WAN traffic downloading at max rate w/ low traffic on LAN or DMZ

  • What could be going on?  I have snort and squid running on 2.0.1; it happens about 20 mins or so after reboot and seems like it only started maybe 2 days ago.  I just killed the states and have been waiting for about 30 mins now and it just started again.  I have snort running on both WAN and LAN with blocking enabled, but nothing seems to have triggered an alert.

    Anyone have any ideas?

  • Is squid pre-loading its cache?

    The pfSense shell command pftop can be used to display active states: type h once it's running to see single-letter commands to display state data. Two commands that might be useful: B to sort on bytes transferred and r to switch sort order (ascending to descending, descending to ascending).

    The states might give some useful hints about what is happening.

  • Thanks for the reply wallabybob; I didn't set the cache to pre-load, so I don't think that would be the problem.  I'll check the states more; I've looked at them, but not sure that I'm seeing anything weird other than one of my switches is connecting to a device for NTP.  That doesn't make sense to me.

  • Seems like it ended up being a squid/Windows updates configuration problem; thanks jimp for the help!  So far things are calm.  I'll keep my eye on it tonight.

  • Please post the details of your Windows Update / squid settings. I followed a pfSense doc somewhere on caching Windows updates in squid and saw the same thing you're describing. I ended up scrapping squid for other reasons but I may try it again at some point.

