Traffic graph - constant sawtooth
-
@denver status->traffic graph should show which IP/Host is generating that traffic
-
What you may be seeing is TCP flow control in action. The way it works is it starts up slow and gradually ramps up until packets are lost and assumes the loss is due to congestion. It then drops down and ramps up again. Repeat and rinse. I haven't observed that myself, so I'm not quite sure what it looks like.
-
run a speedtest or something - do you see same grass type traffic?
example
Are you looking to track down what is doing the low level traffic? For example here is my dmz vlan - I have a pihole doing dns, ntp server serving to the internet.. So while none of those generate a lot of traffic - it is not a constant sort of flow..
If you're not actually doing anything - that seems to be some high amount of grass..
You might want to take a sniff, diagnostic - packet capture on that interface and see what sort of traffic you're seeing. Could be something generating a bunch of noise.. Unwanted multicast, broadcasts, etc. etc..
-
@johnpoz said in Traffic graph - constant sawtooth:
You might want to take a sniff, diagnostic - packet capture on that interface and see what sort of traffic you're seeing. Could be something generating a bunch of noise.. Unwanted multicast, broadcasts, etc. etc..
a megabit worth of broadcasts on a home iot network ? there must be some messed up shit being sold these days
-
@heper said in Traffic graph - constant sawtooth:
there must be some messed up shit being sold these days
Yeah ;) That could be a bunch of devices all sending out ssdp every couple of seconds.. Or freaking clients banging away at dns every freaking second because something doesn't resolve..
There is a lot of noisy shit out there, and while 1 or 2 devices might not matter.. What if you have 20 of them.. Say some shitty smart lightbulb or something, and he has his whole house with them.
That is why I would suggest doing a simple sniff - to see what is causing the traffic..
example... I have a few lightbulbs.. And they seem to only do it every 5 seconds - but they send out this broadcast.
What if I had 30 of them, and they did that every second vs every 5.. That low level traffic starts to add up ;)
I have a thermostat - for some stupid reason it likes to query for this like every minute (little less than).. It has no local cache - so every time it wants to do "something" it has to do a dns query.. Good thing that isn't every second, and good thing I only have 1 of those devices.. You start adding up a bunch of iot devices, that are all doing stupid shit that doesn't matter a few packets here a few packets there.. Well if you have 50 of them, and they are all doing stupid shit.. Next thing you know you have 1mbps of grass traffic always running..
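The capture-and-count approach suggested above, as an added example that is not part of the original thread: it totals payload bytes per source from text in the style of `tcpdump -n -q` output and labels each flow as broadcast, multicast or unicast. The sample lines, the addresses and the /24 assumption in `classify` are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the style of `tcpdump -n -q` text output (not from the thread).
SAMPLE = """\
12:00:00.000000 IP 192.168.20.31.49152 > 239.255.255.250.1900: UDP, length 125
12:00:01.000000 IP 192.168.20.50.554 > 192.168.1.10.41000: tcp 1448
12:00:02.000000 IP 192.168.20.32.49153 > 255.255.255.255.6667: UDP, length 172
12:00:05.000000 IP 192.168.20.31.49152 > 239.255.255.250.1900: UDP, length 125
12:00:06.000000 IP 192.168.20.40.50000 > 192.168.20.1.53: UDP, length 33
12:00:08.000000 IP 192.168.20.50.554 > 192.168.1.10.41000: tcp 1448
12:00:10.000000 IP 192.168.20.32.49153 > 255.255.255.255.6667: UDP, length 172
"""

LINE = re.compile(
    r"^(\d+):(\d+):(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.\d+ > "
    r"(\d+\.\d+\.\d+\.\d+)\.\d+: (?:UDP, length|tcp) (\d+)"
)

def classify(dst):
    """Label a destination address as broadcast, multicast or unicast."""
    if ipaddress.ip_address(dst).is_multicast:
        return "multicast"
    # Limited broadcast, or a .255 host part (assumes /24 subnets).
    if dst == "255.255.255.255" or dst.endswith(".255"):
        return "broadcast"
    return "unicast"

def top_talkers(text):
    """Return (window_seconds, [(src, kind, payload_bytes, avg_bps)]) sorted by bytes."""
    totals = defaultdict(int)
    times = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip ARP, IPv6 and anything else this sketch does not parse
        h, mi, s, src, dst, length = m.groups()
        times.append(int(h) * 3600 + int(mi) * 60 + float(s))
        totals[(src, classify(dst))] += int(length)  # payload bytes, not frame size
    window = max(times) - min(times) if len(times) > 1 else 0.0
    rows = [(src, kind, n, n * 8 / window if window else 0.0)
            for (src, kind), n in totals.items()]
    return window, sorted(rows, key=lambda r: r[2], reverse=True)

if __name__ == "__main__":
    window, rows = top_talkers(SAMPLE)
    for src, kind, n, bps in rows:
        print(f"{src:15} {kind:9} {n:6d} B  {bps:8.1f} bit/s over {window:.0f}s")
```

The byte counts are payload lengths as printed by tcpdump, so the rates understate what the traffic graph shows by the header overhead of each packet.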
-
Thank you all for your advice, I've traced it to an IP camera on the 20 VLAN communicating with NVR software (Motion Eye) on the LAN. Would it be wise to have both the camera and NVR software on a separate VLAN altogether or doesn't it make any difference?
-
Putting the devices that are talking to each other on the same network would take the load of having to "route" it.. pfSense would never see that traffic.
It is a common practice yes to keep devices that do a lot of chatter/traffic between them on the same network so that traffic doesn't hit your firewall/router.. Unless for some reason you want to filter that traffic in some way... Maybe you want to allow device A to talk to B only on port X - in that case you would want them on different networks so you could filter specific traffic.
I would think cameras would tend to send a lot of traffic to the NVR ;) - so yeah normally those are devices you would put on the same network. Since it's unlikely as well that you would want/need to filter any traffic between your camera and your NVR..
-
The DVRs I've worked with have separate interfaces for the cameras and main network.
-
yeah good points, I'll work out how to create a separate network on pfsense for cameras (only 2) and NVR software and go from there.
-
The cameras shouldn't even connect to pfsense. They have their own network, connected to the camera side of the DVR. If you want to view a camera, you do that through the DVR, which can be connected to pfsense.
-
I will need to connect one camera via pfSense I believe as I would like to use person detection software to integrate with Home Assistant for triggering when someone's on the property.