SOLVED Traffic on WAN interface only
-
Are you running Squid? I've seen cases where the caching by Squid shows a LOT of traffic, like Windows Updates, going to WAN that doesn't go anywhere else for some reason.
-
Ok, I am stupid, LOL. I was just too quickly changing between the interfaces on the Traffic Graph. It takes a while for it to start showing the data.
However I still cannot account for about half of the outgoing traffic on one of the internal interfaces. No Squid on this install.
-
Another strange thing. Despite creating A WAN rule blocking by IP address. A very small percentage of UDP packets still come through. The packets are incoming from the Internet, and the IP is most likely spoofed.
-
State not cleared from the firewall?
Steve
-
UDP - no state. Most of the packets get blocked, just a few single ones get through…
I am going to restart the box for good measure, and test again, though.
-
Ha! good point. ::)
-
I rebooted the pfSense and the packet leak has stopped. Hmmm…
-
I'd be looking for malware on my network. I doubt seriously its a pfsense problem.
-
It is smells like a reflected attack, not amplified though, since the packets in and out are the same size. I stopped the attack at the firewall level.
I think there is an issue with pfSense traffic graph, the traffic does not add up. I think it shows exactly double outgoing the traffic for local interfaces. I am still investigating, this will take more time to accumulate the data from different network segments and add it all up.
-
Found this: https://forum.pfsense.org/index.php?topic=67295.0
-
Check the forum. There are a number of threads about double counting on the traffic graphs. I've never seen it though, it seems to happen only under specific conditions.
Ah, typed too slow! Yep that's one of them.
Steve
-
Yep - Sometimes pfsense reports traffic bandwidthh incorrectly, which is much less troubling than having a bunch of phantom traffic.
-
Thanks for your help everybody. This was a compound issue, and it looks like everything has been explained now. I appreciate the help.
