mattmcspirit
Occasional Visitor
Hi folks,
Long time reader, first time poster here, and I'm really hopeful someone on here can help. I'm running an RT-AC86U as my primary router at home, and that's hooked up to a Motorola MB8600 DOCSIS 3.1 Modem, on Wave Broadband (West Coast ISP), internet only package, 250Mb. The RT-AC-86U has been running Asuswrt-merlin for a long time now, and it's been rock solid (really fantastic work, thank you and kudos to all of you that contribute).
Our usage, according to Wave's online portal, generally falls in the range of 270-350GB for a regular month. Like many of you, plenty of devices connected, Fire TVs, Xbox, PS4, iPhones, Laptops etc, but I don't download games, no online gaming, and i'd say streaming patterns are normal to low - an hour or two a day.
Fast forward to early January, and I check out our Wave usage for December, and it's showing 595GB. What made this more confusing, was that the house was empty from the 13th-26th December. We live in a sleepy suburb of a few houses, so someone compromising the (strong Wi-Fi and even stronger router password) network seems slim, and many of the devices were off (as in unplugged), like the Xbox and PS4, so no unexpected big game downloads etc.
On the 86U, i did have 'Respond to ping on WAN' enabled (for UptimeRobot), and I wasn't using DOS Protection, so I guess it could have been traffic generated that way, but at this stage, I can't prove that. I didn't have Traffic Monitor/Analyzer enabled/configured. I also didn't have SSH accessible from WAN, just the LAN.
So, in early January, I reset Wi-Fi passwords (even stronger/longer), updated to the latest firmware (i was one behind the latest), configured USB support for logs, and enabled Traffic Monitor/Analyzer. Since then, I've been getting what I believe to be accurate readings of our usage at the router level, however, they aren't lining up with what Wave's portal shows again. Wave's showing higher usage.
To add an extra layer of monitoring, between the modem and the AC86U, I added an N66U, factory reset, running the latest available merlin build, configured purely for WAN/LAN and no Wi-Fi, and the only device plugged into the N66U, is the AC86U. Lan port on the N66U, to WAN port on the AC86U. USB and logging set up correctly, and although the traffic monitor on the N66U isn't as detailed (specifically not having Traffic Analyzer), I am using Traffic Monitor. NAT Acceleration is disabled. Respond to WAN is disabled, SSH on LAN only, very strong credentials etc. All ports are closed based on online port scans. I've been tracking results in a table for the last few days (since I added the N66U)
As you can see, Wave's usage is showing gain of 13-14GB per day, yet the AC86U is showing lower than this, but more specifically, the N66U, which if you recall, is the router connected to the MB8600 modem, shows higher usage than the AC86U. This varies from 500MB on 1/12, to 1.5GB difference on 1/14. This router data is gathered from the 'Daily' view, on the Traffic Monitor page on each respective router. Interestingly, it's the download usage that varies between the devices - the upload data is typically within ~10MB.
So, the AC86U is measuring all the traffic, up and down, from my devices, and yet either the AC86U itself is generating/consuming data for it's own use (not tracked in traffic monitor) or it's the N66U generating/consuming data for it's own use, that would account for the difference between the 2 routers.
I don't intend running this configuration for the long term, i'm just trying to figure out where this data consumption is coming from.
What made this more interesting, is that i read this a few days back: https://forums.xfinity.com/t5/Your-Home-Network/Unusually-high-data-usage-megathread/m-p/3297788/highlight/true#M314094, specifically relating to the modem model I have, so I wonder if that could be a cause.
Either way, I'm hopeful someone can offer some advice as to what to check - logs on the N66U show a large number of dropped packets (I configured the firewall to log the drops), so I wonder if I was hit in December due to having the 'Ping from WAN' enabled, but outside of that, If anyone has any suggestions on the data usage tracking, and also why the 2 routers report differently, it would be much appreciated.
Long time reader, first time poster here, and I'm really hopeful someone on here can help. I'm running an RT-AC86U as my primary router at home, and that's hooked up to a Motorola MB8600 DOCSIS 3.1 Modem, on Wave Broadband (West Coast ISP), internet only package, 250Mb. The RT-AC-86U has been running Asuswrt-merlin for a long time now, and it's been rock solid (really fantastic work, thank you and kudos to all of you that contribute).
Our usage, according to Wave's online portal, generally falls in the range of 270-350GB for a regular month. Like many of you, plenty of devices connected, Fire TVs, Xbox, PS4, iPhones, Laptops etc, but I don't download games, no online gaming, and i'd say streaming patterns are normal to low - an hour or two a day.
Fast forward to early January, and I check out our Wave usage for December, and it's showing 595GB. What made this more confusing, was that the house was empty from the 13th-26th December. We live in a sleepy suburb of a few houses, so someone compromising the (strong Wi-Fi and even stronger router password) network seems slim, and many of the devices were off (as in unplugged), like the Xbox and PS4, so no unexpected big game downloads etc.
On the 86U, i did have 'Respond to ping on WAN' enabled (for UptimeRobot), and I wasn't using DOS Protection, so I guess it could have been traffic generated that way, but at this stage, I can't prove that. I didn't have Traffic Monitor/Analyzer enabled/configured. I also didn't have SSH accessible from WAN, just the LAN.
So, in early January, I reset Wi-Fi passwords (even stronger/longer), updated to the latest firmware (i was one behind the latest), configured USB support for logs, and enabled Traffic Monitor/Analyzer. Since then, I've been getting what I believe to be accurate readings of our usage at the router level, however, they aren't lining up with what Wave's portal shows again. Wave's showing higher usage.
To add an extra layer of monitoring, between the modem and the AC86U, I added an N66U, factory reset, running the latest available merlin build, configured purely for WAN/LAN and no Wi-Fi, and the only device plugged into the N66U, is the AC86U. Lan port on the N66U, to WAN port on the AC86U. USB and logging set up correctly, and although the traffic monitor on the N66U isn't as detailed (specifically not having Traffic Analyzer), I am using Traffic Monitor. NAT Acceleration is disabled. Respond to WAN is disabled, SSH on LAN only, very strong credentials etc. All ports are closed based on online port scans. I've been tracking results in a table for the last few days (since I added the N66U)
As you can see, Wave's usage is showing gain of 13-14GB per day, yet the AC86U is showing lower than this, but more specifically, the N66U, which if you recall, is the router connected to the MB8600 modem, shows higher usage than the AC86U. This varies from 500MB on 1/12, to 1.5GB difference on 1/14. This router data is gathered from the 'Daily' view, on the Traffic Monitor page on each respective router. Interestingly, it's the download usage that varies between the devices - the upload data is typically within ~10MB.
So, the AC86U is measuring all the traffic, up and down, from my devices, and yet either the AC86U itself is generating/consuming data for it's own use (not tracked in traffic monitor) or it's the N66U generating/consuming data for it's own use, that would account for the difference between the 2 routers.
I don't intend running this configuration for the long term, i'm just trying to figure out where this data consumption is coming from.
What made this more interesting, is that i read this a few days back: https://forums.xfinity.com/t5/Your-Home-Network/Unusually-high-data-usage-megathread/m-p/3297788/highlight/true#M314094, specifically relating to the modem model I have, so I wonder if that could be a cause.
Either way, I'm hopeful someone can offer some advice as to what to check - logs on the N66U show a large number of dropped packets (I configured the firewall to log the drops), so I wonder if I was hit in December due to having the 'Ping from WAN' enabled, but outside of that, If anyone has any suggestions on the data usage tracking, and also why the 2 routers report differently, it would be much appreciated.
