Large amount of data usage
-
There is no IPv6 address that shows up in the list.
Also the IP issue isn't caused by the routers being switched because I only switched after weeks of the dual IPs and then after two days pass it shows only the one IP. I only switched to try to narrow down the cause of the issue after the fact.
Also I don't have to worry about rebooting a modem because I don't have one.
Right now since I just connected it I will have to wait another two days to see if this problem still persists. I also have bandwidthd, Status_Traffic_Totals, and darkstat running now to try to see what I see compared to the ISP.
-
Well it could very well be your IP is just changing.. I would write down what your IP is currently on pfsense, and check it now and then to see if it is changing.. It could be that they are just handing you a different IP… Your wan on pfsense is set to dhcp right.
-
So I switched routers back to only pfsense on the 1st and waited until the 3rd to check the usage to be sure that it wasn't just two IPs from both routers being on in one day and it showed two IPs again.
I called customer support and of course they told me my router is in "bridge mode" again but that's how great outsourced tech support is..
They also gave me the two IPs I was pulling and one of them is the one that is assigned to my WAN interface in pfsense and the other one does not show up in the interfaces section. Is there any way to track down where this is coming from since I have that IP now?
-
So they told you your routers in bridge mode - so pfsense has a public IP on its wan..
And it didn't change? You checked on it now and then and made sure it didn't change like on day 2, etc.. This 2nd IP they say your using is also public..
You have nothing else plugged into your modem that is in bridge mode, and it has no WIFI on? Just the 1 wire from modem to pfsense wan?
You do not have pfsense setup in bridge mode do you? You can view all the ips pfsense would have on the diag, routes.. This would show you any vips you might of setup even.. See attached I created a vip 1.2.3.4 just to show as example…
-
Yes the IP has been the same since I plugged it in and it's still the same.
It's fiber so no modem but yes pfsense is the first thing the network touches coming into my room.
I have not setup any bridges or anything in pfsense. Straight out of the box install plus adding the monitoring packages.
I looked in the routes section and the second IP does not show up.
It does show up in bandwidthd as the second highest traffic amount right under the router itself. I attached a picture of its entry.
-
What is the IP - look to its mac in your arp table tell you what device it is.
-
Well, I found my issue. The IPMI interface on my board binds itself to the first ethernet port so the ipmi interface was pulling the second IP and causing that extra traffic on my network…
-
how did you track that down?
-
So once I got the IP from my ISP I found it showing up in the ARP table with the MAC address matching with my board's manufacturer. I decided to just type in the IP, which admittedly should have been something I did before, and it popped up with my IPMI web console. I did some research and figured out that by default the IMPI bonds to the dedicated port as well as the first ethernet port so I went in and disabled it.
Definitely not something I thought about at all honestly.
-
Good catch… For sure - you sure wouldn't want your ipmi open to the public internet..
Such an option should really be disabled in the bios out of the box..
-
You'd think but I guess since it's not really a board meant to be a router they just assume it's only going to be inside the network.
-
@mikecala Man, wish I'd seen this thread a few days ago. I've had exactly the same problem, new pfSense install - using 30GB+ extra a day more than normal. What board are you using?
-
Wow, that's concerning. What on IPMI there is using 30GB a day? Was it exposed with default credentials?
Steve
-
@stephenw10 I'm not sure if it was IPMI, or some other misconfiguration on my behalf.
It's a APU.2C4 board.
I've taken it offline for now, as it used up the 1TB allowance last month.
-
It seems like many business branded comps (Dell, Lenovo, etc) have security issues on onboard ethernet (exposing either IPMI or AMT). On my router machine, I'm only using the onboard ethernet for a 'management lan' that gets no internet access at all. IPMI and switch management interfaces shouldn't need to access the internet anyway. WAN and LANs served by an intel 4-port card. I just don't trust those manufacturers to patch management bugs fast enough.
For all those who ran into this data usage issue, I'd urge you to reset your IPMI or AMT interface to factory defaults before locking it down. It's an annoyingly nontrivial task in some cases. If it's got gigs of data usage, I'd be concerned that a bad actor somewhere has pwned your management interface.
