Continuous data traffic to WAN



  • Dear users,

    Since this is the first time I'm using pfsense, I'm testing it.

    Today I noticed that with the hardware on, there is continuous data traffic on the WAN interface, as I can show you in this video:
    https://cdn.dampc.ga/ctv/pfsense-traffic.mp4
    When I recorded the video, all LAN interfaces were disconnected.

    And I noticed that the internet speed is lower using pfsense, compared to a normal router.

    Why does my hardware continuously transmit data to the internet?

    Thanks


  • LAYER 8 Netgate

    There is always traffic on your WAN. Always.


  • Netgate Administrator

    Apart from whatever data is arriving on that link, which could be anything, there are also the gateway monitoring pings that are sent out at .5s intervals by default.

    https://docs.netgate.com/pfsense/en/latest/routing/gateway-settings.html#id1

    Steve



  • @dam034 If you are concerned about how much traffic there REALLY is, check the Status -> Traffic Graph page and filter by Remote. It will show you EXACTLY which IP addresses the traffic is going to/from.

    As mentioned above, your ISP's gateway should pop up regularly at the very least, as it's used to check the connection is working.

    You may also see other traffic from bots on the Internet checking if you have any exploitable servers on your connection. This is perfectly normal and pfSense will block that traffic at the firewall.



  • The fact is that this test machine is behind a NAT router, and I didn't forward any port, so the traffic is all outgoing, from the pfsense machine to the internet.

    The interval isn't 5 seconds, but it is continuous.

    Is it possible to disable this?

    Thanks


  • LAYER 8 Global Moderator

    @dam034 said in Continuous data traffic to WAN:

    The fact is that this test machine is behind a NAT router, and I didn't forward any port

    Says who... Where is the sniff? Who says your NAT router wasn't sending out traffic? Who says other devices on the same L2 as your pfsense WAN are not sending out broadcasts, multicast, ARPs, DHCP, SSDP, WSD, STP, LLDP, CDP, etc. etc..

    If you actually want to KNOW what the traffic is - then sniff on pfsense wan.. Post up the capture and we can discuss what we see.


  • Netgate Administrator

    The gateway monitoring ping is a .5s interval, not 5s. You disable it by editing the gateway in System > Routing > Gateways and checking 'Disable gateway monitoring'.

    But you will still see traffic on that interface. Any broadcast traffic on that subnet will hit it, for example.

    Steve


  • LAYER 8 Netgate

    We can not give you any advice based on a video of a blinking LED. Run a packet capture and see what's really out there. (Probably broadcasts, ARP, gateway monitoring, etc.)



  • @derelict said in Continuous data traffic to WAN:

    We can not give you any advice based on a video of a blinking LED.

    😆 😆 😆



  • @dam034 said in Continuous data traffic to WAN:

    The fact is that this test machine is behind a NAT router, and I didn't forward any port, so the traffic is all outgoing, from the pfsense machine to the internet.

    The interval isn't 5 seconds, but it is continous.

    Is it possible to disable this?

    Thanks

    Then you just answered your own question, as others have said it will be broadcast traffic from the LAN.

    All network ports on my LAN blink like crazy because of things like my DLNA servers, routers' uPNP, ARP, discovery protocols from my TV, surround receiver, ShieldTV, etc.

    There is lots of background traffic on any LAN because everything has to be "smart" and auto-discover each other.



  • Thanks for your replies, but I fixed the issue thanks to the solution of @stephenw10

    This is the gateway page:
    0_1550765855542_pfgateway.png
    I temporarily disabled the monitoring and the traffic has been reduced to zero.
    I didn't know the monitoring was going to 192.168.1.1, but I thought the traffic was outgoing to the internet. Now I re-enabled the monitoring, because I know where the traffic is directed.

    I solved the issue, but now I discovered another, different issue. Should I open another topic, or can I continue here?

    Thanks



  • Start a new topic if it isn't directly related to this problem.



  • Today I found another problem, this is the hardware configuration:
    0_1552749106194_pfc.png
    The tv box has a problem: it sends continuous data traffic (only when it is on).
    With the old router I saw all the LEDs in the switch blinking, and in the router only the port connected to the switch was blinking.
    Now, with pfsense, I can see in the switch only the tv box and pfsense LEDs blinking, and in the modem the LED for the internet connection is also blinking.
    I think the tv box sends continuous broadcast (and/or multicast) frames.
    Since I can't block this in the tv box, I want to block broadcast (and/or multicast) frames exiting the LAN in the pfsense machine.
    I know I have to add a rule in the firewall, but I don't know what I have to set.

    What can I do?

    Thanks


  • LAYER 8 Global Moderator

    Your TV box is going to be a noisy little SOB for sure..

    Yup prob lots of multicast traffic, etc. One of the big reasons to segment your network into vlans, ie L2 broadcast domains is to keep such traffic away from other networks.

    Put your TV Box on its own segment if you don't want your other devices to see this broadcast/multicast traffic.

    If your switch or AP doesn't block this traffic, such traffic can for sure kill a wifi network.. So for sure you would want to make sure that multicast traffic doesn't go out your wifi unless "needed". Multicast traffic over wireless is almost always sent at the lowest datarate.. So even if not "lots" of traffic, it's going to slow down the wifi overall since it's a shared medium.



  • I don't know if the traffic is multicast or broadcast, and if possible I'd like to see in the pfSense webGUI which type of traffic it is. Do I have to look at the states?

    I use the tv box to see on the TV some contents stored in the server, so all the devices have to stay in the same LAN, so no vlan.

    About wifi, the AC point blocks all multicast and broadcast frames in both interfaces (ethernet and wifi).

    So I want to prevent these frames from exiting the LAN, to avoid congestion on the WAN connection, because on the LAN I have 1000mbps, on the WAN only 30mbps.

    Which rule do I have to add to the firewall?

    Thanks



  • @dam034 If your switch is smart (managed) and your "Wifi AC point" supports VLANs and multiple SSIDs, you can easily separate all this traffic. You have to read up on how VLANs work, obviously...

    Jeff


  • LAYER 8 Global Moderator

    Multicast and broadcast don't pass a router in the first place... So you don't have to worry about it flooding your wan..

    As to your server and tvbox having to be in the same L2... Nonsense - you might not be able to use whatever broadcast/multicast discovery method you're using now... But I stream stuff from my "server" to my TV every day all day and they are in different networks.

    If you want to see what kind of traffic your tvbox is spewing - just do a sniff (packet capture) on pfsense lan interface under the diag menu.



  • I still don't understand why you consider any of this a "problem".

    You will ALWAYS see traffic on the WAN, either from people probing your IP from the Internet, the PPPoE session to your ISP, or your IP address being refreshed over DHCP.

    As for the LAN, my LEDs flash day and night; the amount of bandwidth it's actually doing is microscopic. It will have zero impact on your Internet speed and be immeasurably small on your LAN speed.

    Unless you have identified an actual issue with it causing problems on your LAN, blocking that traffic will only make using your devices more complicated, as it's there to make detecting devices on your LAN completely automatic.

    Even my main smart managed switch and pfSense itself broadcast their own traffic, as I have uPNP enabled (for specific IP addresses only). It's how these devices are designed to work.


  • LAYER 8 Netgate

    It's 2AM. Everyone's asleep but me. I am not chasing blinking LEDs.

    0_1552813809848_Untitled.mov.gif



  • @Derelict said in Continuous data traffic to WAN:

    It's 2AM. Everyone's asleep but me. I am not chasing blinking LEDs.

    0_1552813809848_Untitled.mov.gif

    It's morning here, so I've been looking for an hour or so at your video: no red lights, all looks good to me ^^


  • LAYER 8 Moderator

    @Gertjan said in Continuous data traffic to WAN:

    @Derelict said in Continuous data traffic to WAN:

    It's 2AM. Everyone's asleep but me. I am not chasing blinking LEDs.

    It's morning here, so I've been looking for an hour or so at your video: no red lights, all looks good to me ^^

    Damn wanted to write the exact same thing :D



  • @JeGr I'm sat here trying to guess what each box is for. ;)


  • LAYER 8 Netgate

    I'm sat here trying to guess what each box is for. ;)

    Top down, left-to-right:

    SG-4860 (Edge), Cable modem, MoCA bridge, VDSL modem
    SG-5100 (tnsr), SG-4860 (Trex)
    Brocade ICX6450-48 Layer 3 switch



  • Hey @Derelict , can you please plug your OPT1 back in? I'm having trouble getting to your Plex server box...

    Thanks!

    😋

    *** just kidding ***

    Jeff



  • Thanks for your replies.

    Seeing the states I understood the problem, if we want to consider this.

    With the old router, the LAN had these addresses: 192.168.100.0/24, so the broadcast address was 192.168.100.255
    Now with pfsense, I changed the LAN addresses to 10.78.32.0/26, so the broadcast address is 10.78.32.63
    I went to see the states and I noticed this particular:
    pftab.png
    The tv box has ip 10.78.32.34
    I'm thinking the tv box continues to believe that the broadcast address ends with 255, as in old router, and not 64.
    This explains why with the old router all LEDs were blinking (broadcast), and now with pfsense it isn't so, because 10.78.32.255 is outside the LAN, and is then routed to the modem, which in turn routes to the Internet.

    So I need to block the outgoing traffic to 10.78.32.255? Or I need more?

    Thanks


  • LAYER 8 Netgate

    No, you should set a consistent IP network, including netmask, on your network.


  • LAYER 8 Global Moderator

    What? You don't run your router with a /26 mask, and clients on this network with a /24 mask?? Is that what you did?



  • I configured the new network with /26 mask, but the tv box continues to send broadcast frames to 10.78.32.255, and I don't know why. It is a bit old (android 4.4.2).

    I thought to add a new firewall rule, and indeed it works.
    This is the LAN firewall:
    pflan.png
    In less than one minute, the firewall blocked 160KiB of noisy traffic.

    Now the LEDs' behaviour hasn't changed in the switch, but the noisy frames are no longer routed to the modem and to the Internet.

    This is what I can do, and for now it works.

    Thanks for the help!


  • LAYER 8 Netgate

    If you are running /26 on pfSense everything on that segment should be in the same /26.

    That is how you configure an IP network.

    There is no second option.


  • LAYER 8 Global Moderator

    You need to fix the mask on the device, or have it update its dhcp lease so it gets the new mask



  • @dam034 said in Continuous data traffic to WAN:

    Now the LEDs behaviour hasn't changed in the switch, but the noisy frames are no longer routed to the modem and to the Internet.

    I thought we had already come to the conclusion that the "noisy" frames already WEREN'T routed to the Internet, as its broadcast traffic!


  • LAYER 8 Global Moderator

    It's not going to route anywhere when the router thinks the IP is in its own network... But sure it could shove it down its default gateway when it's not an IP on its own interface... I.e. it's an issue with a mismatched mask.

    But you're correct, if a true broadcast it shouldn't be routed.

    But odd things can happen when you run a network with clients having mismatched masks.


  • LAYER 8 Netgate

    if pfSense has an interface subnet of 10.78.32.0/26 there is absolutely no way for it to know that 10.78.32.255 is a broadcast. The solution is to fix your network.

    If you have broken devices that assume /24, then use /24.
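To make the mismatched-mask point concrete, here is a small added example (not code from the thread or from pfSense) that models the IP-level classification the posts above describe: a host derives its broadcast address from its own address and mask, while the router classifies an incoming destination only against its own interface subnet. It assumes a pfSense LAN address of 10.78.32.1/26 (the thread gives only the network 10.78.32.0/26) and uses the TV box address 10.78.32.34 from the thread; it models addressing only, not link-layer frame handling.

```python
from ipaddress import ip_address, ip_interface

# Constructed from the thread: pfSense LAN is 10.78.32.0/26 (interface address
# 10.78.32.1 is an assumption), the TV box holds 10.78.32.34 but still believes
# the mask is /24, as it was on the old 192.168.100.0/24 network.
PFSENSE_LAN = ip_interface("10.78.32.1/26")         # assumed interface address
PFSENSE_LAN_AS_24 = ip_interface("10.78.32.1/24")   # Derelict's suggested fix
TV_BOX_WRONG_MASK = ip_interface("10.78.32.34/24")  # device's mistaken view
TV_BOX_RIGHT_MASK = ip_interface("10.78.32.34/26")  # what the DHCP lease should yield

LIMITED_BROADCAST = ip_address("255.255.255.255")


def broadcast_for(host_iface):
    """Directed broadcast address a host derives from its own address and mask."""
    return host_iface.network.broadcast_address


def router_disposition(router_iface, dst):
    """Classify a packet to dst the way a router with router_iface would.

    The router only knows its own subnet, so 10.78.32.255 is just another
    unicast address to a /26 router and gets forwarded to the default gateway.
    """
    dst = ip_address(dst)
    net = router_iface.network
    if dst == net.broadcast_address or dst == LIMITED_BROADCAST:
        return "broadcast: delivered on the segment, never forwarded"
    if dst in net:
        return "on-link unicast: delivered on the LAN"
    return "off-link unicast: forwarded toward the default gateway (WAN)"


def lan_rule_needed(router_iface, host_iface):
    """True when the host's believed broadcast address is off-link for the router.

    In that case the frames would be forwarded unless the mask is fixed on the
    host (the right fix) or a LAN rule blocks the destination (the workaround).
    """
    return broadcast_for(host_iface) not in router_iface.network


if __name__ == "__main__":
    for label, host in (("wrong /24 mask", TV_BOX_WRONG_MASK),
                        ("correct /26 mask", TV_BOX_RIGHT_MASK)):
        bcast = broadcast_for(host)
        print(f"{label}: TV box broadcasts to {bcast} -> "
              f"{router_disposition(PFSENSE_LAN, bcast)}")
    # Derelict's fix: give pfSense the same /24 so the address is a broadcast again.
    print("pfSense on /24:", router_disposition(PFSENSE_LAN_AS_24, "10.78.32.255"))
```

Running it shows the two outcomes the thread argues about: with the /24 belief the TV box targets 10.78.32.255, which the /26 router can only treat as an off-link unicast, whereas once every host and the router agree on one mask (either /26 on the box or /24 on pfSense) the same address is a broadcast and is never forwarded.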


  • Netgate Administrator

    Yeah, a device with something hardcoded to /24 is horrible but believable. Unfortunately.

    Steve


  • LAYER 8 Global Moderator

    What device is that that has a hard coded mask of 24... That is just freaking HORRIBLE!!! And it won't accept new mask with dhcp even if its interface has no place to set the mask..

    Here is what you do with such hardware - RETURN IT!!!! Or throw it a freak away! And never buy hardware from the company again, and spread the news on how shit the stuff is..



  • @johnpoz Would it not be simpler to just have a firewall rule block traffic from the offending device, if you CAN'T adjust the network to compensate I mean?

    It's not graceful, I know, but it at least prevents it going out the WAN.

    For example, I have pf enabled on the bridge and block traffic from LAN to LAN on certain IP addresses as a simple way to stop my neighbours' phones/consoles from seeing my TV, surround system (the PtP link to them is on the bridge), etc., while still having full access myself if I roam onto their WiFi.

    This is obviously not from a security perspective, where putting them on their own VLAN would make more sense; it's just to prevent accidental casting to my devices. Sometimes the hackery option is "good enough", especially when my router is seriously overpowered so not going to take any performance hit.



  • @dam034 said in Continuous data traffic to WAN:

    I configured the new network with /26 mask, but the tv box continues to send broadcast frames to 10.78.32.255, and I don't know why. It is a bit old (android 4.4.2).

    If that box can only use a /24, then you have to set everything else to /24. It should work fine then. Years ago, back when classful addresses were used, some things would set the mask according to the address class. However, that sort of behavior should have disappeared with the shift to CIDR and variable length subnet masks several years ago. Even then, you'd never get a class C mask with a class A address. Seems to me that TV box is NFG.


  • LAYER 8 Global Moderator

    Dude just use a FREAKING /24 if your device will not let you change... What do you think using a /24 out of rfc1918 space cost you??? Let me think - nothing!

    I have pf enabled on bridge and block traffic from LAN to LAN on certain IP

    Yeah the blinking lights are making more and more sense the deeper this thread freaking goes..


  • Netgate Administrator

    Mmm. What exactly is that 'TV Box'? What does it think its subnet is?



  • @Alex-Atkin-UK said in Continuous data traffic to WAN:

    Would it not be simpler to just have a firewall rule block traffic from the offending device, if you CAN'T adjust the network to compensate I mean?
    Its not graceful I know, but it at least prevents it going out the WAN.

    What's going out? For it to go anywhere, it needs a destination address. Where's it going? If it's the broadcast address, then it's not going out anywhere. What does Packet Capture, running on the WAN interface, show?

