Large amount of data usage
-
What is the IP - look to its mac in your arp table tell you what device it is.
-
Well, I found my issue. The IPMI interface on my board binds itself to the first ethernet port so the ipmi interface was pulling the second IP and causing that extra traffic on my network…
-
how did you track that down?
-
So once I got the IP from my ISP I found it showing up in the ARP table with the MAC address matching with my board's manufacturer. I decided to just type in the IP, which admittedly should have been something I did before, and it popped up with my IPMI web console. I did some research and figured out that by default the IMPI bonds to the dedicated port as well as the first ethernet port so I went in and disabled it.
Definitely not something I thought about at all honestly.
-
Good catch… For sure - you sure wouldn't want your ipmi open to the public internet..
Such an option should really be disabled in the bios out of the box..
-
You'd think but I guess since it's not really a board meant to be a router they just assume it's only going to be inside the network.
-
@mikecala Man, wish I'd seen this thread a few days ago. I've had exactly the same problem, new pfSense install - using 30GB+ extra a day more than normal. What board are you using?
-
Wow, that's concerning. What on IPMI there is using 30GB a day? Was it exposed with default credentials?
Steve
-
@stephenw10 I'm not sure if it was IPMI, or some other misconfiguration on my behalf.
It's a APU.2C4 board.
I've taken it offline for now, as it used up the 1TB allowance last month.
-
It seems like many business branded comps (Dell, Lenovo, etc) have security issues on onboard ethernet (exposing either IPMI or AMT). On my router machine, I'm only using the onboard ethernet for a 'management lan' that gets no internet access at all. IPMI and switch management interfaces shouldn't need to access the internet anyway. WAN and LANs served by an intel 4-port card. I just don't trust those manufacturers to patch management bugs fast enough.
For all those who ran into this data usage issue, I'd urge you to reset your IPMI or AMT interface to factory defaults before locking it down. It's an annoyingly nontrivial task in some cases. If it's got gigs of data usage, I'd be concerned that a bad actor somewhere has pwned your management interface.
