Suddenly almost all traffic goes away.

stephenw10

Need to see that without the pass data graphed to compare. You're saying the in block traffic increases just at that point?
Do you see legit traffic blocked in the firewall log?

Steve

NullLouting

I'm Korean and I'm not good at English

Status - System Logs - System, Firewall

There was nothing to see in this part.
You may not have verified it properly.
Where should I check?
What should I do if there are no logs left in this area?

stephenw10

If you see an increase in the graphs but nothing logged it could be you do not have logging enabled for default blocked traffic. It might be being blocked by a custom rule you have added that doesn't have logging enabled. Or it might be some type of bad traffic that isn't logged as IP at all.
You might need to catch some traffic in a packet capture when it starts happening to see what it is.

Steve

NullLouting

@stephenw10

The traffic is not suddenly increasing.
I was using 6Mbps on average. When the problem occurred, it was down to 1Mbps and inblock was recorded on the monitoring graph.

The problem seems to be really hard to solve because there is no cause identified and no logs left.

stephenw10

The blocked traffic is spiking though? And that seems to coincide with existing connections being blocked?

Is it actually killing existing connections or just preventing new connections?

What sort of traffic is that in the 6Mbps average?

Steve

NullLouting

@stephenw10

I don't know what has to do with inblock.

When there's a problem, most of the existing connections are broken (More than 90% of the total).

If you check the logs and system at that time when there is a problem with the service, only the 'Inblock' value in the graph is strange.

6Mbps is mostly a TCP service game user.

biggsy

@NullLouting

Sorry if I missed something here but are you really using these IP addresses on your pfSense and servers?

                                         ISP
                                          │
                              PfSense [(ip)1.1.1.1]
                                          │
                                     L2 Switch   
                         ┏                                  ┓
                  Server 1 [(ip)1.1.1.1]       Server 2   [(ip)1.1.1.2]

NullLouting

@biggsy

1.1.1.1 Are you talking? This is an example

Pfsense and Sever1 are the same ip

stephenw10

What do you do to restore the full speed?

Is it using a dynamic IP?

How is the server and pfSense internal interface using the same IP?

Steve

NullLouting

@stephenw10

Are you asking what you can do to disconnect and reconnect?
If you don't do anything, it will reconnect automatically and the time will be about 3 seconds.

no. Server 1 is using private IP.

                                          ISP
                                           │
                           Pfsense (xxx.xxx.xx4.214)                 
                                           │
                                      L2 Switch
                             ┌                           ┐
             Server 1 (192.168.1.100)           Server 2 (192.168.1.200)


                  External IP

                  Pfsense, Server 1 = xxx.xxx.xx4.214 

                  Server 2 = xxx.xxx.xx4.220