I'm currently blocking nearly 1000 high-volume inbound hosts (those that sent amprgw more than 10,000 packets a minute at the times of sampling), which may account for some of the change of traffic you're seeing get through the router.
None of the gateways are on that block list, so that doesn't account for the drop in inbound encap traffic.
I'm usually seeing around 20 million packets a minute (about 25 MB/s) at the inbound interface. Your 10-15 packets a minute is an awfully small amount to leak through. I must be doing a good job of filtering. - Brian
On Thu, May 18, 2017 at 09:46:55AM +0300, Marius Petrescu wrote:
The volume did not change (some 10-15 packets per minute), just the type.
I suspected at some point that there is a network using 44 addresses internally, had some leaks on them and that the garbage (DNS replies, ICM rejects, IP fragments and such stuff) were the replies from hosts on the internet receiving that traffic and sending replies back via the ampr-gw.
These are gone at the moment.