I have used up all my ISP download limit of 50GB in 6 days, sadly looking on the Draytek Traffic Graph, this was all too obvious with constant 1Mbps since the router last rebooted.

Looking at Data Flow monitor, I could see a Raspberry Pi with usage spikes, however having removed this and got the total data flow form all devices (Hue lights, Smappee etc.) down to less than 10Kbps, my traffic is still stuck up at around 1Mbps, which would approximately account for 50GB in 6 days.

So am I right to assume that it is my router which is creating all this traffic or have I missed something obvious?

If it is my router then what on my router would do this and what should I do?

I do not allow log into the router from the internet, DOS protection is enabled, SNMP is disabled, I have changed the strong password to another strong password, only two users defined on the router admin and system reservation.

Any pointers would be most helpful, as searching the web takes me largely to Draytek pages which seem to say Draytek routers do not suffer from all the reported exploits due to DrayOS.

Thanks, Simon

Having seen a weird issue like this before with a static IP range I had to troubleshoot - try connecting a PC directly to the WAN that the 2920 router connects to and observe with Wireshark what you see incoming.

In my case it was one IP in a static range that had apparently previously been used for bittorrent and was being spammed with bittorrent requests despite there being no server there any more. The IP wasn't even in use on the router but these packets were being sent by the ISP to the router and the router was just ignoring it, but it still used up bandwidth.

Thanks for your informative reply, which seemed to fit the data.

Fortunately / unfortunately the data I stated isn't quite right, it appears the data flow monitor values are instanteous values, whereas the traffic graph gives the value averaged over the time period, so basically I think the data flow monitor values potentially miss big data flow.

Currently it looks like the problem is all my own fault - :oops: .

I have 2 Wan connections, 1 over long range WiFi and 1 by fibre - the long range WiFi performance became unreliable (it turns out due to a bees nest on one of the antennas), so I have been running speedtest-cli every 5 minutes on 2 Raspberry Pis and using this to switch link when performance became too poor on the unlimited WiFi and swith to the limited fibre if the fibre performance was significantly better than WiFi.

Now having got home and stripped everything out, then added things back in one at a time, all was ok, until I added the speedtest system back in. It looks like speedtest-cli, downloads 30MB in order to check the speed, I had assumed it would be more like 1MB at most, but it isn't. So 30MB every 5 minutes for 6 days is 50GB, a not very clever way to eat up my limited allowance.

I don't really understand why the speedtest downloads / uploads don't show up clearly in data flow monitor, as while they are rapid/maximum throughput 30MB at 10Mbps will still take 30 seconds so should be obvious in the data flow data.

I will keep monitoring my usage and think of another way to try to respond to changes in performance between the two Wans.

Thanks, Simon