High traffic WAN, locate source on LAN
-
You can block traffic all day long - it doesn't stop traffic from coming down your pipe if requested or sent.
Blocking at the WAN doesn't do much for using up bandwidth. Even if pfSense drops it or sends it on, it's still using your pipe. You need to stop the traffic from being sent, i.e. requested, I would assume, if you're saying it's not some form of attack.
Capture the traffic and then load it up in Wireshark so you can take a look at what it actually is. It looks to be just HTTP, so not encrypted (i.e. HTTPS), so it should all be in the clear and you can see what is being requested to send to your IP.
Also look in your state tables for these IPs - you should see the IP on your side that created the state.
Do you have this agent installed on any of your machines?
http://www.akamai.com/html/solutions/client_faq.html
-
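The state-table check suggested above, as an added example that is not from the thread or from pfSense itself: a small POSIX sh/awk script that takes `pfctl -ss` output and reports which internal hosts own the states to a given remote address prefix, most states first. The sample state lines below are constructed (documentation IP ranges) to resemble FreeBSD `pfctl -ss` output with outbound NAT; interface names, addresses and the `lan_sources_for` function are assumptions. It handles the duplicate WAN/LAN entries pf keeps for one flow, and covers IPv4 states only (IPv6 addresses are bracketed in `pfctl` output and would need different splitting). Note that when a proxy such as Squid fetches on the clients' behalf, the internal side of the state is the firewall itself, so this lookup only points at the proxy.

```shell
#!/bin/sh
# Added example, not from the thread. Find which LAN host owns the states
# that talk to a given remote address prefix, using `pfctl -ss` output.
# SAMPLE_STATES is CONSTRUCTED to look like pfSense/FreeBSD `pfctl -ss`
# lines with outbound NAT (em0 = WAN, em1 = LAN are assumed names).
SAMPLE_STATES='em0 tcp 203.0.113.5:51022 (192.168.1.50:51022) -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:51023 (192.168.1.50:51023) -> 198.51.100.21:80       ESTABLISHED:ESTABLISHED
em0 tcp 203.0.113.5:51100 (192.168.1.77:51100) -> 198.51.100.20:443      ESTABLISHED:ESTABLISHED
em0 udp 203.0.113.5:53211 (192.168.1.50:53211) -> 192.0.2.53:53          MULTIPLE:SINGLE
em1 tcp 192.168.1.50:51022 -> 198.51.100.20:80       ESTABLISHED:ESTABLISHED'

# lan_sources_for REMOTE_PREFIX [STATE_TEXT]
# Prints "count internal_ip" lines, most states first, for outbound states
# whose remote side starts with REMOTE_PREFIX (e.g. "198.51.100." for a /24).
# Reads the state text from $2 if given, otherwise runs pfctl -ss (root).
lan_sources_for() {
    prefix=$1
    if [ -n "$2" ]; then
        states=$2
    else
        states=$(pfctl -ss)
    fi
    printf '%s\n' "$states" | awk -v p="$prefix" '
        {
            # Layout: iface proto src [(nat_src)] -> dst state
            # Locate the "->" token; with NAT it is field 5, without it field 4.
            for (i = 3; i <= NF; i++) if ($i == "->") break
            if (i > NF) next                       # inbound ("<-") or odd line
            if (i == 5) { src = $4; gsub(/[()]/, "", src) } else { src = $3 }
            dst = $(i + 1)
            if (index(dst, p) != 1) next           # remote side must match prefix
            split(src, a, ":"); ip = a[1]          # IPv4 only: strip the port
            # pf lists the same flow once per interface; count each flow once.
            key = $2 " " src " " dst
            if (!(key in seen)) { seen[key] = 1; n[ip]++ }
        }
        END { for (ip in n) print n[ip], ip }
    ' | sort -rn
}

# Usage on the constructed sample: who on the LAN is talking to 198.51.100.0/24?
lan_sources_for 198.51.100. "$SAMPLE_STATES"
```

On a live box run it as root without the second argument (`lan_sources_for 198.51.100.`); the prefix is a plain string match, so pass as many octets as needed to narrow the remote range.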
I basically love you… Being a pfSense newbie, I never thought of filtering the states...
I got to the bottom of this and as usual, Windows Update is the culprit...
Geniuses at Microsoft decided that WU traffic does not show up in Task Manager > Performance tab > Network, so one can have a host hogging all bandwidth via WU but still showing 0 Kbps on the client...
I knew the Akamai NetSession client works in p2p mode so I never allowed it to be installed on anything.
... so to anyone not knowing where traffic comes from, LOOK AT YOUR STATES...
Sadly I still do not understand why the FW rule (whatever action) doesn't log traffic originating from Akamai's CDN.. Could they be using some weird protocol? I dunno...
Also, Traffic Graph on the LAN interface shows nothing hinting at the client that's downloading WU stuff; perhaps you're right about the ACKs being negligible, so not really visible on the graph.
Thank you johnpoz.
-
.. someone may mark this as SOLVED as far as I'm concerned…
-
Well, that WAN rule doesn't seem like it would be firing, because the traffic is return traffic to a state.. If it was SYN traffic from that source to your WAN IP, then that rule would fire and be logged per your setting.
If your clients are requesting something, it's better to log the allow or block rule on the LAN interface to see what client is generating traffic to where, etc. I can not really think of too many examples when you would need specific deny rules on your WAN because of the default deny. You would normally only allow stuff like ICMP, or rules to allow your port forwards to work. Now I allow ping but use pfBlocker as a source filter, so you can ping my WAN unless you're listed in the spammers, bad countries list, etc.
So if you try and ping my WAN IP, and you're listed in the pfBlocker top spammers alias list, then you would not trigger that rule that allows and would fall through to the default deny.
-
I always thought FW rules would also apply to incoming traffic even if the TCP session is initiated internally.. You live and learn!
Golden advice, will cherish..
Thank you again.
-
Does anyone know why the statistics are not corresponding? This is driving me crazy!!
In my case, I also have heavy traffic coming from Akamai and I'm sure that this is not an attack…
Look at my interface statistics:
All the traffic originates from Akamai.
-
What is not matching up? Looks like you're not showing some of your interfaces..
Are you talking about the 145GB into WAN, but only 14GB out LAN? Just because you see traffic to WAN doesn't mean pfSense is going to send that traffic out the LAN, etc.. While 145 to 14 seems high.. Do you have that traffic going out a different interface other than LAN?
-
My second WAN interface is used only for failover.
However, now I discovered that this issue is related, in some way, to Squid. After I disabled Squid, the traffic graphs immediately started working appropriately.
Sorry for my bad English :-[
-
Well sure, Squid could grab all kinds of stuff and not send it to something on the LAN..
-
To locate the source on the LAN, you need to look at the Squid logs…
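The Squid-log check that the last reply points to, as an added example that is not from the thread or from the Squid or pfSense projects: a POSIX sh/awk function that sums the bytes Squid served to each LAN client from its native `access.log` format (fields: timestamp, elapsed ms, client, result/status, bytes, method, URL, ident, hierarchy/peer, content type), optionally restricted to entries fetched from a given upstream address prefix. The log lines are constructed; the `squid_top_clients` name and the `/var/squid/logs/access.log` path are assumptions, so point it at wherever your Squid package writes its log. Because the proxy makes the upstream connection on the client's behalf, this is the view the state table cannot give you when Squid is in the path.

```shell
#!/bin/sh
# Added example, not from the thread. Per-client byte totals from Squid's
# native access.log. SAMPLE_ACCESS_LOG is CONSTRUCTED (documentation IPs and
# an .invalid hostname) in the native format:
#   time elapsed client result/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG='1399022345.123    245 192.168.1.50 TCP_MISS/200 52428800 GET http://dl.example.invalid/update1.cab - HIER_DIRECT/198.51.100.20 application/octet-stream
1399022346.010    130 192.168.1.77 TCP_HIT/200 2048 GET http://www.example.invalid/ - NONE/- text/html
1399022347.500    980 192.168.1.50 TCP_MISS/200 31457280 GET http://dl.example.invalid/update2.cab - HIER_DIRECT/198.51.100.21 application/octet-stream
1399022348.250     40 192.168.1.77 TCP_MISS/200 4096 GET http://www.example.invalid/a.js - HIER_DIRECT/192.0.2.10 application/javascript'

# squid_top_clients [PEER_SUBSTRING] [LOG_TEXT]
# Prints "bytes client" per client, largest first. PEER_SUBSTRING restricts
# the sum to entries whose hierarchy/peer field contains it (e.g. a CDN
# address prefix such as "198.51.100."); an empty string means all entries.
# Reads the log from $2 if given, otherwise from the assumed pfSense path.
squid_top_clients() {
    peer=$1
    if [ -n "$2" ]; then
        log=$2
    else
        log=$(cat /var/squid/logs/access.log)
    fi
    printf '%s\n' "$log" | awk -v peer="$peer" '
        NF < 9 { next }                               # skip truncated lines
        peer != "" && index($9, peer) == 0 { next }   # keep only the chosen upstream
        { total[$3] += $5 }                           # bytes sent to this client
        END { for (c in total) printf "%d %s\n", total[c], c }
    ' | sort -rn
}

# Usage on the constructed sample: who pulled the most from 198.51.100.0/24?
squid_top_clients 198.51.100. "$SAMPLE_ACCESS_LOG"
```

The bytes field counts what Squid delivered to the client, so a cache hit (`TCP_HIT`) adds to the client's total without any upstream fetch; filter on the peer field, as above, when the question is which client caused the WAN traffic.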