Netgate Discussion Forum

    Very High WAN Traffic When No LAN Activity

    • P
      pV5
      last edited by

      New to PFSense+ and using SG-1100. I'm seeing the traffic LED on my Modem and on the WAN port blinking very fast. I don't see any of this passing to the LAN when looking at the traffic graphs on the status page. This happens even if I have no devices connected to the LAN port. I suspect that it's traffic from the Internet hammering on my router for open ports, etc.

      I'm using the default WAN firewall rules settings (no rules). How can I see what is going on on the WAN side? Like what traffic is coming to the WAN from the Internet side and being dropped by the firewall?

      Thanks,

      • S
        SteveITS Galactic Empire @pV5
        last edited by

        @pV5 you can set up a rule that blocks the traffic but logs it. Though there is a setting in the logs settings for whether to log or not log packets blocked by the default block rules. (I usually turn that off to reduce noise, and logging)

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @pV5
          last edited by johnpoz

          @pV5 the default is to log the default deny, so stuff being blocked on the wan would be logged.

          Keep in mind the light could be something that is not logged like arp for example.. Do a sniff (packet capture under diagnostics) on your wan if you're curious what is going on..

          Here captured 100 arp packets.. Look at time of first packet, and then time of 100th packet.. Less than 1 second, so yeah your light be going blinky blinky ;)

          100.jpg

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • P
            pV5 @johnpoz
            last edited by

            @johnpoz
            Thank you for your help. Where in PFSense can I find the log of the default WAN deny ?

            I used the packet capture under diagnostics as you suggested and I can see a few ping requests from my ISP default gateway, some port scanning requests from unknown locations, but mostly a lot of ARP packets. Some contain my ISP IP and my IP, but most of them don't. It looks like they are destined from another IP. What are all of these ARP packets and should I be concerned that they are showing up at my WAN? Are they sucking CPU from my router when they are being processed?

            Example from the capture. None of these are my IP or my ISP IP:
            15:10:41.994775 ARP, Request who-has xx.27.98.218 tell xx.27.98.1, length 46
            15:10:42.002767 ARP, Request who-has xx.27.99.196 tell xx.27.99.1, length 46
            15:10:42.004765 ARP, Request who-has xx.149.10.87 tell xx.149.10.1, length 46
            15:10:42.008748 ARP, Request who-has xx.27.99.204 tell xx.27.99.1, length 46
            15:10:42.029776 ARP, Request who-has xx.28.232.172 tell xx.28.232.1, length 46
            15:10:42.042781 ARP, Request who-has xx.14.55.128 tell xx.14.48.1, length 46
            15:10:42.055786 ARP, Request who-has xxx.59.65.174 tell xxx.59.65.169, length 46
            15:10:42.058787 ARP, Request who-has xx.233.199.221 tell xx.233.199.217, length 46
            15:10:42.070768 ARP, Request who-has xx.149.116.184 tell xx.149.116.1, length 46
            15:10:42.072769 ARP, Request who-has xx.27.99.241 tell xx.27.99.1, length 46
            15:10:42.073769 ARP, Request who-has xx.27.99.178 tell xx.27.99.1, length 46
            15:10:42.076777 ARP, Request who-has xx.27.99.198 tell xx.27.99.1, length 46
            15:10:42.085799 ARP, Request who-has xx.192.105.108 tell xx.192.105.105, length 46
            15:10:42.093802 ARP, Request who-has xx.27.99.141 tell xx.27.99.1, length 46
            15:10:42.103806 ARP, Request who-has xxx.59.214.171 tell xxx.59.214.161, length 46
            15:10:42.110809 ARP, Request who-has xx.149.23.124 tell xx.149.23.121, length 46

            @SteveITS
            Thank you for your help. Is this WAN firewall rule what you mean by adding a rule to drop and log traffic?
            Screenshot from 2023-08-06 11-20-13.png

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @pV5
              last edited by johnpoz

              @pV5 said in Very High WAN Traffic When No LAN Activity:

              Where in PFSense can I find the log of the default WAN deny ?

              In the normal firewall log.. Unless you disabled logging default deny? Then all traffic blocked by the default deny on any interface would be just in the firewall log.

              logbackets.jpg

              I have it turned off - because I have specific rules to just log what I want to log, ie only syn packets for tcp and only common UDP ports. Seeing all of the noise would be kind of pointless. But I am interested in specific traffic.

              yeah mine shows IP ranges that are not in my /21 I get from my ISP for arp as well. It seems many an ISP like to run multiple layer 3 on the same L2..

              But all of those arps would account for your blinky blinky lights.


              1 Reply Last reply Reply Quote 0
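The check described in the thread (time between first and last ARP packet, and how many different requesters share the segment) can be run over a saved capture. This is an added example, not code from any poster; the capture lines are copied from the thread with the first octet masked as posted, `MY_WAN_IP` is a constructed placeholder, and grouping requesters by their first three octets is an assumption used only as a rough proxy for "different layer 3 networks on the same L2".

```python
import re
from collections import Counter
from datetime import datetime

# First eight lines of the capture quoted in the thread (masked as posted).
CAPTURE = """\
15:10:41.994775 ARP, Request who-has xx.27.98.218 tell xx.27.98.1, length 46
15:10:42.002767 ARP, Request who-has xx.27.99.196 tell xx.27.99.1, length 46
15:10:42.004765 ARP, Request who-has xx.149.10.87 tell xx.149.10.1, length 46
15:10:42.008748 ARP, Request who-has xx.27.99.204 tell xx.27.99.1, length 46
15:10:42.029776 ARP, Request who-has xx.28.232.172 tell xx.28.232.1, length 46
15:10:42.042781 ARP, Request who-has xx.14.55.128 tell xx.14.48.1, length 46
15:10:42.055786 ARP, Request who-has xxx.59.65.174 tell xxx.59.65.169, length 46
15:10:42.058787 ARP, Request who-has xx.233.199.221 tell xx.233.199.217, length 46
"""
MY_WAN_IP = "xx.27.99.50"  # constructed placeholder, not from the thread

ARP_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2}\.\d{6}) ARP, Request who-has (\S+) tell (\S+), length \d+$"
)

def parse(text):
    """Return (timestamp, target, requester) for every ARP request line."""
    rows = []
    for line in text.splitlines():
        m = ARP_RE.match(line.strip())
        if m:  # non-ARP lines (ICMP, TCP scans) are skipped
            ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
            rows.append((ts, m.group(2), m.group(3)))
    return rows

def summarize(rows, my_ip):
    """Rate of ARP requests, who is asking, and how many concern this host."""
    span = (rows[-1][0] - rows[0][0]).total_seconds()  # assumes no midnight wrap
    requesters = Counter(req for _, _, req in rows)
    return {
        "packets": len(rows),
        "seconds": span,
        "rate_pps": len(rows) / span if span > 0 else float("inf"),
        "requesters": requesters,
        # Assumption: first three octets approximate one subnet per gateway.
        "prefixes": {req.rsplit(".", 1)[0] for req in requesters},
        "for_me": sum(1 for _, target, _ in rows if target == my_ip),
    }

if __name__ == "__main__":
    s = summarize(parse(CAPTURE), MY_WAN_IP)
    print(f"{s['packets']} ARP requests in {s['seconds']:.3f}s (~{s['rate_pps']:.0f}/s)")
    print(f"{len(s['prefixes'])} requester prefixes, {s['for_me']} requests for {MY_WAN_IP}")
```
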
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.