Netgate Discussion Forum

    Noticing traffic spikes on VLANs with no clients?

    General pfSense Questions
    11 Posts 5 Posters 516 Views
    • TechNetwork1

      I created 4 VLANs on my pfSense (Private, Office, IoT and Guest) and currently have no clients at all connected to either the Office or Guest VLAN. I've noticed on the traffic graphs on my dashboard occasional spikes in activity, so I ran a packet capture to reveal what it was. I'm not entirely experienced enough in networking to understand the significance of what the packet capture revealed (ARP requests?) or whether this is completely normal activity. Any additional knowledge about this is appreciated.

      [attachment: Packet Capture]

      [attachment: Traffic Activity]

      • JonathanLee

        Set your ACL to log traffic to see what's connecting. That is a ton of ARP requests; maybe set that MAC address to static if it's a NAS or something.

        Make sure to upvote

        • stephenw10 Netgate Administrator

          What is 10.18.40.1? Looks like that is running a scan for any other clients in the subnet.

          • TechNetwork1 @stephenw10

            @stephenw10 My Office VLAN ID is 40, so 10.18.40.1 is my default gateway for that subnet; I created a DHCP pool of 10.18.40.100 to 10.18.40.200. Is it normally expected for that gateway address to routinely scan?

            • johnpoz LAYER 8 Global Moderator @TechNetwork1

              @TechNetwork1 said in Noticing traffic spikes on VLANs with no clients?:

              My Office VLAN ID is 40 so 10.18.40.1 is my default gateway

              You mean that is the pfSense IP on VLAN 40? I would guess you have the ntop package installed, and it's doing a network discovery; that is an ARP scan to see what IPs are there so it can do a discovery of services on the ones that answer.

              https://www.ntop.org/ntopng/network-device-discovery-part-1-active-discovery/

              You can either turn it off, or change its interval to how often you want it to run.

              [attachment: ntop.jpg]

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              • stephenw10 Netgate Administrator

                That ^ 😉

                • dennypage @johnpoz

                  @johnpoz said in Noticing traffic spikes on VLANs with no clients?:

                  I would guess you have ntop package installed, and its doing a network discovery - that is a arp scan to see what IPs are there so it can do a discovery of services on the ones that answer.

                  ntopng Active Discovery does a lot more than just ARP scans. It does a lot of "evil" things, including ssh fingerprinting. I cannot recommend strongly enough that it be disabled.

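The scan stephenw10 spotted in the capture and the firewall-originated SSH connections dennypage describes have the same shape: one source address fanning out to many targets in a short time. As an added example (not code from the thread, from pfSense or from ntopng), here is a small Python script that reads the default tcpdump text that pfSense's Diagnostics > Packet Capture prints and flags (a) ARP request sweeps and (b) TCP SYN fan-out from one source to one port across many hosts. The capture lines are constructed for the example, reusing the thread's 10.18.40.0/24 addresses; the window and thresholds are arbitrary assumptions, not tuned values.

```python
"""Flag scan-like fan-out in pfSense packet-capture (tcpdump text) output.

Added example for this thread; not code from pfSense, ntopng or any poster.
Two patterns are detected, both "one source, many targets, short time":
  * ARP request sweeps  (who-has X tell SRC, for many X)
  * TCP SYN fan-out     (SRC -> many hosts on one destination port)
"""
import re
from collections import defaultdict

# Constructed sample in the default tcpdump text format pfSense's Diagnostics >
# Packet Capture prints. Addresses follow the thread (10.18.40.1 is the pfSense
# VLAN 40 address); the lines themselves are made up for the example.
SAMPLE_CAPTURE = """\
12:01:02.100001 ARP, Request who-has 10.18.40.100 tell 10.18.40.1, length 28
12:01:02.100402 ARP, Request who-has 10.18.40.101 tell 10.18.40.1, length 28
12:01:02.100803 ARP, Request who-has 10.18.40.102 tell 10.18.40.1, length 28
12:01:02.101210 ARP, Request who-has 10.18.40.103 tell 10.18.40.1, length 28
12:01:02.101603 ARP, Request who-has 10.18.40.104 tell 10.18.40.1, length 28
12:01:02.102001 ARP, Request who-has 10.18.40.105 tell 10.18.40.1, length 28
12:01:02.150000 ARP, Reply 10.18.40.101 is-at aa:bb:cc:dd:ee:01, length 28
12:01:05.000001 IP 10.18.40.1.54321 > 10.18.40.101.22: Flags [S], seq 1, win 65535, length 0
12:01:05.000502 IP 10.18.40.1.54322 > 10.18.40.104.22: Flags [S], seq 2, win 65535, length 0
12:01:05.000900 IP 10.18.40.1.54323 > 10.18.40.105.22: Flags [S], seq 3, win 65535, length 0
12:01:05.001200 IP 10.18.40.101.22 > 10.18.40.1.54321: Flags [S.], seq 9, ack 2, win 65535, length 0
12:02:30.000000 ARP, Request who-has 10.18.40.1 tell 10.18.40.101, length 28
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
ARP_REQ = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+).*\bARP\b.*Request who-has (?P<target>{IPV4})"
    rf"(?: \([^)]*\))? tell (?P<src>{IPV4})"
)
TCP_FLAGS = re.compile(
    rf"^(?P<ts>\d\d:\d\d:\d\d\.\d+).*\bIP\b (?P<src>{IPV4})\.(?P<sport>\d+) > "
    rf"(?P<dst>{IPV4})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def _seconds(ts: str) -> float:
    """'HH:MM:SS.ffffff' -> seconds since midnight (assumes the capture is within one day)."""
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_events(text: str) -> list:
    """Return (kind, time, src, target, dport) tuples for ARP requests and bare TCP SYNs."""
    events = []
    for line in text.splitlines():
        m = ARP_REQ.match(line)
        if m:
            events.append(("arp", _seconds(m["ts"]), m["src"], m["target"], None))
            continue
        m = TCP_FLAGS.match(line)
        # Flags [S] is a new outbound connection attempt; [S.] is the SYN-ACK reply.
        if m and m["flags"] == "S":
            events.append(("syn", _seconds(m["ts"]), m["src"], m["dst"], int(m["dport"])))
    return events


def find_sweeps(events, kind: str, window: float, min_targets: int) -> dict:
    """Flag sources that touch >= min_targets distinct targets within `window` seconds.

    ARP events are keyed by source IP; SYN events by (source IP, destination port), so
    a sweep of one service across the subnet shows up as one entry. Returns
    {key: sorted list of every distinct target that key contacted in the capture}.
    """
    by_key = defaultdict(list)
    for k, t, src, target, port in events:
        if k == kind:
            by_key[src if kind == "arp" else (src, port)].append((t, target))

    def ip_key(ip):
        return tuple(int(o) for o in ip.split("."))

    hits = {}
    for key, items in by_key.items():
        items.sort()
        lo = 0
        for hi in range(len(items)):            # sliding time window over the events
            while items[hi][0] - items[lo][0] > window:
                lo += 1
            if len({tgt for _, tgt in items[lo:hi + 1]}) >= min_targets:
                hits[key] = sorted({tgt for _, tgt in items}, key=ip_key)
                break
    return hits


def analyse(text: str, window: float = 10.0) -> dict:
    """Run both detectors. Thresholds are assumptions for the example, not tuned values."""
    events = parse_events(text)
    return {
        "arp_sweeps": find_sweeps(events, "arp", window, min_targets=5),
        "syn_fanout": find_sweeps(events, "syn", window, min_targets=3),
    }


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE)
    for src, targets in result["arp_sweeps"].items():
        print(f"ARP sweep from {src}: {len(targets)} hosts {targets[0]}..{targets[-1]}")
    for (src, port), targets in result["syn_fanout"].items():
        print(f"SYN fan-out from {src} to tcp/{port}: {targets}")
```

On the constructed sample the script reports one ARP sweep from 10.18.40.1 covering .100 through .105 and one SYN fan-out from 10.18.40.1 to tcp/22 on three hosts, while the single ARP request from 10.18.40.101 for its gateway stays below the threshold. To run it against a real capture, paste the saved text of the packet capture into SAMPLE_CAPTURE (or read it from a file); a source that trips either detector and is the firewall's own interface address is what this thread ended up attributing to ntopng's Active Discovery.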
                  • johnpoz LAYER 8 Global Moderator @dennypage

                    @dennypage Just for clarity: I don't even have ntop enabled. I had to enable it to get the screenshot ;) The only time I would have use for it would be if looking into something specific. And yeah, not really a fan of auto discovery of any sort, unless it was manually triggered and I knew exactly what it was going to do.

                    It can be a very useful tool, but it's also going to be a performance hit. To me it makes more sense as a troubleshooting tool vs. "hey, let this thing run 24/7/365".


                    • dennypage @johnpoz

                      @johnpoz said in Noticing traffic spikes on VLANs with no clients?:

                      And yeah, not really a fan of auto discovery of any sort, unless it was manually triggered and I knew exactly what it was going to do.

                      Same page.

                      What really sets me off is the documentation for ntopng makes it sound like some benign thing. You have to read the code to see what it actually does.

                      I had a buddy who tested the new ntopng package for me. He pinged me saying "Do you know any reason that pfSense should be making ssh connections to all the hosts in my network?" He was fully ready to wipe the firewall and re-install.

                      Turned out that he had enabled Active Discovery because he was curious about it, promptly got busy with other things and forgot about it.

                      • JonathanLee

                        It is enumerating your network.


                        • TechNetwork1 @johnpoz

                          @johnpoz Thank you so much! This helped me to understand and pinpoint the actual configuration responsible for the ARP scan.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.