Massive (>16TB) WAN traffic and almost no LAN traffic

Cutha

Hi,

I have searched for any hint of similar problems and I came up with one on this forum but the resolution was no help to me. I apologize if I have missed other posts regarding the same type of issue; unfortunately this is far enough beyond my understanding that I don't really even know what to search for.

My entire household went on Vacation July 31st and returned in the early AM of the 17th of August. I went to check my broadband bill today and noticed that there was an alarming amount of data consumption for August, 17TB! I called up our provider and they were of no help whats so ever. Luckily pfSense has historical records and they showed the crazy consumption started a few days after we left the house and stopped around the time we got home.

I tried to track down the computer that was using all that data but the WAN usage does not even remotely match the LAN usage for those two weeks.

It has been about 2 years since I went seriously over my usage cap and as a reward for that my ISP suspended our service for 3 or 4 days…

Anyway, hopefully the pictures tell a story that somebody can understand and than explain to me.

I am using pfSense 1.2.3, it is a very simple setup with two interfaces. I plan on updating it in the next month or so to the newest version.

Thanks for any help you may be able to provide and for reading my post.

Seamus
![17TB in 2 weeks.jpg](/public/imported_attachments/1/17TB in 2 weeks.jpg)
![17TB in 2 weeks.jpg_thumb](/public/imported_attachments/1/17TB in 2 weeks.jpg_thumb)
![pfSense WAN Traffic.JPG](/public/imported_attachments/1/pfSense WAN Traffic.JPG)
![pfSense WAN Traffic.JPG_thumb](/public/imported_attachments/1/pfSense WAN Traffic.JPG_thumb)
![pfSense LAN Traffic.JPG](/public/imported_attachments/1/pfSense LAN Traffic.JPG)
![pfSense LAN Traffic.JPG_thumb](/public/imported_attachments/1/pfSense LAN Traffic.JPG_thumb)
![pfSense WAN Packets.JPG](/public/imported_attachments/1/pfSense WAN Packets.JPG)
![pfSense WAN Packets.JPG_thumb](/public/imported_attachments/1/pfSense WAN Packets.JPG_thumb)
![pfSense LAN Packets.JPG](/public/imported_attachments/1/pfSense LAN Packets.JPG)
![pfSense LAN Packets.JPG_thumb](/public/imported_attachments/1/pfSense LAN Packets.JPG_thumb)
![pfSense WAN Quality.JPG](/public/imported_attachments/1/pfSense WAN Quality.JPG)
![pfSense WAN Quality.JPG_thumb](/public/imported_attachments/1/pfSense WAN Quality.JPG_thumb)

john.lucero

Did you found out what pc is it? and what services that running to it?

Cutha

Nope, there is no corresponding traffic on the LAN.

Harvy66

Got Squid installed? That's notorious for this kind of stuff, especially since stuff like Windows Updates and other services use HTTP, making Squid want to cache ridiculous amounts of data.

One of the issues has been HTTP request ranges. Sometimes a service may have something like an 8GiB file, but depending on what your system needs, only a small multi MiB range will be requested. But Squid will download the entire 8GiB, then return the 8MiB chunk to you. Not sure if this still applies, but it has in the far past.