pfSense using unreasonable amount of bandwidth while idle



  • Hello,
    I am using an sg-1100, to protect a small number of devices from an untrusted LAN. The pfSense (v2.4.5-RELEASE-p1) on this device is running the basic services, plus DNS resolver, pfBlocker and SNORT. I've been having a few strange problems, (like config changes almost always being lost after I apply them) but another I am now noticing is that the sg-1100 is using a significant amount of bandwidth while it should be idle.

    While running with one idle PC (LAN port), one idle Raspberry Pi (LAN port), and one idle WiFi router with no connections (OPT port) on this box, I see both the LAN port:
    LAN normal.jpg
    And the OPT port:
    OPT normal.jpg

    Consuming a reasonable amount of traffic. However, the entire time, the WAN port is moving a lot of data, non-stop:
    WAN stable.jpg

    As I watched it for about an hour, I noticed two brief disruptions to this norm:
    WAN brief break.jpg WAN brief break then spike.jpg

    But other than that, it remained constant. I first began investigating this because the LAN and OPT link lights have been staying mostly solid, but the WAN port's link light is always flashing rapidly.

    Does anyone have suggestions what is going on? Is there some justification for this? Or has it been compromised? It's more ingress than egress traffic, which is slightly less concerning than the opposite ratio, but it still doesn't seem right.

    To be clear, no one other than me uses this device, or connects into it from the LAN/OPT sides for any reason whatsoever.

    Thanks!



  • @CyberMinion Change graph to remote and see...


  • Netgate Administrator

    What is that host: 192.168.1.232? The WAN IP?

    Check the state tables for what's open there.

    Run a packet capture, see what that traffic actually is.

    Steve



  • @netblues

    Change graph to remote and see...

    That is showing "All" but remote does not change the readout much in this case. This is behind a NAT, so 192.168.1.x is in this case the WAN subnet.

    @stephenw10

    What is that host: 192.168.1.232? The WAN IP?

    Yes, that is the WAN IP of this pfSense firewall.

    Check the state tables for what's open there.

    Right now, a whole lot, but that is to be expected. That's a good suggestion, and I will check on that next time this issue arises.

    Run a packet capture, see what that traffic actually is.

    Also an excellent idea, but I'm not set up for that. I'll need to investigate whether I can do this right from pfSense, or need to hook up a tap. EDIT: Just found diag_packet_capture.php and will try to use that next time this happens.

    Now that I've started poking at it, the issue has vanished, but I'm sure it will return. It did this to me once before as well. When I notice the issue and first start poking at it a little bit, it keeps going, but if I do much or start a bandwidth-intensive process on the LAN, this unexplained load suddenly vanishes. Not sure if this is on the up-and-up (just prioritizing user activity over whatever this is), or an IOC.

    Probably unrelated, but I think this most recent occurrence may have started around 3am (my time), which is when I think I set pfBlocker to run. There's no good reason for pfBlocker to be both downloading and uploading many GB of data for the next 12 hours after triggering, though. I checked on it shortly after 3am today, but nothing strange was going on. All is quiet for now.


  • Netgate Administrator

    Indeed pfBlocker updates are much smaller and much faster.

    More likely you have something open on WAN that is being sent traffic and probably shouldn't be, DNS or NTP maybe?

    You have a VPN on there at all? Could be something remote connecting to it and downloading. You might expect the traffic to be more symmetric if it was though.

    Steve



  • Maybe you have a Skynet node in your LAN and it is plotting a world-wide takeover with other IoT devices across the planet by scheming to exterminate all the carbon units infesting Earth ... 😁.

    Just kidding with the Terminator movie reference. Also saw the 1979 Star Trek original movie again during the COVID lockdown, so the "carbon units" reference was fresh in my mind.

    Exactly what types of devices are on this "untrusted" LAN? Are they IoT type devices? Lots of those chit-chat with the mothership for various reasons. Some innocuous, and some -- "who knows?". That's not a ton of traffic. The resolution is bits/second in those graph screen grabs. So while not silent, the interfaces are not exactly maxed out either.

    As has already been suggested, doing a WAN packet capture using the tools under the DIAGNOSTICS menu might be helpful.





  • Bloody heck...it is so hard to post messages on this forum. It's always being blocked by one rule or another.
    @stephenw10

    More likely you have something open on WAN that is being sent traffic and probably shouldn't be, DNS or NTP maybe

    I have two internal DNS resolvers, one on the pfSense, and one on its LAN (don't ask...). The one on the LAN uses the pfSense as its upstream DNS server, and that uses CloudFlare (DoH). Neither one is (or should be) publicly exposed. There shouldn't be any NTP stuff going on.

    You have a VPN on there at all? Could be something remote connecting to it and downloading. You might expect the traffic to be more symmetric if it was though.

    No, VPN service on the pfSense is disabled, and unless something on the "trusted" LAN is compromised, there shouldn't typically be anything inside making or receiving VPN connections.

    @bmeeks

    Maybe you have a Skynet node in your LAN

    Haha! You never know, these days! 😁

    Exactly what types of devices are on this "untrusted" LAN? Are they IoT type devices?

    No, there are no IoT devices on the "WAN", but a few old, creaky devices I have no control over. That's why the pfSense is between that stuff and me. There are a few PCs and an antique smartphone that I know of over there. However, that traffic should never be hitting my WAN port, much less flowing through it. If it does get sent my way for some reason, the firewall should block that.

    The resolution is bits/second in those graph screen grabs. So while not silent, the interfaces are not exactly maxed out either.

    Correct, but 300Kb/s is still a lot of data for the pfSense to be downloading non-stop, while the other two ports are idle. Where is that data going? And where is the uploaded data coming from?

    doing a WAN packet capture using the tools under the DIAGNOSTICS menu might be helpful.

    Agreed, I wasn't aware that feature was baked in, but I certainly hope to get a capture next time. Oddly enough, all is still quiet in this regard. Maybe I poked at it too much.


  • Netgate Administrator

    I agree, there's nothing in pfSense itself I would expect to behave like that. A pcap would tell all.



  • @stephenw10 I was preoccupied for a bit there, but I just noticed this going on again, and got a couple pcaps.

    Here's the weird thing...virtually all of this traffic is between my DoH providers and the pfSense. It is mostly my backup DNS provider in this case (IBM) but I see a little bit of my primary provider (Cloudflare) in there. I'm not sure if I should go publishing the pcaps on here publicly, but do you want me to DM them to you?



  • @CyberMinion Are you still getting almost constant rates from public dns??? Have you run the pcaps through wireshark?


  • Netgate Administrator

    I assume it's all outbound connections? It should be....

    Hard to imagine what it could possibly be sending legitimately for that long.

    Steve


  • LAYER 8 Global Moderator

    Well you got something trying to find some fqdn, that doesn't resolve and the client keeps asking, or has a ttl of 30 seconds, etc. etc.

    Problem with doh, is it's hard to see exactly what is being queried for.. But you know not being able to troubleshoot what is going on is well worth you know my isp knowing I went to www.google.com for gosh sake ;)

    setup unbound to log all queries, and maybe you can see what is being queried, even pfsense if you have it pointing to loopback..

    In the unbound option box

    server:
    log-queries: yes
    log-replies: yes
    


  • @netblues

    Are you still getting almost constant rates from public dns???

    Sorry, can you clarify?

    Have you run the pcaps through wireshark?

    Yes, I looked at them in Wireshark.

    @stephenw10

    I assume it's all outbound connections? It should be....

    No, I see bi-directional traffic
    cd200067-a323-4870-8822-9afb02719af3-image.png

    @johnpoz

    In the unbound option box...

    Sorry, being clueless here...where do I find this "unbound option box"? I have "Custom options" in my DNS resolver management page, but that's about all I'm seeing.


  • LAYER 8 Global Moderator

    Yes that is the options box.



  • @johnpoz
    Okay, I've appended that to my options. All is quiet for now since I am active on this network right now; I'll keep an eye on it for the next incident.


  • LAYER 8 Global Moderator

    Yeah you're going to have to watch your log.. Keeping in mind that every time a query is done if it has to open a new tls connection that is going to be quite a bit of overhead, and if doing it to multiple servers and for multiple queries that can add up.

    So just took a look at my top "talkers" for dns - and noticed I had left a ubuntu vm running.. Guess what it likes to do a lot!! check for connectivity-check.ubuntu.com, not only for A but also for AAAA, and then guess what it does it also checks for connectivity-check.ubuntu.com.local.lan - because local.lan is my local suffix.

    It's making these every few minutes if not seconds - just in case you know there is a captive portal it needs to auth to.. While a couple of packets for dns normally not a big deal, if you're using doh or tls that data is amplified X.. Now do that for how many devices, how many queries.. So yeah you could for sure raise the grass level of your traffic going back and forth even when you're thinking your network is idle..

    In the last 24 hours there have been over 1000 queries for these fqdn.

    last24hours.png

    What else is being looked for? That is why log of your queries will help, or if you were not encrypted you could just sniff the wan traffic and see what was being asked for since your dns query would be in the clear.

    Now in my case that .local.lan won't be sent upstream, since I set unbound to not do that by changing the type of zone... But out of the box transparent mode when asked for stuff that is not in your zone, it will ask upstream for that..

    So you have figured out that there seems to be a lot of what you would consider idle traffic to your doh servers.. So you need to figure out what is being asked, so you can just live with it, or make some changes to reduce that traffic or eliminate it completely.. My example, I turned off that check in ubuntu - since have zero need of it.. I don't run captive portal, etc.



  • @johnpoz Good points--such things can certainly do a seemingly excessive number of lookups. However, that assumes the traffic is originating from inside the LAN. In this case, I can tell just based on traffic volume that this traffic is originating from the pfSense itself. While it is sending/receiving a massive number of requests, the LAN and OPT ports are seeing almost no traffic at all.


  • LAYER 8 Global Moderator

    Your local traffic would be small udp dns queries of a couple of bits.. You get an amplification when you're using doh..

    Maybe it's some package on pfsense doing queries for say IPs hitting its wan, do you have say IPS running?

    This is why you need to log the queries.. You will see be it pfsense or something else doing the queries..

    look at the size of your exchanges in your few packets you sniffed.. Over a time frame of like what .2 seconds.. Now multiply that by hundreds of queries or 1000's even..

    To be honest using doh you're doing a dns amplification attack against yourself - to hide that you're going to google.com from your ISP.. I don't get it... So you make your dns slower, you now hand over everything you ever ask for to google and quad nine, etc. on a silver platter.. Because you're trying to hide that you ask for xyz.com from your ISP?? It's crazy.. But because company xyz says hey you can trust us - hand all your dns to us we won't do anything bad with that info "we promise" ;)

    It's nuts!! I will just resolve myself thank you very much..



  • @johnpoz

    You get an amplification when you're using doh..

    That makes some sense, but how would a few b/s become 70 Kb/s upload and 400 Kb/s download? Overhead? Sure, there's some, but that's ridiculous. Meanwhile, in the middle of the day while the pfSense has devices behind it actually in use, this bandwidth consumption decreases considerably. It's only while everything is idle that my problem occurs. Just for laughs, I could shut off DoH for a bit and see, but this doesn't seem to explain the issue. If it were DoH at fault, I would be seeing this "overhead" increase, or at least remain constant while devices behind it are in use. Instead this "overhead" vanishes entirely while its devices are in use.

    do you have say IPS running

    I have an IDS (SNORT) running on the pfSense. It is passive.

    So you make your dns slower, you now hand over everything you ever ask for to google and quad nine, etc. on a silver platter.. Because you're trying to hide that you ask for xyz.com from your ISP?? It's crazy..

    Fair point, but that's why the DNS provider needs to be chosen carefully (I hope to switch to OpenDNS soon, but they do not have standardized DoH support yet). I would never use Google, for example, because their business model is based on selling private data. However, local ISPs are also selling private browsing data, so if I can make it just a little bit harder for them to farm my internet traffic by sending it to someone I trust, I'll do it (unless, of course, it is causing a malfunction). From a user experience perspective, you can't even see the difference in speed with DoH running.

    Tell you what, I will watch it as is for now, but next time I see this problem, I will check my query log, then try disabling DoH. It can't hurt to try (other than the cost of private data).


  • LAYER 8 Global Moderator

    @CyberMinion said in pfSense using unreasonable amount of bandwidth while idle:

    so if I can make it just a little bit harder for them to farm my internet traffic

    Why? I mean really - the genie is already out of the bottle.. Do you really think you're hiding from anyone.. You are worried that your isp knows you like to visit xyz domain. You understand they know you are going there anyway by the traffic you're sending from IP to IP, if they really want to look.

    Do you only use cash, do you only use burner phones. Do you not drive a car because they can track your license plate. What about your cell phone, you know they know exactly where you're at all times, be it gps or just what cell tower you're talking to. And your text message - do you encrypt them all? Do you not use reward cards.. The amount of info given away by your typical day to day usage.. And people are worried about your isp knowing you did a query for xyz.com is just freaking ridiculous.. You're just making your experience suck more is all you're doing ;)

    For some reason you think sending all your dns to company X is better than just forcing your isp to actually sniff your traffic for your dns queries because you're sending them all over the planet via resolving. It makes no sense. And hey it's worth hiding it from my isp so much that I want my dns to suck by slowing it down and forcing more traffic to be used..

    I just don't get it..

    I have an IDS (SNORT) running on the pfSense. It is passive

    Does not mean it's not trying to resolve every IP it sees.. It sees ip 1.2.3.4 hit your wan on port X, so it tries to look up via ptr that IP.. So it sends query to 9.9.9.9 via doh.. So via that 2 bits hit your wan on port X, now you have amplified the traffic trying to find out the ptr for 1.2.3.4

    Here is the thing - the data that is you has already been monetized.. You sending to company X, because you "trust" them more is just giving another company more info about you, in an attempt to hide it from company Y - that you actually pay to connect you ;) And if they could somehow make your internet better ok sure, but really all it does is slow down your internet, and make troubleshooting issues more difficult..



  • DoH in a locally administered lan, when YOU are the admin is absurd.
    DoH is good for journalists behind the Great China Wall, visitors to North Korea and the like.
    There, who do you trust is often a life or death decision.
    When you have a local resolver like unbound I see zero value using anything else.
    One can argue that by doing that we put too much strain into root servers. But with today's traffic engineering capabilities and available load balancing methods this is rather trivial.
    And the money paid for top level domain fees has sky rocketed too, so a decent root dns infrastructure is expected.

    As for the traffic pattern, I still find it hard to be like this at an almost constant rate just by resolving. I mean, there should be some caching somewhere (and negative too).
    Gut feeling, this is some kind of bug inside the rather new DoH, or some other kind of bug, upstream.

    I would disable all kinds of upstream queries by port forwarding everything to pf unbound. (and blocking outbound access to port 53 and 853 for ipv6 queries too)
    Put unbound to resolve without any forwarder.
    The only manual thing that needs to be done on clients is disabling DoH.


  • LAYER 8 Global Moderator

    @netblues said in pfSense using unreasonable amount of bandwidth while idle:

    DoH in a locally administered lan, when YOU are the admin is absurd.

    QFT!!!

    The only manual thing that needs to be done on clients is disabling DoH

    Agreed, and that is a serious problem! It should never be opt out, it should be opt in.. It's BS plain and simple that make a choice of sending my dns to them without explicit permission from the user. My browser had a local dns working just fine, until you thought it was better to send my dns to you, etc..

    I shouldn't have to setup canary domains or make or click don't in the browser.. I should have to on purpose choose to send my dns via doh.



  • Ok, so the issue is back. I'm seeing the same two queries over and over again:
    DNS log 2020-08-04.jpg
    (I masked the LAN's name...pardon that)

    It seems to be alternating between bursts of 066.136.238.176 queries, and 066.136.237.192 queries.

    I tried disabling DoH, and applying this update to the DNS resolver...no change. These are requests for AAAA records; I previously disabled IPv6 on the pfSense, but due to the aforementioned issue of config changes being lost 12-48 hours after being applied, IPv6 is enabled again. I might try disabling it, to see what that does.

    @johnpoz

    Why? I mean really - the genie is already out of the bottle

    I didn't mean to drag us into the "Privacy is a right" vs "Privacy is gone, give up, there's no hope so just let them have it all. You have nothing to hide, right?" argument. You might be surprised the lengths I go to which some would consider unreasonable. Some degree of privacy is still attainable, if you are willing to work for it.

    Does not mean it's not trying to resolve every IP it sees.. It sees ip 1.2.3.4 hit your wan on port X, so it tries to look up via ptr that IP

    I don't think SNORT is resolving IPs. I looked through its config, and found nothing in that regard. It certainly isn't showing resolved info to me in the event log either. I could be missing something though.


  • Netgate Administrator

    You have those in an alias? Something with a rogue . or digit causing the firewall to try to resolve an IP as an FQDN?


  • LAYER 8 Global Moderator

    Yeah what exactly is trying to be resolved there.. It's not a PTR, and doesn't even look like a valid IP? 066? But what's hidden there in the tld?

    Is it adding your local domain as the tld?


  • Netgate Administrator

    It's appending the local domain after failing without it.

    Check the Resolver logs in pfSense for filterdns entries. That looks exactly like it's a bad alias entry.

    Steve


  • LAYER 8 Global Moderator

    So those IPs via ptr are in the dsl.ltrkar.swbell.net domain... I take it that's your isp?



  • @CyberMinion said in pfSense using unreasonable amount of bandwidth while idle:

    I don't think SNORT is resolving IPs. I looked through its config, and found nothing in that regard. It certainly isn't showing resolved info to me in the event log either. I could be missing something though.

    Correct, neither Snort nor Suricata do anything with automatic DNS lookups. There is not even the required client code within either package (not in the binary portion and not in the GUI portion).

    The IDS/IPS packages only cause a DNS lookup via two methods. The user manually clicks the little "i" icon next to an alert on the ALERTS tab to perform a reverse lookup on the IP. That lookup is actually handed off to the firewall for the DNS task. The other time the packages would use DNS is when the periodic rules update cron task executes and calls curl with a URL to download the rules files. That happens at most twice per day.



  • @stephenw10

    rogue . or digit causing the firewall to try to resolve an IP as an FQDN?

    Maybe. I was wondering what kind of a lookup that is.

    @johnpoz said in pfSense using unreasonable amount of bandwidth while idle:

    Yeah what exactly is trying to be resolved there.. It's not a PTR, and doesn't even look like a valid IP? 066? But what's hidden there in the tld?

    I think maybe it is an IP with its octets inverted. So in this case, 176.238.136.066. (That doesn't have a DNS record)

    Is it adding your local domain as the tld?

    Yes, the local domain is showing as the TLD...that is what I masked. I've seen this a few times before on my network, and wondered why.
    I have an internal DNS resolver (Pi-Hole) which uses pfSense as my upstream resolver. PiHole has not seen any queries for these IPs in the past 30 days, so they are coming from the pfSense itself.

    @stephenw10

    Check the Resolver logs in pfSense for filterdns entries. That looks exactly like it's a bad alias entry.

    What exactly should I be looking for? All I'm really seeing is what I published above, repeating over and over.

    @johnpoz

    So those IPs via ptr are in the dsl.ltrkar.swbell.net domain... I take it that's your isp?

    No, that is not my ISP.

    @bmeeks

    Correct, neither Snort nor Suricata do anything with automatic DNS lookups

    Good to know.

    The IDS/IPS packages only cause a DNS lookup via two methods. The user manually clicks the little "i" icon next to an alert on the ALERTS tab to perform a reverse lookup on the IP

    I haven't done that any time recently

    The other time the packages would use DNS is when the periodic rules update cron task executes and calls curl with a URL to download the rules files. That happens at most twice per day.

    That occurred to me as a possibility. It currently performs this at 2am, and if I notice my problem, it will be in the morning. Sometime throughout the late morning or early afternoon, it stops.


  • Netgate Administrator

    Something like this:

    Aug 4 22:04:38 	filterdns 		Adding Action: pf table: test_alias host: 78.89.1000.25
    Aug 4 22:04:38 	filterdns 		Adding host 78.89.1000.25
    Aug 4 22:04:38 	filterdns 		failed to resolve host 78.89.1000.25 will retry later again. 
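An added example (not posted by anyone in the thread, and not pfSense or unbound code) tying together the query logging suggested earlier and the bad-alias symptom shown just above: it tallies queries per client from unbound query-log lines and flags IP-shaped names that are being looked up as hostnames, with or without the local domain appended. The log lines are constructed, and the line layout, the `mylan` search domain and the 192.168.10.20 client are assumptions.

```python
import re
from collections import Counter

# Query lines written by unbound with "log-queries: yes" end in
# "info: <client> <qname> <qtype> IN". Reply lines ("log-replies: yes")
# carry extra fields after the class, so the trailing "$" skips them.
QUERY_RE = re.compile(r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>[A-Z0-9]+) IN$")

SEARCH_DOMAIN = "mylan"  # assumption: placeholder for the masked local domain

# Constructed sample lines modelled on the queries described in the thread.
SAMPLE_LOG = """\
Aug 4 09:15:01 unbound 4321:0 info: 127.0.0.1 066.136.238.176. AAAA IN
Aug 4 09:15:01 unbound 4321:0 info: 127.0.0.1 066.136.238.176.mylan. AAAA IN
Aug 4 09:15:01 unbound 4321:0 info: 127.0.0.1 066.136.238.176.mylan. AAAA IN NXDOMAIN 0.021000 0 115
Aug 4 09:15:02 unbound 4321:0 info: 127.0.0.1 066.136.237.192. AAAA IN
Aug 4 09:15:02 unbound 4321:0 info: 127.0.0.1 066.136.237.192.mylan. AAAA IN
Aug 4 09:15:03 unbound 4321:0 info: 127.0.0.1 066.136.238.176.mylan. AAAA IN
Aug 4 09:15:04 unbound 4321:0 info: 192.168.10.20 connectivity-check.ubuntu.com. A IN
Aug 4 09:15:04 unbound 4321:0 info: 192.168.10.20 connectivity-check.ubuntu.com.mylan. AAAA IN
Aug 4 09:15:05 unbound 4321:0 info: 127.0.0.1 78.89.1000.25. A IN
""".splitlines()


def strip_search_domain(qname, search_domain=SEARCH_DOMAIN):
    """Return (name, suffixed): the name without trailing dot or local suffix."""
    name = qname.rstrip(".").lower()
    suffix = "." + search_domain.strip(".").lower()
    if name.endswith(suffix):
        return name[: -len(suffix)], True
    return name, False


def ip_shaped(name):
    """'ipv4' for a strict dotted quad, 'malformed-ip' for four numeric labels
    that are not a valid address (leading zero, octet > 255), else None."""
    labels = name.split(".")
    if len(labels) != 4 or not all(re.fullmatch(r"[0-9]+", l) for l in labels):
        return None
    strict = all(int(l) <= 255 and (l == "0" or l[0] != "0") for l in labels)
    return "ipv4" if strict else "malformed-ip"


def analyze(lines, search_domain=SEARCH_DOMAIN):
    """Return (queries per client, IP-shaped names queried as hostnames)."""
    talkers = Counter()
    hits = {}
    for line in lines:
        m = QUERY_RE.search(line.rstrip())
        if not m:
            continue  # not a query line (reply line or other log noise)
        talkers[m["client"]] += 1
        name, suffixed = strip_search_domain(m["qname"], search_domain)
        kind = ip_shaped(name)
        if kind is None:
            continue  # ordinary hostname, nothing to flag
        h = hits.setdefault(name, {"name": name, "kind": kind, "count": 0,
                                   "suffixed": 0, "qtypes": set(), "clients": set()})
        h["count"] += 1
        h["suffixed"] += suffixed  # True counts as 1
        h["qtypes"].add(m["qtype"])
        h["clients"].add(m["client"])
    findings = sorted(hits.values(), key=lambda h: -h["count"])
    return talkers, findings


if __name__ == "__main__":
    talkers, findings = analyze(SAMPLE_LOG)
    print("Top talkers:", talkers.most_common(3))
    for f in findings:
        print(f"{f['count']:>4}  {f['name']:<18} {f['kind']:<13} "
              f"types={sorted(f['qtypes'])} from={sorted(f['clients'])} "
              f"with-suffix={f['suffixed']}")
```

A flagged name whose only client is 127.0.0.1 points at the firewall itself as the source, which is the case where the alias tables are worth checking for a mistyped address.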
    


  • I had this question come up from a customer.. Turns out he was VPN'd into the site to watch WAN traffic graphs. Is there the possibility that someone is looking at the WAN remotely?


  • Netgate Administrator

    He says not. I thought it could easily be a VPN though the traffic would be more symmetric if it was an external user pulling external files hairpinned.

    Steve



  • @stephenw10

    Something like this:

    I'm not seeing any logs that look like that...would this be under Status/System Logs/System/DNS Resolver?

    @chpalmer

    Is there the possibility that someone is looking at the WAN remotely?

    Shouldn't be, unless something is compromised. The exterior NAT router, and the pfsense behind it both have VPN services turned off. All ports are closed on the exterior SOHO NAT router, and UPnP is disabled there. On the pfSense behind it, UPnP is actually enabled (oops!) but in past experiments, I found that the UPnP requests sent upstream by one of my devices only reached the pfSense, where they were honored (at present, no UPnP ports are opened on pfSense). On the edge router, no ports were opened while it had UPnP enabled. Anyway, the point is, pfSense currently has UPnP enabled, but unless there is a way to get the edge router to open ports while its UPnP is disabled, there should be no option to open an unsolicited connection from the outside, even if internal malware was trying to open ports. I will disable UPnP on pfSense soon, but I don't want to change too many things at once while troubleshooting.

    P.S. Thanks for sticking with me on this issue! Much appreciated!


  • Netgate Administrator

    Yes, if you were hitting that it would be in the resolver log.



  • @stephenw10

    Yes, if you were hitting that it would be in the resolver log.

    Okay, well I don't see that going on right now, but next time I notice the issue, I will check.



  • @stephenw10 said in pfSense using unreasonable amount of bandwidth while idle:

    failed to resolve host

    I'm still not seeing any of the lines you mentioned in the log, just a whole lot of this going on:

    a7e7b7b6-264f-44a0-94a0-125bd35ab58d-image.png
    (network hostname removed to protect the guilty)

    I see several pages of this for each second that passes.



  • @CyberMinion said in pfSense using unreasonable amount of bandwidth while idle:

    I see several pages of this for each second that passes.

    Hello!

    Are you running any python modules in unbound?

    John


  • LAYER 8 Global Moderator

    Be it that is causing that much bandwidth or not.. You got something doing A queries for what is supposed to be an IP it looks like..

    Figure out what is asking for that.. Pfsense out of the box is not going to query for that..

    And doing a suffix search, which is just local? If so why are you hiding it?



  • @serbus

    Are you running any python modules in unbound?

    None that I am aware of...unless maybe SNORT is running unbound. I can't find any mention of that in the config, but I think it might use Python. EDIT: Oh duh, pfBlocker uses Unbound.

    @johnpoz

    All I know is that it is originating from the pfSense. Here are the packages I have installed. There's always the possibility of a misconfiguration on one or more of them.

    af11866a-a7ea-45a4-b73e-8ad67459a7fe-image.png

    And doing a suffix search, which is just local? If so why are you hiding it?

    I'm not sure what kind of a lookup it is doing, but I'm hiding that part of it just because it is the internal hostname. Names are hidden to protect the guilty. 🤕 Just suppose what I covered is "MyLAN" or "MyNetworkName"

    I don't need SNORT, so maybe I will try shutting that off for a bit. It shouldn't be doing any lookups of its own, but it's worth a try. If that doesn't work, maybe I'll try shutting down pfBlocker. I don't want to do that, but I can if needed. These are the two main packages I have running here.

    Is there a way to get details on resource utilization of each process? That way, I might be able to correlate the network traffic with a specific pid.

