57230 > 255.255.255.255.7777: UDP, length 153
13:53:16.150804 IP 2x2.9x.8x.3x.55460 > 255.255.255.255.7777: UDP, length 153
13:53:16.151218 IP 2x2.9x.8x.3x.44835 > 255.255.255.255.7777: UDP, length 153
13:53:16.151449 IP 2x2.9x.8x.3x.53129 > 255.255.255.255.7777: UDP, length 153
13:53:16.151926 IP 2x2.9x.8x.3x.60766 > 255.255.255.255.7777: UDP, length 153
13:53:16.152536 IP 2x2.9x.8x.3x.44695 > 255.255.255.255.7777: UDP, length 153

The rate is approx 50 requests per second.

conntrack -L shows the following:

udp      17 45 src=2x2.9x.8x.3x dst=255.255.255.255 sport=54545 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=54545 packets=0 bytes=0 mark=16128 use=1
udp      17 26 src=2x2.9x.8x.3x dst=255.255.255.255 sport=45901 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=45901 packets=0 bytes=0 mark=16128 use=1
udp      17 58 src=2x2.9x.8x.3x dst=255.255.255.255 sport=37610 dport=7777 packets=3 bytes=543 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=37610 packets=0 bytes=0 mark=16128 use=1
udp      17 7 src=2x2.9x.8x.3x dst=255.255.255.255 sport=39670 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=39670 packets=0 bytes=0 mark=16128 use=1
udp      17 15 src=2x2.9x.8x.3x dst=255.255.255.255 sport=60739 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=60739 packets=0 bytes=0 mark=16128 use=1
udp      17 56 src=2x2.9x.8x.3x dst=255.255.255.255 sport=48340 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=48340 packets=0 bytes=0 mark=16128 use=1
udp      17 32 src=2x2.9x.8x.3x dst=255.255.255.255 sport=50975 dport=7777 packets=2 bytes=362 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=50975 packets=0 bytes=0 mark=16128 use=1
udp      17 15 src=2x2.9x.8x.3x dst=255.255.255.255 sport=53364 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=53364 packets=0 bytes=0 mark=16128 use=1
udp      17 29 src=2x2.9x.8x.3x dst=255.255.255.255 sport=49431 dport=7777 packets=2 bytes=362 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=49431 packets=0 bytes=0 mark=16128 use=1
udp      17 32 src=2x2.9x.8x.3x dst=255.255.255.255 sport=42719 dport=7777 packets=2 bytes=362 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=42719 packets=0 bytes=0 mark=16128 use=1
udp      17 4 src=2x2.9x.8x.3x dst=255.255.255.255 sport=58759 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=58759 packets=0 bytes=0 mark=16128 use=1
udp      17 1 src=2x2.9x.8x.3x dst=255.255.255.255 sport=51883 dport=7783 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7783 dport=51883 packets=0 bytes=0 mark=16128 use=1
udp      17 27 src=2x2.9x.8x.3x dst=255.255.255.255 sport=36145 dport=7777 packets=2 bytes=362 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=36145 packets=0 bytes=0 mark=16128 use=1

From what I understand, pppoe-wan becomes part of the zone wan and the policies are applied there, but not on eth0.2 anymore. The broadcast traffic is not encapsulated in the PPPoE tunnel and is thus reaching eth0.2 directly.

How do I get out of this situation without involving the ISP?

You can early-drop those packets in the raw table:
iptables -t raw -I PREROUTING -i eth0.2 -s 2x2.9x.8x.3x -j DROP
Requires the package kmod-ipt-raw.


Thanks a lot!

It worked. But the IP address keeps changing.

Is there a way to apply zone wan INPUT policy on the underlying interface for pppoe-wan, which is eth0.2 here?

If I drop all the incoming traffic on eth0.2, would it affect the PPPoE encapsulated traffic?

No. iptables works at the network layer, while PPPoE is a link-layer protocol.
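The script below is an added example written for this thread; it is not code posted by anyone in the discussion and not part of OpenWrt. It does two things a router admin would want after reading the exchange above: it measures the problem from `conntrack -L` and `tcpdump` output (how many unreplied broadcast entries exist, which destination ports they hit, and the packet rate), and it builds the raw-table drop rule in a form that keys on the broadcast destination instead of the ISP's changing source address. The conntrack and tcpdump lines embedded in it are constructed samples modelled on the ones posted above (redacted source, documentation-range addresses for the unrelated flow); the interface name `eth0.2`, the `IPT_DRY_RUN` variable and the `APPLY` switch are assumptions of this example. It assumes BusyBox `sh`, `awk` and `sort` as found on OpenWrt, plus `kmod-ipt-raw` for the rule itself.

```shell
#!/bin/sh
# Added example for the OpenWrt thread above (not the thread's own code).
# Part 1: detection helpers that parse conntrack/tcpdump text.
# Part 2: raw-table mitigation keyed on the broadcast destination.

# Constructed sample of `conntrack -L` output: three UNREPLIED broadcast
# entries like the ones in the thread plus one ordinary established flow.
SAMPLE_CT='udp      17 45 src=2x2.9x.8x.3x dst=255.255.255.255 sport=54545 dport=7777 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=54545 packets=0 bytes=0 mark=16128 use=1
udp      17 1 src=2x2.9x.8x.3x dst=255.255.255.255 sport=51883 dport=7783 packets=1 bytes=181 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7783 dport=51883 packets=0 bytes=0 mark=16128 use=1
udp      17 29 src=2x2.9x.8x.3x dst=255.255.255.255 sport=49431 dport=7777 packets=2 bytes=362 [UNREPLIED] src=255.255.255.255 dst=2x2.9x.8x.3x sport=7777 dport=49431 packets=0 bytes=0 mark=16128 use=1
tcp      6 431999 ESTABLISHED src=192.168.1.10 dst=203.0.113.20 sport=51234 dport=443 packets=10 bytes=1234 src=203.0.113.20 dst=198.51.100.7 sport=443 dport=51234 packets=9 bytes=5678 [ASSURED] mark=0 use=1'

# Constructed tcpdump sample: four broadcasts 20 ms apart (i.e. 50 pkt/s).
SAMPLE_DUMP='13:53:16.000000 IP 2x2.9x.8x.3x.57840 > 255.255.255.255.7777: UDP, length 153
13:53:16.020000 IP 2x2.9x.8x.3x.54355 > 255.255.255.255.7777: UDP, length 153
13:53:16.040000 IP 2x2.9x.8x.3x.59027 > 255.255.255.255.7783: UDP, length 153
13:53:16.060000 IP 2x2.9x.8x.3x.39438 > 255.255.255.255.7777: UDP, length 153'

# Count UDP conntrack entries to the limited broadcast address that were never
# answered: exactly the entries that fill the table in the thread.
count_broadcast_unreplied() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && /dst=255\.255\.255\.255/ && /\[UNREPLIED\]/ { n++ }
        END { print n + 0 }'
}

# Per destination port breakdown of those entries, one "port count" per line.
broadcast_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "udp" && /dst=255\.255\.255\.255/ && /\[UNREPLIED\]/ {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^dport=/) { split($i, kv, "="); c[kv[2]]++; break }
        }
        END { for (p in c) print p, c[p] }' | sort
}

# Packets per second of broadcast traffic in a tcpdump capture, computed from
# the first and last timestamp (HH:MM:SS.uuuuuu) using integer microseconds.
broadcast_pps() {
    printf '%s\n' "$1" | awk '
        $2 == "IP" && /> 255\.255\.255\.255\./ {
            split($1, t, "[:.]")
            us = (t[1] * 3600 + t[2] * 60 + t[3]) * 1000000 + t[4]
            if (n == 0) first = us
            last = us; n++
        }
        END {
            if (n > 1 && last > first) printf "%.0f\n", (n - 1) * 1000000 / (last - first)
            else print 0
        }'
}

# The raw table PREROUTING hook runs before connection tracking, so a DROP here
# never allocates a conntrack entry. Matching the broadcast destination and UDP
# rather than the ISP host address keeps working when that address changes.
# Only plain IPv4 frames on the VLAN are affected: PPPoE session frames carry a
# different EtherType and enter netfilter on pppoe-wan after decapsulation.
raw_drop_rules() {
    ifc="${1:-eth0.2}"
    echo "iptables -t raw -I PREROUTING -i $ifc -d 255.255.255.255 -p udp -j DROP"
}

# Print the commands when IPT_DRY_RUN is set, otherwise execute them (needs root).
apply_raw_drop_rules() {
    raw_drop_rules "$1" | while read -r cmd; do
        if [ -n "$IPT_DRY_RUN" ]; then echo "would run: $cmd"; else sh -c "$cmd"; fi
    done
}

# Stand-alone run: report on the samples, then show (not apply) the rule.
echo "unreplied broadcast entries: $(count_broadcast_unreplied "$SAMPLE_CT")"
echo "by destination port:"; broadcast_ports "$SAMPLE_CT"
echo "broadcast rate: $(broadcast_pps "$SAMPLE_DUMP") pkt/s"
if [ "${APPLY:-0}" = "1" ]; then apply_raw_drop_rules eth0.2
else IPT_DRY_RUN=1 apply_raw_drop_rules eth0.2; fi
```

On a live router, feed real output with `count_broadcast_unreplied "$(conntrack -L 2>/dev/null)"` and `broadcast_pps "$(tcpdump -ni eth0.2 -c 200 'dst host 255.255.255.255' 2>/dev/null)"`, and run with `APPLY=1` to install the rule. The rule deliberately stops short of the "drop everything on eth0.2" variant asked about in the last question: that variant is safe for the PPPoE session itself, but if any other interface in the zone (wan2 or wan3, whose ifnames the thread does not show) runs DHCP or static IP natively on the same VLAN, it would break that interface, so the narrower UDP-to-broadcast match is the better default.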
