Suddenly almost all traffic goes away.



  • At some point the traffic you are using suddenly dies in an unspecified pattern.

    No DDoS, no server computer hardware issues, no switches, no server configuration, no firewall issues.

    When it is over 3000 b / s, it dies

    Where is the problem?

    There is nothing left in the system log on the server event log or in Pfsense, so the only thing you can check is the inblock that shows outliers in the monitoring graph.

    It uses 6Mbps on average, but the whole traffic dies at the point where the inblock rises.

    Does anyone know?

                                        Server configuration.
    
                                                 ISP
                                                  │
                                      PfSense [(ip)1.1.1.1]
                                                  │
                                             L2 Switch   
                                 ┏                                  ┓
                          Server 1 [(ip)1.1.1.1]       Server 2   [(ip)1.1.1.2]          
    



  • Netgate Administrator

    Need to see that without the pass data graphed to compare. You're saying the in block traffic increases just at that point?
    Do you see legit traffic blocked in the firewall log?

    Steve



  • I'm Korean and I'm not good at English

    Status - System Logs - System, Firewall

    There was nothing to see in this part.
    You may not have verified it properly.
    Where should I check?
    What should I do if there are no logs left in this area?


  • Netgate Administrator

    If you see an increase in the graphs but nothing logged it could be you do not have logging enabled for default blocked traffic. It might be being blocked by a custom rule you have added that doesn't have logging enabled. Or it might be some type of bad traffic that isn't logged as IP at all.
    You might need to catch some traffic in a packet capture when it starts happening to see what it is.

    Steve



  • @stephenw10

    The traffic is not suddenly increasing.
    I was using 6Mbps on average. When the problem occurred, it was down to 1Mbps and inblock was recorded on the monitoring graph.

    The problem seems to be really hard to solve because there is no cause identified and no logs left.



  • Netgate Administrator

    The blocked traffic is spiking though? And that seems to coincide with existing connections being blocked?

    Is it actually killing existing connections or just preventing new connections?

    What sort of traffic is that in the 6Mbps average?

    Steve



  • @stephenw10

    I don't know what has to do with inblock.

    When there's a problem, most of the existing connections are broken (More than 90% of the total).

    If you check the logs and system at that time when there is a problem with the service, only the 'Inblock' value in the graph is strange.

    6Mbps is mostly a TCP service game user.



  • @NullLouting

    Sorry if I missed something here but are you really using these IP addresses on your pfSense and servers?

                                             ISP
                                              │
                                  PfSense [(ip)1.1.1.1]
                                              │
                                         L2 Switch   
                             ┏                                  ┓
                      Server 1 [(ip)1.1.1.1]       Server 2   [(ip)1.1.1.2]


  • @biggsy

    Are you talking about 1.1.1.1? This is an example.

    pfSense and Server 1 are the same IP.


  • Netgate Administrator

    What do you do to restore the full speed?

    Is it using a dynamic IP?

    How is the server and pfSense internal interface using the same IP?

    Steve



  • @stephenw10

    Are you asking what you can do to disconnect and reconnect?
    If you don't do anything, it will reconnect automatically and the time will be about 3 seconds.

    No. Server 1 is using a private IP.

                                              ISP
                                               │
                               Pfsense (xxx.xxx.xx4.214)                 
                                               │
                                          L2 Switch
                                 ┌                           ┐
                 Server 1 (192.168.1.100)           Server 2 (192.168.1.200)
    
    
                      External IP
    
                      Pfsense, Server 1 = xxx.xxx.xx4.214 
    
                      Server 2 = xxx.xxx.xx4.220
    


