This is great!!!

If I have more interfaces to monitor I just have to duplicate the interface line changing the actual interface and ip address?

Is this OK for adding 3 VLANS ?

interface vtnet0 filter "ip and dst net 192.168.2.0/24 and not src net 10.0.0.0/ 8 and not 172.16.0.0/12 and not 192.168.0.0/16"; interface vtnet0.3 filter "ip and dst net 192.168.3.0/24 and not src net 10.0.0. 0/8 and not 172.16.0.0/12 and not 192.168.0.0/16"; interface vtnet3.4 filter "ip and dst net 192.168.4.0/24 and not src net 10.0.0. 0/8 and not 172.16.0.0/12 and not 192.168.0.0/16"; interface vtnet3.5 filter "ip and dst net 192.168.5.0/24 and not src net 10.0.0. 0/8 and not 172.16.0.0/12 and not 192.168.0.0/16";

I no longer see the service crashing at least for now.

I have disabled all data retention and also the following alert:

Enable Hosts Malware Blacklists
Enable alerts generated by traffic sent/received by malware-marked hosts. Overnight new blacklist rules are refreshed.

I'm letting it run for few more days and then I will enable data retention one at a time and make sure it doesn't crash… I'm under the impression the crash was caused by Enable Hosts Malware Blacklists.

Interesting.

There really shouldn't be too much to it.  I've run it on old 2.x setups and recently set it up again on 2.4.1

Here are my settings:

Enable BandwidthD should be selected

BandwidthD Interface: LAN
Subnets for Statistics Collection:  Select ALL interfaces (hold down CTRL and click) except your CARP/SYNC interface
Extra Subnets for Statistics Collection:  (Enter other subnets as needed) I have one other.
Promiscuous Mode:  Unchecked
SensorID:  <make up="" a="" name="" of="" your="" choosing="">Draw Graphs:  Checked
Meta REfresh: <default>Skip Intervals <default>Graph Cutoff: <default>Output to CDF: Unchecked
Recover CDF:  Unchecked
Graph and Log Info:  <informational>PostgreSQL Options (All Blank and Unchecked).</informational></default></default></default></make>

Are you sure those aren't the "Day" markers on the graph, and not ICMP traffic?

I'm having the same problem. Anyone figure this out?

Thanks!

During a "successful" Speedtest, I get the following output:

last pid: 46610;  load averages:  0.41,  0.25,  0.16  up 3+02:46:41    15:48:56
202 processes: 8 running, 152 sleeping, 42 waiting

Mem: 43M Active, 262M Inact, 391M Wired, 178M Buf, 7192M Free
Swap: 8192M Total, 8192M Free

PID USERNAME      PRI NICE  SIZE    RES STATE  C  TIME    WCPU COMMAND
  11 root          155 ki31    0K    64K RUN    3  73.8H  88.77% [idle{idle: cpu3}]
  11 root          155 ki31    0K    64K RUN    0  73.9H  80.08% [idle{idle: cpu0}]
  11 root          155 ki31    0K    64K RUN    1  73.9H  79.59% [idle{idle: cpu1}]
  11 root          155 ki31    0K    64K RUN    2  73.8H  58.69% [idle{idle: cpu2}]
    0 root          -92    -    0K  560K CPU2    2  3:41  38.28% [kernel{igb1 que (qid 3)}]
  12 root          -92    -    0K  704K WAIT    0  14:30  18.99% [intr{irq256: igb0:que 0}]
  12 root          -92    -    0K  704K CPU1    1  14:27  15.48% [intr{irq257: igb0:que 1}]
  12 root          -92    -    0K  704K WAIT    3  15:08  7.18% [intr{irq260: igb1:que 1}]
  12 root          -92    -    0K  704K RUN    2  17:17  4.05% [intr{irq259: igb1:que 0}]
31309 nobody        23    0 14920K  5084K select  3  3:01  3.08% /usr/local/sbin/darkstat -i igb0 -b 192.168.0.1 -p 666
84405 root          21    0  263M 38676K piperd  0  0:01  0.59% php-fpm: pool nginx (php-fpm)
    0 root          -92    -    0K  560K -      1  0:02  0.20% [kernel{igb0 que (qid 0)}]
    0 root          -92    -    0K  560K -      3  2:43  0.10% [kernel{igb1 que (qid 2)}]
5207 squid          20    0  281M  132M kqread  3  38:15  0.00% (squid-1) -f /usr/local/etc/squid/squid.conf (squid)
27498 root          20    0 12696K  2356K bpf    3  2:54  0.00% /usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
  17 root          -16    -    0K    16K -      0  2:14  0.00% [rand_harvestq]
  12 root          -60    -    0K  704K WAIT    0  1:57  0.00% [intr{swi4: clock (0)}]
2954 root          20    0 10484K  2540K select  0  1:46  0.00% /usr/sbin/syslogd -s -c -c -l /var/dhcpd/var/run/log -P /var/run/syslog.pid -f /etc/syslog.conf

During an unsuccessful Speedtest with bandwidthd enabled, I get:

top: warning: process display count should be non-negative – using default
....
last pid: 17290;  load averages:  0.97,  0.48,  0.26  up 3+02:48:48    15:51:03
75 processes:  1 running, 74 sleeping

Mem: 47M Active, 260M Inact, 396M Wired, 178M Buf, 7184M Free
Swap: 8192M Total, 8192M Free

@virgiliomi:

A variety of things could explain different numbers.

DNS lookups from cache would show traffic on LAN but not WAN or OPT1.  Any other caching you might be doing (like using Squid as a cache) can also have such an effect.

Data compression on the OpenVPN connection could also cause differences.

Depending on the media of your ISP, you could be receiving a variety of broadcast traffic on WAN. There are likely external connection attempts that are being blocked by the firewall on WAN too… those still get counted as traffic on the interface.

The numbers aren't different enough that I would think there are problems. If one interface were double the amount of the other two, then I might find reason for concern... but a difference of a couple of megabytes in an hour isn't a big deal IMHO.

Thank you.  Much appreciated.

I use Squid as a transparent proxy and LightSquid for reporting web traffic. For other forms of traffic you can use ntopng though it's not intuitive. And both of these solutions are not per-user but rather per-device. If you need per-user monitoring you'll need to look at something installed on the client workstation.

It's available in 2.4.0 and on 2.3.5 snapshots.

Thanks for the info
I corrected my post…

Hi luckman212. FlowTraq Exporter works fine for me. I still have no way to run it on pfSenese. So I still run it on dedicated Windows box. The results are quite accurate, 2-3% difference with controlled measurements.

You are using outdated package version.

https://redmine.pfsense.org/issues/7649

Seeing the same error. The IP is behind the firewall so this could only be happening from an internal IP, maybe the bridge?
Any possibility to see what source IP triggered this?

That's very off-topic for this thread / board, you should post a new thread on the OpenVPN board here asking for help: https://forum.pfsense.org/index.php?board=39.0

Though if you search, there are many how-to documents out there, including those on the doc wiki.