In need of help to solve a bandwidth issue
-
In a pfSense console session run pftop to get dynamic display of current firewall states (connections). Type h too get a display of the options. The R option should sort connections on rate and that should give you some clues about who is using the bandwidth.
-
True. I forgot that about your post. Let me run this by some of my colleagues at work and see if I can give you a better hint.
Thanks for this.. looking forward to what you come up with..
-
In a pfSense console session run pftop to get dynamic display of current firewall states (connections). Type h too get a display of the options. The R option should sort connections on rate and that should give you some clues about who is using the bandwidth.
I have done this, at a time when the WAN says 20mb usage, and below is what i see, i can't understand it well enough to see if it actually gives me an answer or not (i see alot of INBOUND traffic with port 127.0.0.1:3128 (squid Proxy Port).. is that my problem? and what uses that port?)
Getting confused with what In and Out refer to here..
-
Squid uses 3128 by default.
-
In and Out are interface related - so a download will generally be In on WAN and Out on LAN (and so on).
-
Right, just saw that in my squid config. So, what i am not understanding is this… if it is possibly ptp traffic, wouldnt that show up on the Traffic Graph also on the LAN interface, where all my clients are connected? This high WAN usage issue to me seems like i am leaking bandwidth somehow, somewhere.. cause the LAN interface is always quite low in usage, but just the WAN is max'd. Does that pftop output make any sense to you?
-
Have you looked at the reverse DNS (rDNS) and WhoIS of the highest volume remote nodes? The top 2 I picked both related to Google services.
What is 192.168.10.240, since it seems associated with some of the highest transfers, through Squid.
-
@Cry:
Have you looked at the reverse DNS (rDNS) and WhoIS of the highest volume remote nodes? The top 2 I picked both related to Google services.
What is 192.168.10.240, since it seems associated with some of the highest transfers, through Squid.
192.168.10.240 is one of my clients.. who according is limited to maximum 2mb/1mb.. as are all my clients
Here is a current snapshot of my pftop… currently my WAN is showing 20mb usage.. I have no idea what is going down... all my clients are limited via captive portal to 2mb, and are also limited on my AP (wireless cliente connecting via antenna).. when this shows 20mb usage, my LAN (192.168.10.0) is showing 4mb usage
-
Three of your top 4 lines refer to 65.54.93.42 (cds39.mia9.msecn.net.). I don't know what that is - does it make sense to you?
-
No.. not at all.. Currently it is chewing up 20mb.. and that IP is no longer there in the pftop output.
-
Also, i should add that this just became more confusing.. i thought it would be some clients doing alot of ptp or torrenting or something, but i just completely turned all the clients off for 10 minutes and the bandwidth never changes, was still max'd at 20mb with no one using the box..
-
Try to change admin passwords and disable outbound ssh connection for testing
-
Ok, just changed passwords and disabled SSH.. will report back in a little while
-
Ok, so its currently back up stuck at 20mb usage.. this just makes no sense.. the LAN traffic is only 2mb usage.. Can i have been hacked or something? Is it even possible that squid or something else is using up all the bandwidth?
-
Ok, so its currently back up stuck at 20mb usage.. this just makes no sense.. the LAN traffic is only 2mb usage.. Can i have been hacked or something? Is it even possible that squid or something else is using up all the bandwidth?
Did you try and disabling squid and see if that cuts the bandwidth down?
-
Thats the only thing i havent already done.. as i am a little worried if this will delete my cache or something? Cache is something that i really need running as i havent got a great deal of bandwidth.. If its ok to disable it and then re-enable it then i'll give it shot
-
It has been a long time since I used squid. I don't think I remember if it clears it or not.
-
Just quickly.. what do you mean by 'disable' squid? I dont see a disable check bo like some other packages have.. do you mean just stop int binding to the interface? Mine currently binds to my LAN and OPT1 interface, and not my WAN interface..
-
Sorry, just stopping it will disable it until reboot or until you start it again.
-
Any idea how to STOP it? i have just done it a few times via the dashboard 'Services" widget, but it keeps just turning itself back on..
