Someone is using a lot of bandwidth, who is it?

wrtfan · April 28, 2022, 10:27am

I check the real time connections tab. I see a ipv6 source and destination with a lot of transfer.

There are a lot of users in our network but the network becomes unresponsive from time to time which I try to fix.

This ipv6 address is not in the list of Active DHCPv6 Leases.

How is it possible that that ipv6 address is not in the list of Active DHCPv6 Leases?

How can I figure out who it is (hostname) ?

Is it possible to get the mac address of the unknown ipv6 address somehow ?

This 'device/person' is using about 95 percent of our bandwidth ;/

I hope someone can help me !

slh · April 28, 2022, 10:44am

SLAAC addresses (android) aren't known to odhcpd and therefore won't be listed. Modern smartphones randomize their MAC addresses by default, so that won't help you much either.

Ban the IP/ user (keep in mind, they can/ will easily change the MAC), change access credentials, wait for complaints.

The wireless side will be easier to control than 'unattended' ethernet ports, for the later you'd need managed switches. Consider ieee802.1x (wired with managed switches and wireless) for the future radius accounting (individual per-user accounts) and quotas (all of which will imply a steep learning curve).

nlbwmon might help you identify the MAC.

wrtfan · April 28, 2022, 10:46am

Thanks for the response.

How can I check the MAC adress of the ipv6 user ? (even tough it might change) ?

I think I will block it.

angola1 · April 28, 2022, 10:47am

you can install luci-app-nlbwmon it's bandiwdth monitor it will help you indentify which one uses the highest amount of bandwidth

richb-hanover-priv · April 28, 2022, 10:58am

Good thoughts already coming in. Here are two others for your review, although these will be more work than the previous suggestions...

YAMON is an add-on for OpenWrt (and DD-WRT, and other routers) that uses iptables to record who's sending what to whom. It displays traffic charts by device. Cons: It's a pain in the patootie to install, doesn't seem to be maintained (I still use the 3.4.7 version), and probably won't work on OpenWrt 22.03 which has switched to nftables...
netflow "exports" data from your router about what packets are flowing and sends the summary to a separate "netflow collector" program that displays traffic patterns. I currently use the OpenWrt_softflowd_ package to do this. I wrote a series of blog articles about configuring softflowd and various netflow collector programs at: Netflow Collectors for Home Networks

slh · April 28, 2022, 11:01am

That's why I'd recommend luci-app-nlbwmon, it may not be perfect, but it's an easy start (at most you'll have to increase the memory limits and configure persistent external storage for the database). It does work with fw4/ nftables.

moeller0 · April 28, 2022, 11:07am

Maybe sqm with cake configured for per-IP fairness can solve the issue without having to locate the "offender", because if everybody does not get more than their fair capacity share the "offense" will cease to exist? The only way to game the per-IP-fairness is to use many IP addresses in parallel, which only works well for IPv6 and I doubt your offender will do this.

Other than that `iftop -i br-lan' should give you an online updated view of internal and external address pairs and the according instantaneous traffic, sorted by magnitude, which might help in quickly finding the IPv6 address that hogs the capacity?

lleachii · April 28, 2022, 1:09pm

ip -6 neigh

system · May 8, 2022, 1:10pm

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.