Assimetric Bandwidth usage WAN - LAN

ploquets

Hi!

I'm dealing with a kind of problem that is new to me.

We order a 20Mbps link with our local ISP and WAN traffic graph does show that they are delivering.

As you can see here:

But, when I go to LAN graph, is not symmetric  with WAN, which leads me to a problem to not know who are using our bandwidth.

Then I even went to SSH and I tried to see via iftop with this command:

iftop -m 20m -p -i re1

re1 is our LAN interface

But not a sign of this kind of traffic…
Any other options to find out ?

Thanks

jimp

That would indicate it's the firewall itself using the bandwidth in some way. I'd look at packages you have installed. If you have squid, that is likely the culprit.

Aburger

Will NAT also cause this? I have the same issue that happens when I turn on NAT

jimp

No.

ploquets

@Aburger:

Will NAT also cause this? I have the same issue that happens when I turn on NAT

YES, we do use Squid…. how to monitor traffic by IP ? inside Squid ?

m4kin

@jimp:

No.

My Squid is doing the same thing, he uses 90mb/s and the lan is using 20 mb/s.
If I turn squid off… the consume goes down... and normalizes... if I turn it on... goes up again.

Any tips of what to do?

ploquets

@jimp:

That would indicate it's the firewall itself using the bandwidth in some way. I'd look at packages you have installed. If you have squid, that is likely the culprit.

But…. even using Squid, it should show traffic, from firewall (where squid is installed, going out thru the LAN interface) to the cliente.

Squid is caching content, but, traffic will also be send to the client host? no ?

This is really weird, unless the firewall itself is using, to make an update or something like that, it should show on traffic LAN interface graph.

jimp

Squid can sometimes pull data back into its cache to revalidate and such without delivering that to clients. The specifics have fallen out of my brain but it's not unusual. Especially if you have squid caching things like windows updates or other large files.

m4kin

Even if I turn off the squid cache?

jimp

That would be a question for the proxy board.

m4kin

With my squid turned off, just the traffic graph, continue showing this strange thing.;

cmb

You'll need to packet capture on WAN and see what that traffic is. Squid is a good guess where you're running it, but it could be any number of things, including traffic you're not soliciting (like a DoS of some sort).