Traffic Graph for LAN and WAN showing outside IP Addresses
-
Can you post an example, I am running 2.1 and just looked and if I pick wan it shows me my wan IP, if lan then it shows me the IP of a HOST on my lan that is sending traffic.
Prob not going much going on right at the moment on my home network - but I toggled back and forth a few times and never saw any outside IPs
Is this outside IP your IP, or you mention outside IPs - are they hosts your talking too?
-
Hi
Here are some images. I've never seen this before. I usually just see our public IP attached to the WAN or the locally assigned IP's on the LAN side. Never outside addresses.
 -
I would have to keep an eye on mine - and generate some traffic from a box to something to see what it shows. But that 2nd IP on the list is mail.carsands.com so I assume that traffic is email
But sure it would be nice if showed the IP pair ;)
I do see some private 192.168.1.105, .153 and 125 on your lan generating traffic.
-
Yea..Carsands doesn't exist. The internet says it does, but it doesn't. Trust me on that! ;)
Outside IP addresses shouldn't be visible, as far as I know from what I've seen before though.
-
let me generate some traffic and take a look see.. So I can see multiple hosts on my lan, all private IPs. And watched my wan for a while - and only ever saw my IP
But I am on a slightly older snap than you
2.1-BETA1 (i386)
built on Mon Mar 4 08:19:15 EST 2013
FreeBSD 8.3-RELEASE-p6Maybe its a new feature where they show endpoints of the conversation - but I agree with you, if going to do that then they should show both endpoints.
edit: BTW it does exist
;; ANSWER SECTION:
mail.carsands.com. 14400 IN CNAME carsands.com.
carsands.com. 14400 IN A 85.13.199.75Just that the PTR does not match the forward. So who owns that 69.57 netblock needs to remove that reverse ;)
OrgName: Cable & Wireless Antigua and Barbuda Ltd
telnet 85.13.199.75 25
Trying 85.13.199.75…
Connected to 85.13.199.75.
Escape character is '^]'.
220-server10.gserverservice.com ESMTP Exim 4.80 #2 Wed, 06 Mar 2013 21:50:35 +0000
220-We do not authorize the use of this system to transport unsolicited,
220 and/or bulk e-mail.
-
Ok, thanks..
The current way traffic graph displays the IP addresses is confusing. I hope it is fixed because I need to see who, under LAN is using what bandwidth. Introducing external metrics in the current format is well, it's not LAN. Perhaps another kind of page can be made this, like traffic connection matrix or something.
Jits.
-
I upgraded to:
2.1-BETA1 (i386)
built on Wed Mar 6 14:18:05 EST 2013
FreeBSD 8.3-RELEASE-p6The traffic graph list of top bandwidth users is listing IPs for both directions - for WAN I get my WAN IP and the IPs of external sites. For LAN I get local LAN IPs of clients, plus IPs of sites I am accessing.
As it happens, I was looking at making this display have the option to show host names, rather than just IPs. Thankfully that pull request has not been committed, so that can't have caused the issue - https://github.com/bsdperimeter/pfsense/pull/464 (Edit: I just updated that pull request to give the user the option to display the FQDN or just the host name - seems to work nicely in conjunction with the extra feature we just got - sites that have reverse DNS available display their hostname/FQDN when selected)
Seems something else has changed in the last week or so that causes /usr/local/bin/rate to gather data in both directions and report separately. -
This looks like the feature that has changed:
https://github.com/bsdperimeter/pfsense-tools/commit/d09e8fddd50e95f731f7cef8d1db92ba1b4f2398
Now it seems to be giving back data separately about both directions.
Actually, I find that is quite handy in the display - we just need an option to display it also like it used to be, putting the traffic for both directions of a particular local (LAN…) IP together and not using the outside addresses. -
Hrm yeah that can be a consequence of the change.
Can probably change to only local hosts as it used to be before for aggregation.
-
I like the full display of bandwidth users with both the source and destination ends shown.
Maybe it would be easy to add an option to the display to filter the output to get the previous behaviour?
3 options - show all, show by source, show by destination. -
It gets complicated fast though :)
Also destination ips without resolving reverse dns are a bit vaguish on the lan/wan
-
The support for displaying reverse DNS host name or FQDN is in the code now, and it displays names for quite a few sites.
I am about to head home, so I am happy to have a look at ways to filter the rate utility output to display all/internal/external. -
I think the confusion is how do you know which outside IP is talking to which local IP. If on then its assumed those are all hosts talking to your 1 wan IP. But on the lan, it would be clearer if you showed both endpoints of the conversation on the same line.
-
https://github.com/bsdperimeter/pfsense/pull/468 - allows you to filter the display to just show the entries for local IPs, remote IPs, or all. Filter "Local" makes it look like it used to.
Adding a column so we can display source and destination address pairs on each row, and report by source/destination address pair is another thing altogether. And actually, I usually just want to see the total bandwidth that someone is using and then go and harrass them!
If someone really wants bandwidth by source/destination IP pairs then I suggest put in a request on Redmine and start working on it:) -
Note: If you are using Traffic Graph to display local host names/FQDN then it is also good to enable "Do not forward private reverse lookups" in DNS Forwarder. It is also good to enable this if you have other applications that are doing reverse DNS lookups of private addresses for which you don't actually have PTR records.
Often on the local LAN there can be many host IPs that do not have reverse DNS (PTR) entries. If this option is not enabled then those reverse DNS lookups will get forwarded to the default upstream DNServers (in most cases the real internet). Those queries will return nothing, the internet gets flooded with this rubbish and the display/application has to wait for a round-trip delay to get the negative answer. -
I just noticed some "stale" Host IPs in the traffic-graph table.
In the screen I have in front of me right now, among others it (wrongly) shows outbound traffic to 4 different IPs. These IPs belong to a local web-portal (CDN) and I connected to those 4 IPs about 15' ago, but the related states have expired (according to pfctl -ss).
-
I noticed that every now and then also. It happens when the table length reduces by more than 1 row between 1 update and the next. Seems to be a "feature" that has been in the code from day one. I believe this will fix it: https://github.com/bsdperimeter/pfsense/pull/469
-
Hi Guys,
Thanks very much for the fix. I updated via Git, but I noticed something else now…See picture attached...
WAN is selected..the graph is correct, however under the headings of Bandwidth IN and Bandwidth OUT, they don't match the graph. Bw OUT should be Bw IN and vice versa, if I'm correct.
Thanks.
 -
Now the bandwidth by IP table shows the data flowing with respect to addresses that are at both the external and internal ends of the network. So the column headings do not work either way round. For example, the screenshot shows me doing a download - the In and Out columns have the opposite figures with respect to the local machine and the server on the internet.
The column headings could be "Bandwidth From" and "Bandwidth To".
Any better suggestions for headings?
-
HI Phil,
As you can see from the attached, the bandwidth indicators are correct for ALL WAN and LOCAL LAN, but when ALL LAN is selected and LOCAL WAN, the bandwidth usage indicators are reversed and are not in sync with the graph.
Gifs attached, Just ignore me if I'm getting too "German" about the way things are displayed.
Thanks, Jits.
