WAN constantly receiving ~8 - ~40Mbit



  • Hi,

    I've stumbled upon something rather strange. Lately I've noticed the pfSense traffic graphs show that I receive ~8 - ~40Mbit of constant traffic towards the WAN port. It never passes to the LAN so I am wondering what traffic this is.
    This is the WAN side, as you can see it's raised from 8 to around 40Mbit of constant traffic, this happened when the pfSense was upgraded to the latest version:

    and the lan side:

    Does anyone have any idea why this is happening, I can't explain the 8Mbit either, so any help on troubleshooting on this would be greatly appreciated.

    Info about the box:
    2.1-BETA0 (amd64) - built on Wed Nov 7 13:10:53 EST 2012
    CPU - Intel® Core i3-2120T
    Motherboard - ASUS P8H77-I
    Memory - Kingston DDR3 HyperX blu 1600MHz 8GB
    Hard Drive - Western Digital Scorpio Blue 120GB
    NIC - Fujitsu D2735-2 Dual gigabit – based on the Intel® chip 82576NS
    Connection/ISP - 1000/1000 Mbit Fiber

    Edit 1:
    The traffic graph from pfSense itself:


  • LAYER 8 Global Moderator

    why don't you sniff and see what that traffic is made up of.  How would upgrading pfsense cause INBOUND traffic to your wan??

    Are you saying it misreported?  Again sniffing would show you want is being seen on the interface.



  • @johnpoz:

    why don't you sniff and see what that traffic is made up of.   How would upgrading pfsense cause INBOUND traffic to your wan??

    Are you saying it misreported?  Again sniffing would show you want is being seen on the interface.

    It looks strange and it caught my attention, I don't care if it's only 8 or 40 Mbit it doesn't really matter, what matters is to understand why.
    Here is a report, I don't know what to tell from it to be honest - I've attached it.

    package_capture.txt


  • LAYER 8 Global Moderator

    So most of that is multicast UDP

    non-234-179.ipredate.net.50023 > 239.100.5.1.1234

    And a bunch of other .2, .7, in this same multicast range

    I would guess IPTV based stream???  But without seeing the actual packet details its hard to say for sure.

    ipredate.net – I show that as

    NetRange:      208.87.32.0 - 208.87.39.255
    CIDR:          208.87.32.0/21
    OriginAS:
    NetName:        SECUREHOST

    Could be someone trying to request some sort of video stream?

    Clearly ODD, you might be able to gleen some better info from the details of the packets.  Do a capture on pfsense diag, and then open it up in your fav analyzer -- wireshark for example


Log in to reply