"Phantom" traffic on WAN interface
I have been running pfSense v1.2.3 for a few months now. Its running in ESXi on an IBM x3650 with 6 pNICs. The pfSense firewall has WAN, LAN, Wireless and DMZ intrfaces, each assigned to its own vSwitch and each vSwitch is assigned to a pNIC, and each pNIC connected to a vLANed L2 switch. I also have a site to site IPSec VPN that is currnently connected to an IPCop box, which will be replaced with a pfSense box shortly.
I noticed recently I had some kind of "phantom" traffic on my WAN interface. It's inbound traffic, with a pretty steady rate of about 2Mbps (it fluctuates some, drops off to near nothing for half a second here and there, but none of the other interfaces (LAN, DMZ, Wireless, IPSec) show anywhere near 2Mbps in or out. It's like the pfSense firewall is pulling the 2Mbps stream of data to itsself. I have been going nuts trying to figure out what this traffic is, and suddenly i had a thought (actually, as I was typing this). I have AT&T UVerse, and the WAN is shared (the pfSense is a DMZplus host, so all traffic from the internet can get to it) with the Set top boxes and DVR, and one TV was watching a SD channel, so I fired up a second TV on a HD channel, and sure enough, the traffic shot up to 7ish Mbps. Fired up a second HD Stream and up again to 13ish Mbps. Turned them all off and traffic dropped to zero.
So the question is, why is the pfSense registering the IPTV traffic as inbound to it? I don't think the IPTV traffic is multicast or broadcast. I think it's unicast to the DVR and set top boxes, or to the DVR and then to the set top boxes from the DVR. It seems rather odd that it's registering this traffic as inbound on the WAN interface. It doesn't register traffic between my server and workstations as inbound on the LAN (as it shouldn't). Anyone have any ideas?
If you perform a network capture on the WAN port of pfSense, what is the protocol, source and destination address of the traffic which you are seeing hitting the WAN interface?