
eir F2000 modem NAT at 100%

  • 18-08-2016 5:48am
    #1
    Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭


    Anyone have an insight as to why every hour my NAT usage on my eir F2000 goes up to 100% and for 3 mins the internet just stops working?

    Connection stays up only no data flows until the NAT usage drops back down to its normal level of 1 to 2% :eek:

    Thanks.


Comments

  • Registered Users, Registered Users 2 Posts: 747 ✭✭✭johnplayerblue


    At a guess I'd say it sounds something like a DHCP starvation attack. How long has it been happening?

    Have you or anyone on the LAN installed anything that might be running in the background that might be depleting your ports which would leave NAT at full tilt.

    In saying that it would take something very noticeable for this to happen as you have a lot of ports to play with and use in NAT.

    When it happens again use say the netstat cmd in a cmd box and see what ports are open and what or who is using them.

    Tcpview is a handy and I think free tool which might also help. For a home user with even a half dozen devices connected you shouldn't be above a couple %.

    Process of elimination followed by a hard reset of the F2K.
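
An added example, not part of the post above: one way to read `netstat -ano` output for this problem is to count, per process ID, the IPv4 TCP flows that leave the LAN, since those are the ones that occupy the router's NAT table. The sample output, the PIDs and the `192.168.1.0/24` LAN range are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample of `netstat -ano` output (addresses and PIDs are invented).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    127.0.0.1:5354         127.0.0.1:49680        ESTABLISHED     2100
  TCP    192.168.1.10:49701     192.168.1.1:80         ESTABLISHED     3300
  TCP    192.168.1.10:49712     203.0.113.5:443        ESTABLISHED     4321
  TCP    192.168.1.10:49713     203.0.113.6:443        ESTABLISHED     4321
  TCP    192.168.1.10:49714     198.51.100.7:6667      SYN_SENT        4321
  TCP    192.168.1.10:49720     198.51.100.9:443       TIME_WAIT       0
  TCP    [::1]:49690            [::1]:5354             ESTABLISHED     2100
  UDP    0.0.0.0:5353           *:*                                    1234
"""

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN range


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6]:port' into (ip_address, port)."""
    host, _, port = endpoint.rpartition(":")
    return ipaddress.ip_address(host.strip("[]")), int(port)


def wan_flows_by_pid(netstat_text, lan=LAN):
    """Count IPv4 TCP flows per PID that leave the LAN (the ones the router NATs)."""
    flows = Counter()
    for line in netstat_text.splitlines():
        fields = line.split()
        # TCP rows have 5 columns; headers and stateless UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] == "LISTENING":
            continue
        remote, _ = split_endpoint(fields[2])
        if remote.version != 4:  # IPv6 traffic is not translated
            continue
        if remote.is_loopback or remote.is_unspecified or remote in lan:
            continue
        flows[int(fields[4])] += 1
    return flows.most_common()  # busiest PID first


if __name__ == "__main__":
    for pid, count in wan_flows_by_pid(SAMPLE_NETSTAT):
        print(f"PID {pid}: {count} WAN-bound TCP flows")
```

The PID at the top of the list can be matched to a program name in Task Manager or Tcpview.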


  • Registered Users, Registered Users 2 Posts: 188 ✭✭Packet


    After you've identified whatever is driving up the NAT usage you could have traffic bypass the NAT by turning on dual-stack.
    Internet tab->Internet settings->WAN interface->IP protocol version->"IPv4+IPv6".
    Traffic to/from the growing list of sites on IPv6 will bypass the NAT.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    I'd hazard a guess it's not the NAT queue that's actually the problem. If the next hop is going dead packets will queue up not because the F2000 can't handle the translations but because they've nowhere to go.

    Check your error correction numbers and see if they spike when it happens.


  • Registered Users, Registered Users 2 Posts: 747 ✭✭✭johnplayerblue


    ED E wrote: »
    I'd hazard a guess it's not the NAT queue that's actually the problem. If the next hop is going dead packets will queue up not because the F2000 can't handle the translations but because they've nowhere to go.

    The above explanation is in all probability more likely to be the cause of your NAT issue.

    Man I have to stop thinking so locally.

    NAT on a consumer grade device requires little to zero input from a user and even more so in the case of the F2K.

    It really is a network function/service that requires very little interaction once configured even on high end equipment. And so I'd agree with the above/previous poster that it's more likely than not a destination (Eir) rather than source (F2K) issue.

    Might be time to give Eir a bell if it continues.

    You don't live near me by any chance? I was reading a very interesting post very recently about how a user sharing the same exchange has the potential to deplete all available public IP address which could be the cause of your NAT issues.

    Just a thought :)


    Be interesting to hear back what the resolution was. NAT as I said is usually rock solid.


  • Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭god's toy


    At a guess I'd say it sounds something like a DHCP starvation attack. How long has it been happening?

    Have you or anyone on the LAN installed anything that might be running in the background that might be depleting your ports which would leave NAT at full tilt.

    In saying that it would take something very noticeable for this to happen as you have a lot of ports to play with and use in NAT.

    When it happens again use say the netstat cmd in a cmd box and see what ports are open and what or who is using them.

    Tcpview is a handy and I think free tool which might also help. For a home user with even a half dozen devices connected you shouldn't be above a couple %.

    Process of elimination followed by a hard reset of the F2K.


    It also coincided with my dial tone/phone line went under two weeks ago however the internet still worked even though I couldn't make phone calls through the phone line... But when the line was fixed the problem didn't go away
    On scanning my PC last night (pc was in safe mode) was the first time in two weeks it didn't happen... Makes me think it's something in my pc. It's usually every hour to the second it comes back..


  • Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭god's toy


    Packet wrote: »
    After you've identified whatever is driving up the NAT usage you could have traffic bypass the NAT by turning on dual-stack.
    Internet tab->Internet settings->WAN interface->IP protocol version->"IPv4+IPv6".
    Traffic to/from the growing list of sites on IPv6 will bypass the NAT.

    Will be trying that too. Thanks.

    Already tried a hard reset but didn't help.


  • Registered Users, Registered Users 2 Posts: 36,170 ✭✭✭✭ED E


    You don't live near me by any chance? I was reading a very interesting post very recently about how a user sharing the same exchange has the potential to deplete all available public IP address

    Wouldn't impact him unless his modem was off/disconnected for an hour or so.
    god's toy wrote: »
    It also coincided with my dial tone/phone line went under two weeks ago however the internet still worked even though I couldn't make phone calls through the phone line... But when the line was fixed the problem didn't go away
    On scanning my PC last night (pc was in safe mode) was the first time in two weeks it didn't happen... Makes me think it's something in my pc. It's usually every hour to the second it comes back..

    Running windows 8 or 10? I've seen from my logs that 8/10 machines can go absolutely bat**** and spam UPnP requests. This could come under the umbrella of NAT. Never tracked down what service was triggering them.
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 23:10:55
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 23:10:54
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:53:02
    [UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:59
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:52
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:51
    [UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:50
    [UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:49
    [UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:50:26
    [UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:50:26
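
An added example, not part of the post above: a parser for the router log lines quoted in that post, which totals `add_nat_rule` and `del_nat_rule` events per source address and reports the largest burst inside a sliding window. The 60-second window and the function names are assumptions chosen for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# The ten log lines from the post above (leading "[" restored on the first one).
SAMPLE_LOG = """\
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 23:10:55
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 23:10:54
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:53:02
[UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:59
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:52
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:51
[UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:50
[UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:52:49
[UPnP set event: add_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:50:26
[UPnP set event: del_nat_rule] from source 192.168.2.4, Friday, March 04,2016 22:50:26
"""

# The opening "[" is left out of the pattern so a line that lost it still matches.
LINE_RE = re.compile(
    r"UPnP set event: (?P<action>add_nat_rule|del_nat_rule)\] from source "
    r"(?P<src>[\d.]+), \w+, (?P<ts>\w+ \d{2},\d{4} \d{2}:\d{2}:\d{2})"
)


def parse_events(log_text):
    """Return (timestamp, source, action) tuples, oldest first; skip other lines."""
    events = []
    for m in LINE_RE.finditer(log_text):
        ts = datetime.strptime(m["ts"], "%B %d,%Y %H:%M:%S")
        events.append((ts, m["src"], m["action"]))
    return sorted(events)


def summarize(events, window=timedelta(seconds=60)):
    """Per source: add/del totals, rules left open, and peak events in any window."""
    by_src = defaultdict(list)
    for ts, src, action in events:
        by_src[src].append((ts, action))
    report = {}
    for src, items in by_src.items():
        counts = Counter(action for _, action in items)
        peak = start = 0
        for end, (ts, _) in enumerate(items):
            while ts - items[start][0] > window:  # drop events older than the window
                start += 1
            peak = max(peak, end - start + 1)
        adds, dels = counts["add_nat_rule"], counts["del_nat_rule"]
        report[src] = {"adds": adds, "dels": dels, "net": adds - dels, "peak": peak}
    return report
```

A source whose `net` keeps growing across a longer log is adding port mappings faster than it removes them, and a high `peak` marks the bursts to line up against the times the NAT gauge climbs.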
    


  • Registered Users, Registered Users 2 Posts: 747 ✭✭✭johnplayerblue


    god's toy wrote: »
    It's usually every hour to the second it comes back..

    That timing pattern sounds very very suspicious. It has all the hallmarks of malware using your machine to launch DDOS attacks. That's a worst case scenario. However, the timing aspect I don't like the sound of.


    ED E's suggestion still sounds the more likely cause. If you can, try and get a spare machine from a friend or if you have one that you're 100% positive hasn't connected to your network since the problem started and try using that to see if you get the same result.

    Make sure to physically remove your ethernet cable and or remove/disable your wireless on both computer, laptop and F2000. Make sure the new machine is the only device connected and see what happens.

    It's an unusual sounding problem. Isolate all machines and use the borrowed one. This method could save you a whole lot of time and narrow down the problem. Hopefully it's just a matter of calling Eir.

    Just make sure phones, tablets and all existing machines are in NO WAY connected before you plug the test machine into your modem. Again, process of elimination.


  • Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭god's toy


    Yep I have a laptop that hasn't been booted in 6 months so that should be free.
    When I get home, first I will make sure the problem is still there then pull the cables and kill the wifi and then connect the backup laptop.

    Will report back.

    Thanks everyone.


  • Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭god's toy


    Packet wrote: »
    After you've identified whatever is driving up the NAT usage you could have traffic bypass the NAT by turning on dual-stack.
    Internet tab->Internet settings->WAN interface->IP protocol version->"IPv4+IPv6".
    Traffic to/from the growing list of sites on IPv6 will bypass the NAT.


    FYI I have turned on dual stack IPv4+IPv6 in the settings

    Tonight when I came home, it was at 100% before I had logged into the main computer tonight.
    I pulled the network cables but it stayed at 100%
    I restarted it and it sat at 10% for about 10 minutes before dropping to 5% for another 10 and it's now sitting at 3% for the last half an hour.

    Memory is at 75% and cpu jumps between 9% and 22%


  • Registered Users, Registered Users 2 Posts: 747 ✭✭✭johnplayerblue


    Those mem and cpu numbers sound about normal for that modem.

    Sounds like the worst case scenario isn't so which is a good thing.

    It also sounds like a call to Eir needs to be made. I wouldn't complicate things any by mentioning anything about mem or cpu. Just ask about the NAT issue and loss of service. More often than not it's best to stick to the point when dealing with tech support.

    Mind you it still sounds like an odd problem. Add to that the fact that you could set your watch by when it's going to happen again sounds a little odd. They'll have logs which will show up error correction numbers and the like. I dealt with Eircom more than once and by and large they are pretty good if you're an Eir customer.


  • Registered Users, Registered Users 2 Posts: 4,241 ✭✭✭god's toy


    So tonight I formatted the main computer and it looks to have stopped.

    Last night's testing was inconclusive as the main pc was disconnected just as the NAT was starting to rise but it didn't stop it. In the end I said this build is a few years old so I may as well format out and rebuild and see if it comes back.

    So far we are three hours in and it's been sitting down in the 1 to 3% mark.
    Have changed passwords too as at this stage I don't know what the heck could be compromised.

