Okay, so this means that your side of the PPPoE tunnel is shutting down, leaving the question, why ;).
Ah thanks, yes this rather looks like GPON, but I had thought that in GPON the downstream packets are encrypted individually for each user, so your neighbourrs PADTs should never ever show up readable on your link.
Mmmh, 44:4E:6D AVM Audiovisuelles Marketing und Computersysteme GmbH, so it seems Nokia wants to talk to a Fritzbox somewhere, you do not happen to use a secondary fritzbox as VoIP-box inside your network? Just asking, probably not...
I think we are looking at a red herring. These bad packets are received and acted upon because the interface is in the promiscuous mode, and this is because you didn't add the "-p" option to tcpdump. On the other hand, the earlier "ifconfig" output says that, without tcpdump, the interface is not in promiscuous mode. This is really confusing. Please always use the "-p" option.
Anyway, we already have a verbose tcpdump log with the "-p" option, and it does not show the PADT message. Perhaps because of the wrong filter? How about:
tcpdump -evpni eth1.3902 '(not ether[0x14:2] = 0x21 and not ether[0x14:2] = 0x57) or pppoed'
Yes, but this is GPON, and there the downstream should be individually encrypted per subscriber/ONT, so these PADTs for MACs not on his network should never reach him at all I believe?
Apparently ifconfig does not show if eth1 is in promiscuous mode or not.
Neither does ip link.
I started 'tcpdump -e -v -i eth1.3902 pppoed' for a few seconds to trigger promiscuous mode, and then compared the output of the above commands. There was no difference (except the packet counts).
ip monitor link showed up a line for start and stop, but no details hinting at promiscuous mode:
[2020-04-29 14:43:24] 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
[2020-04-29 14:43:24] link/ether c4:XX:XX:XX:XX:ed brd ff:ff:ff:ff:ff:ff
[2020-04-29 14:43:24] 48: eth1.3902@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
[2020-04-29 14:43:24] link/ether c4:XX:XX:XX:XX:ed brd ff:ff:ff:ff:ff:ff
[2020-04-29 14:43:38] 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default
[2020-04-29 14:43:38] link/ether c4:XX:XX:XX:XX:ed brd ff:ff:ff:ff:ff:ff
[2020-04-29 14:43:38] 48: eth1.3902@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
[2020-04-29 14:43:38] link/ether c4:XX:XX:XX:XX:ed brd ff:ff:ff:ff:ff:ff
only syslog said the promiscuous mode was activated and then deactivated.
Do you have any idea what sort of equipment your ISP is using as the access concentrator (i.e. PPPoE server)?
I may have seen something like this in the past, where I would lose the PPPoE session randomly from minutes up to days (very rarely got more than 10 days, usually less than 96 hours). I tried an OPNSense setup (FreeBSD based) to see whether a different PPP code heritage changed things but saw the same behaviour. I haven't seen the same behaviour for some months and my current PPPoE session has now been up for just over 35 days, so I suspect either a software update or hardware change to my ISP's AC... (and I know what AC setup they were using while I was experiencing the issue).
You'd have to ask, and you'd probably not be told (because security through obscurity ).
Have you submitted a ticket to your ISP reporting that you're receiving PADTs for a device other than yours? and the link is being terminated because of this? [I wouldn't tell them you're patching around it!]
I understand that the ISP equipment in use when I had similar symptoms was by Microtik but I don't know model numbers.
Yes, if you can find other packets that you shouldn't be getting you can call that a security issue. ISP will probably try and duck that too based on above .
At least you have a solution! BTW, in case the kernel-land patch goes nowhere you might try sending the patch to OpenWrt so it could be incorporated pending a kernel resolution.
There is a bunch of DNS, NTP, XMPP and some HTTPS packets visible (packets sent to some other MAC addr, it is the same MAC for the day, then it changes and packets for a different MAC addr start arriving).
So a couple of days short of 6 weeks the random PPPoE drops have reappeared - now had 2 in 48 hours. Will have to see whether I can apply your patch to my firmware build to see whether it helps...
The patch just adds two lines to the pppoe kernel module, so you can just build the module and insert it into the running OpenWRT system:
stop ppp (it uses the kernel module when connected): ifdown wan
rmmod pppoe
insmod /root/new_module/pppoe.ko
ifup wan
Just to be sure, you can use the verbose patch (" patch with debug output"), it prints a message when it is loaded (or first used, not sure), just so you can see that the patched module is in use (sometimes insmod loads the original module, from the /lib/modules/ folder, not sure why...).
Also note that you must use the stripped module file, not the one in the build folder! That one might crash your router.
Just compare md5sum of unchanged modules with the installed ones, to find the folder with the "correct" version.
(sorry for this if you are an openwrt build expert, it confused me on my first tries)
PS: the debug version also writes a log when a PADT is recevied, noting the destination address, so you can see of "wrong" packets arrive on your connection. (if they don't then the reason for your problem might be something else)