Anyone experience high Download usage on WAN even if there is no users?
-
Tried the following still high Download usage,
- Exclude the said WAN on any RULE
- Block all on WAN
Tried removing the WAN cable itself that is the only time there is no Usage.
-
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
Exclude the said WAN on any RULE
Don't know what you mean.
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
Block all on WAN
No rules on the WAN interface (this is the default situation) will block traffic initiated from the outside.
You missed / didn't mention an important step : disconnect the LAN interface.
And before you say : "but how can I see the traffic then ?"
Answer : by using the most important access "interface" on pfSense : the VGA console or serial connection.
A firewall rule, doesn't matter the content of the rule, does not generate traffic.
That is, if you block packets that contain special flags like (example) 'TCP ACK', a TCP connection can not be established, and the source IP device will keep on hammering up until it fails.
Why do you think it's downloading something ?
Why not tell us who is "loading" from where ??
Multiple methods to get the info :
Status > Traffic Graph and select the 'Interface' setting : use LAN and also WAN, get the source and destination IP.
Example :
Knowing the IPs == knowing what's going on.
Or : Diagnostics > Packet Capture
By default WAN is selected.
Hit Start - wait a bit, stop, and have a look at what was captured.
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
Tried removing the WAN cable itself that is the only time there is no Usage.
The contrary would have been a miracle.
You might as well power down the device ;)
-
Thanks on this Tip.
Yep, I forgot to mention that I tried removing the LAN cable and the WAN still shows high Download usage.
Currently trying the packet capture to analyze.
-
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
high Download usage on WAN even if there is no users?
What are you considering "high" ?
Traffic being sent to your wan, even if blocked, would be seen as traffic on the wan. There is always noise on the internet. Bots, scripts looking for open ports, misdirected or old p2p traffic, arps from your fellow isp users that are quite often not filtered by the isp, etc. etc.
Someone trying to dos you from a game, etc. What exactly are you seeing in your firewall log? As mentioned, do a sniff on your wan.. What do you see for this traffic?
Example, just an example, of low level noise that could be seen. Here are all the arps; while arps are very small, they will register as traffic, so curious as to what you think is high?
Like a 2 second sniff, and over 100 packets.. None of which are my ip.. This is just different isp clients on my same isp network. None of those IPs are even in my actual IP network, isp tend to run multiple layer 3 over the same L2, etc..
-
@johnpoz Hi Johnpoz, it's from 50-100% of total bandwidth of Download Speed. I tried blocking the protocol and the IPs but it's still downloading.
Tried restarting and all, but it's still there after it senses that there is internet.
-
@tjsas1 what is the traffic? Again, blocking has nothing to do with it, the interface still "sees" the traffic even if the firewall blocks it.
Do a quick sniff; if it's that much traffic it should be very easy to see what it is from only a short sniff.
What does the firewall say it is from the block - what source IP(s) what port what protocol? tcp/udp?
It is not unheard of for some gamer to try and dos a fellow player..
-
-
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
Its a UDP from an external IP to my public IP.
What UDP port? Is it all the same external IP, is it always the same port? Could be you had 53 (dns) open at one time? Could be you're part of a p2p cloud?
Here is the thing, there is nothing pfsense can do to prevent inbound traffic to it.. You either need to fix the whatever on the outside that might be pointing to your IP in the first place.. Or you need to change your IP.. (this can normally be done via changing the mac of your device - pfsense can set a different mac address via the clone feature).. And then get another IP from your isp.
Or you need to contact your isp if its excessive inbound traffic that you do not want, and have no idea why, etc.
-
@johnpoz from multiple same ip with port 11211 to my port 80.
It's a dedicated IP that I don't use for any hosting.
-
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
11211
The source port would be random, unless the same session from that device. UDP to port 80, so quic? In your sniff, I would download and open in say wireshark so you can see exactly what the traffic is asking for, what is the payload of it, etc.
You sure you have the direction correct on the ports, you sure its not something answering you from their port 80 to your IP on that port?
Could you post up what exactly you're seeing? Sure, hide part of your public IP. What would be great is the sniff of this traffic.. You can remove your IP from the sniff, etc. Here is a good tool for sanitizing sniffs before posting to make sure your public IP is not listed, etc.
-
@johnpoz I see it now the following are causing the issue.
I am just not sure why blocking the IP won't work
-
@tjsas1 said in Anyone experience high Download usage on WAN even if there is no users?:
I am just not sure why blocking the IP won't work
Because the traffic has already gone down your connection to you.. It's blocked by default anyway.. All unsolicited traffic inbound to the wan is dropped by default. There is nothing you can do about the amount of traffic sent to your IP. It has already gone down your connection and used up your bandwidth; be it your device (firewall) processes it or not, it's already used up your bandwidth. The only way to stop a volumetric attack is at your isp, before it is sent down your connection using up your pipe.
So you wrangled your public IP to 192.168.1.5? Would be nicer to clearly make that made up, like 1.2.3.4 or something ;)
Did you also wrangle the source IP? Coming from India owned IP. That ip is listed as static.vnpt.vn
inetnum: 223.185.28.0 - 223.185.31.255
netname: MOHALI-UN
descr: Bharti Airtel Limited, Plot Number 21 Rajiv Gandhi Technology Park In Bharti Airtel Campus, I T Park, Chandigarh - 160001
country: IN

;; QUESTION SECTION:
;223.185.30.123.in-addr.arpa. IN PTR
;; ANSWER SECTION:
223.185.30.123.in-addr.arpa. 7047 IN PTR static.vnpt.vn.
There is a known dos attack using memcache. That 11211 port
https://www.cloudflare.com/learning/ddos/memcached-ddos-attack/
If you cannot easily change your IP, I would get with your ISP about that traffic.
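To put numbers on a short WAN sniff like the one discussed above, the following added example (not part of any forum post) totals inbound UDP per source and flags traffic arriving from well-known reflector source ports such as memcached's 11211. It assumes the capture was exported as `tcpdump -n -tt` text; the function name, sample lines and addresses are constructed for illustration.

```python
import re
from collections import Counter

# UDP services commonly abused as reflectors; a flood arrives FROM these ports.
REFLECTOR_PORTS = {11211: "memcached", 53: "DNS", 123: "NTP", 1900: "SSDP"}

# Matches `tcpdump -n -tt` text lines for UDP with no protocol decoder applied.
LINE_RE = re.compile(
    r"^(\d+\.\d+) IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > "
    r"(\d+\.\d+\.\d+\.\d+)\.(\d+): UDP, length (\d+)"
)

def summarize(capture_text, wan_ip):
    """Total inbound UDP to wan_ip, per-source bytes, and reflector share."""
    flows, reflected, stamps = Counter(), Counter(), []
    for line in capture_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != wan_ip:
            continue  # skip ARP, TCP, outbound and anything unparsable
        ts, src, sport = float(m.group(1)), m.group(2), int(m.group(3))
        size = int(m.group(6))  # UDP payload bytes; on-wire size is a bit larger
        stamps.append(ts)
        flows[(src, sport)] += size
        if sport in REFLECTOR_PORTS:
            reflected[REFLECTOR_PORTS[sport]] += size
    total = sum(flows.values())
    window = max(stamps) - min(stamps) if stamps else 0.0
    return {
        "total_bytes": total,
        "mbps": total * 8 / window / 1e6 if window > 0 else 0.0,
        "reflected_bytes": dict(reflected),
        "top_sources": flows.most_common(5),
    }

# Constructed sample (documentation address ranges), not taken from the thread.
SAMPLE = """\
1700000000.000000 IP 203.0.113.7.11211 > 192.0.2.10.80: UDP, length 1400
1700000000.250000 IP 203.0.113.7.11211 > 192.0.2.10.80: UDP, length 1400
1700000000.500000 IP 198.51.100.23.11211 > 192.0.2.10.80: UDP, length 1400
1700000000.750000 IP 198.51.100.99.40000 > 192.0.2.10.443: UDP, length 200
1700000000.900000 ARP, Request who-has 192.0.2.1 tell 192.0.2.77, length 46
1700000001.000000 IP 203.0.113.7.11211 > 192.0.2.10.80: UDP, length 1400
"""

if __name__ == "__main__":
    report = summarize(SAMPLE, "192.0.2.10")
    print(f"{report['mbps']:.4f} Mbps inbound UDP, reflected: {report['reflected_bytes']}")
    for (src, sport), size in report["top_sources"]:
        print(f"{src}:{sport} -> {size} bytes")
```

The per-source totals and the measured rate are the figures an ISP will want when asked to filter the traffic upstream.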
-
If you really experience some kind of "dos attack" : Look at the first 10 videos here.
Now you know what can be done.
Change your WAN IP. Keep your new IP hidden by using a VPN client for all your outgoing traffic. No one will find your WAN IP, as it is a VPN IP, and you can change that with a click of your mouse. You will not receive - or very few random - unwanted traffic. Just the usual 'Internet noise'.
Don't make enemies on the Internet. There will always be people that will find you, and try to saturate your access to the net.
You can even try this : Go visit your ISP, and ask them the access to their routers / firewall. Now you will be able to select what traffic goes to you.
-
-
@tjsas1 problem is the isp most likely will do nothing about it, unless this was a business line and you have ddos protection with them (normally not free)..
Your best bet is probably to get your IP changed, if you can not do it locally by altering your pfsense mac address on its public interface. Then get with your ISP and ask them to change your IP, because you're seeing inbound dos traffic - send them the sniffs you did showing the traffic, etc. And any info you can gather about amount. I wouldn't hide your public IP in those sniffs ;)
Problem with such traffic is there is nothing you can do at your end, other than changing your IP..
internet -- isp --- 10mbps connection --- you
If the internet is sending you 10mbps of traffic, and filling up your pipe.. There is really nothing you can do at your end.. The traffic, be it you drop it on your end or not, is still using up your connection. It's a common misconception as to what a firewall can do.. Now if there was say 1mbps of traffic and it was being sent to your server behind your router/firewall and this 1mbps of traffic was hurting your server's performance - then you could filter that from being sent on to your server. But as long as the traffic is sent, your connection would still see the 1mbps of traffic.. You need to stop the traffic from being sent to you down your limited connection. This is either done at the isp end, or you need to change your IP so that traffic to 1.2.3.4 doesn't go down your connection.
Other option ;) Get a fatter connection heheh.. If you had 1gig, and they were only sending 10mbps - then it wouldn't be a problem.. But if sending 1gig, you have the same problem.