What is my bandwidth being used by?



  • Hi, folks.

    I've recently replaced our ageing Watchguard with a pfSense firewall, and I'm seeing 100% utilisation on our main (only) WAN link - see attached 'interfaces.png'.

    I'm trying to get my head around the directionality of the various network segments. Am I correct in assuming that "WAN in" is traffic coming from the internet into the WAN interface, and that LAN "out" is traffic leaving the LAN segment?

    I have a basic Traffic Shaper policy in place, mostly just what the wizard created plus one extra queue for Office365 traffic, but everything looks like it's in the "qLink" queue.

    Basically, how can I find out what all this traffic is, so I can either report that we need more bandwidth, or block the offending traffic?

    I have bandwidthd, ntop and darkstat installed, but am not sure where to look for the information I need.



  • What version of PfSense are you using? If you go to traffic graphs and select the LAN interface it should tell you which IP address(es) are transmitting and then you should be able to investigate further. The latest Pfsense 2.1 Release has this functionality. If you have a older version you may have to go to your switch and just see which light is blinking the fastest and that is probably the computer that is using the bandwidth unless it's coming from a wireless device.



  • Ah, thanks. That is helpful - I'm on 2.1.

    Of course now I'm looking, it's gone down.



  • Am I correct in assuming that "WAN in" is traffic coming from the internet into the WAN interface, and that LAN "out" is traffic leaving the LAN segment?

    All "In/Out" on the Traffic Graph and table of bandwidth In/Out by IP are relative to the interface or client being reported.
    A download from the internet comes In to WAN, Out of LAN and In to the end client system on LAN.
    An upload comes Out of the end client system, In to LAN and Out of WAN.