High traffic WAN, locate source on LAN
-
Hi
I'm having this problem where I have huge traffic coming from two servers (Akamai content servers). With NTOP and traffic graph on WAN interface, I can see this traffic is eating all my resources. Problem is that on the LAN interface, I can't find a source where this traffic is going to. NTOP resolved the IP's into officecdn.microsoft.com so my first guess is that it has to do with MS Office 2013 streaming technology going nuts.
On the WAN interface I capture this traffic:
11:02:13.525112 IP xx.xx.xx.xx.13800 > 2.22.55.51.80: tcp 0
11:02:13.525195 IP 2.22.55.51.80 > xx.xx.xx.xx.13800: tcp 1448On the LAN interface, nothing exceptional stands out, also the traffic graph shows much lower throughput (120MBps vs 5-10MBps).
When I tried to block the traffic on the WAN interface, this traffic still went through.
Only when I blocked it as a floating rule, the traffic got blocked.This is a picture of the traffic happening before and after blocking:
My question:
- how to find out where this traffic is going to on the LAN side?
-
Well if I download something, the acks I have to send are going to be a very small percentage of the total traffic.. But you should see the outbound traffic (to the client) on the lan be as high as the inbound to the wan.
So if I look at both wan and lan I see matching traffic..
If i look at the actual graph I see the IP its sending too.
If your not seeing it on the lan, then it could be an attach, something blocked hitting wan.. What exactly did you block, look on your floating rule - turn on logging, what is hitting that rule.. Should also point to your box creating the traffic.
-
That's my problem.
The WAN traffic doesn't correspond with the LAN traffic.
I blocked it now again untill I get some more instructions on what I can do.
The rule now blocking the traffic is a floating rule on LAN and WAN blocking all TCP traffic from and to (2.22.55.83 and 2.22.55.51).
-
The rule now blocking the traffic is a floating rule on LAN and WAN blocking all TCP traffic from and to (2.22.55.83 and 2.22.55.51).
Will be extremely useless, those are Akamai CDN IPs, the traffic will just flow elsewhere soonish.
Are you using Office 365 or any similar junk?
-
Office 2013 on 10-15 computers.
The thread on Microsoft website you are reffering to is mine .
-
Office 2013 on 10-15 computers.
Might be just SP1 downloading if you are not using WSUS. Anyway, should take this to the proper place I guess.
-
If you have a bunch of machines generating traffic which would be cumulative on the wan, but smaller traffic to each on the lan side. Your easiest way to identify who is generating the traffic is via simple looking at the log of the rule you put in place to block it.
-
I'm seeing this too, WTF is going on?
Source Akamai IPs are different in my case, surely because the CDN has a different datacenter for Italy (where I'm at).
No unusual traffic on LAN, so same as you, I can't figure out the cause. During Windows Update downloads I ALWAYS see the corresponding traffic on LAN to the destination host (no WSUS server).
I also tried blocking it, on WAN or as floating, but traffic is still maxing out my WAN (PPPoE ADSL 7 Mbit, sadly).
When boss questioned about the slowness, I blamed the ISP, but this is definitely weird..This is no "attack"… Help ?!?!? :o :o :o
(
2.1.3-RELEASE (i386)
built on Thu May 01 15:52:17 EDT 2014
FreeBSD 8.3-RELEASE-p16
)
-
… this a wild guess so bear with me, I most definitely am not well versed in pfSense and networking...
IIRC the problem started after upgrading to 2.1.3. Could it be that 2.1.3 is ignoring [ System: Advanced: Networking : Allow IPv6 ] being unchecked and this is all IPv6 traffic?
-
"This is no "attack"… Help ?!?!?"
How do you know its not an attack? Or queries to a your IP because someone was running p2p? I would suggest you do a sniff of the traffic and see what it is..
I am not 100% sure, but even if the traffic was dropped - I would assume pfsense would record the traffic inbound, even if just dropped. If the interface is seeing the traffic, does not matter what is done with - be it allowed in and up the stack or just dropped or rejected?
See that level of inbound traffic - a sniff of a minute or so should give you a great idea on what the traffic is.
-
First of all thanks for replying.
How do you know its not an attack? Or queries to a your IP because someone was running p2p? I would suggest you do a sniff of the traffic and see what it is..
I'm fairly convinced it is not an attack, as the originating IPs of all the traffic are resolved as part of the Akamai CDN.
I doubt it anyone out there managed to spoof Akamai's DNS…It is not p2p traffic, as my LAN is under 20 hosts, all under my administrative control... Also, p2p traffic does not originate from Akamai hosts. If it were p2p traffic, I should be seeing some fairly random IPs, certainly not from the same subnet (I'm gettting traffic from 184.51.126.0/24).
The really weird part, as klazoid was saying, is that the WAN traffic has WAN_address as destination, but DOES NOT corellate with LAN traffic (see previously attached screenshot).
I setup the following fw rule:
- action PASS
- TCP/IP version IPv4+IPv6
- protocols TCP+UDP
- interface WAN
- source: Akamai originating IPs
- logging enabled
..but still there are NO messages in the firewall system logs....
I hope I'm not jumping to conclusions here, but could it be that all is not OK in 2.1.3 ? I'm faily lost...
-
Is the destination address your network or is it another IP? Could be the ISP incorrectly routing data at your computer. TCP or UDP? That would be a lot of TCP SYN packets, as your firewall is not going to ACK any of those.
-
Is the destination address your network or is it another IP? Could be the ISP incorrectly routing data at your computer. TCP or UDP? That would be a lot of TCP SYN packets, as your firewall is not going to ACK any of those.
The destination address is my WAN address, which is a static IP via PPPoE ADSL.
It's all TCP traffic.
As I said previously, firewall logs show nothing.. Tried both a floating rule and a WAN rule.
The originating IP of all that traffic changed, it's now 79.140.82.16
A RIPE query yields this:
inetnum: 79.140.82.0 - 79.140.82.255 netname: AKAMAI-OVER-SEABONE descr: Akamai Servers in Telecom Italia International Backbone country: IT admin-c: NARA1-RIPE tech-c: NARA1-RIPE remarks: rev-srv: dns.seabone.net remarks: rev-srv: trider-g7.seabone.net status: ASSIGNED PA remarks: *************************************************************** remarks: Akamai serves the images and streaming content for many of the remarks: most popular Internet web-sites. When you connect to a web-site remarks: your browser first contacts the content provider and downloads remarks: an html file. This file contains embedded URLs that tell your remarks: browser where to find all the objects necessary to finish remarks: displaying the page. In the case of an "Akamaized" site, these remarks: URLs point to the Akamai Network. Next, your browser makes remarks: connections to the URLs to obtain the images or streaming remarks: content. Again, for an "Akamaized" site, your browser will remarks: contact an Akamai server to obtain the requested items. remarks: Generally a TCP server listens on a well-known port < 1023 (for remarks: example port 80 for HTTP), and a TCP client connects from a remarks: port > 1023 assigned by the operating system. So a connection remarks: from port 80 of the Akamai server to a high numbered port on remarks: your machine, is a normal HTTP transaction. remarks: If you'd like to learn more visit the FAQ at remarks: http://www.akamai.com/en/html/misc/support_faq.html remarks: *************************************************************** remarks: >>> IP range assigned under AW <<< mnt-by: AS6762-MNT source: RIPE # Filtered remarks: rev-srv attribute deprecated by RIPE NCC on 02/09/2009
I ran a packet capture on if WAN, just to be sure it's all TCP ( my public IP redacted to MY_WAN_ADDRESS ):
02:25:30.555101 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36654, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3bd9 (correct), seq 2408830694:2408832134, ack 515473788, win 7776, options [nop,nop,TS val 2747741566 ecr 6278452], length 1440 02:25:30.555155 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 4640, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xe3f8 (correct), seq 1, ack 1440, win 634, options [nop,nop,TS val 6278510 ecr 2747741566], length 0 02:25:30.557041 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36655, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xcd08 (correct), seq 1440:2880, ack 1, win 7776, options [nop,nop,TS val 2747741567 ecr 6278453], length 1440 02:25:30.557072 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 26753, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xde55 (correct), seq 1, ack 2880, win 634, options [nop,nop,TS val 6278512 ecr 2747741567], length 0 02:25:30.558562 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36656, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x57a2 (correct), seq 2880:4320, ack 1, win 7776, options [nop,nop,TS val 2747741568 ecr 6278454], length 1440 02:25:30.558593 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 5840, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xd8b3 (correct), seq 1, ack 4320, win 634, options [nop,nop,TS val 6278513 ecr 2747741568], length 0 02:25:30.560265 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36657, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3bae (correct), seq 4320:5760, ack 1, win 7776, options [nop,nop,TS val 2747741569 ecr 6278456], length 1440 02:25:30.560296 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 15215, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xd310 (correct), seq 1, ack 5760, win 634, options [nop,nop,TS val 6278515 ecr 2747741569], length 0 02:25:30.561972 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36658, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x2f98 (correct), seq 5760:7200, ack 1, win 7776, options [nop,nop,TS val 2747741571 ecr 6278458], length 1440 02:25:30.562004 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 2883, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xcd6d (correct), seq 1, ack 7200, win 634, options [nop,nop,TS val 6278516 ecr 2747741571], length 0 02:25:30.563491 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36659, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x4502 (correct), seq 7200:8640, ack 1, win 7776, options [nop,nop,TS val 2747741573 ecr 6278459], length 1440 02:25:30.563522 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 40049, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xc7c9 (correct), seq 1, ack 8640, win 634, options [nop,nop,TS val 6278518 ecr 2747741573], length 0 02:25:30.565203 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36660, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x8b68 (correct), seq 8640:10080, ack 1, win 7776, options [nop,nop,TS val 2747741575 ecr 6278461], length 1440 02:25:30.565233 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 42543, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xc225 (correct), seq 1, ack 10080, win 634, options [nop,nop,TS val 6278520 ecr 2747741575], length 0 02:25:30.566906 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36661, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x140b (correct), seq 10080:11520, ack 1, win 7776, options [nop,nop,TS val 2747741576 ecr 6278463], length 1440 02:25:30.566935 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 10307, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xbc83 (correct), seq 1, ack 11520, win 634, options [nop,nop,TS val 6278521 ecr 2747741576], length 0 02:25:30.568423 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36662, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xef13 (correct), seq 11520:12960, ack 1, win 7776, options [nop,nop,TS val 2747741577 ecr 6278465], length 1440 02:25:30.568455 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 17380, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xb6e0 (correct), seq 1, ack 12960, win 634, options [nop,nop,TS val 6278523 ecr 2747741577], length 0 02:25:30.570181 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36663, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3939 (correct), seq 12960:14400, ack 1, win 7776, options [nop,nop,TS val 2747741579 ecr 6278466], length 1440 02:25:30.570211 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 34457, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xb13c (correct), seq 1, ack 14400, win 634, options [nop,nop,TS val 6278525 ecr 2747741579], length 0 02:25:30.571838 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36664, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xfe6b (correct), seq 14400:15840, ack 1, win 7776, options [nop,nop,TS val 2747741581 ecr 6278468], length 1440 02:25:30.571868 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 42291, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xab99 (correct), seq 1, ack 15840, win 634, options [nop,nop,TS val 6278526 ecr 2747741581], length 0 02:25:30.573367 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36665, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3af4 (correct), seq 15840:17280, ack 1, win 7776, options [nop,nop,TS val 2747741583 ecr 6278469], length 1440 02:25:30.573402 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 11074, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xa5f5 (correct), seq 1, ack 17280, win 634, options [nop,nop,TS val 6278528 ecr 2747741583], length 0 02:25:30.575315 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36666, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x4afc (correct), seq 17280:18720, ack 1, win 7776, options [nop,nop,TS val 2747741584 ecr 6278471], length 1440 02:25:30.575346 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 62220, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xa052 (correct), seq 1, ack 18720, win 634, options [nop,nop,TS val 6278530 ecr 2747741584], length 0 02:25:30.577027 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36667, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x969d (correct), seq 18720:20160, ack 1, win 7776, options [nop,nop,TS val 2747741586 ecr 6278473], length 1440 02:25:30.577059 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 64720, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x9aae (correct), seq 1, ack 20160, win 634, options [nop,nop,TS val 6278532 ecr 2747741586], length 0 02:25:30.578534 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36668, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xf37a (correct), seq 20160:21600, ack 1, win 7776, options [nop,nop,TS val 2747741587 ecr 6278475], length 1440 02:25:30.578565 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 14170, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x950c (correct), seq 1, ack 21600, win 634, options [nop,nop,TS val 6278533 ecr 2747741587], length 0 02:25:30.580238 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36669, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xcda4 (correct), seq 21600:23040, ack 1, win 7776, options [nop,nop,TS val 2747741590 ecr 6278476], length 1440 02:25:30.580268 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 56731, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x8f67 (correct), seq 1, ack 23040, win 634, options [nop,nop,TS val 6278535 ecr 2747741590], length 0 02:25:30.581944 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36670, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x4831 (correct), seq 23040:24480, ack 1, win 7776, options [nop,nop,TS val 2747741592 ecr 6278478], length 1440 02:25:30.581975 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 41982, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x89c4 (correct), seq 1, ack 24480, win 634, options [nop,nop,TS val 6278536 ecr 2747741592], length 0 02:25:30.583467 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36671, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x6a3e (correct), seq 24480:25920, ack 1, win 7776, options [nop,nop,TS val 2747741612 ecr 6278499], length 1440 02:25:30.583499 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 20720, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x840e (correct), seq 1, ack 25920, win 634, options [nop,nop,TS val 6278538 ecr 2747741612], length 0 02:25:30.585173 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36672, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x94bb (correct), seq 25920:27360, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.585203 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 33482, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x7e6b (correct), seq 1, ack 27360, win 634, options [nop,nop,TS val 6278540 ecr 2747741613], length 0 02:25:30.586875 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36673, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x5e9b (correct), seq 27360:28800, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.586906 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 63707, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x78ca (correct), seq 1, ack 28800, win 634, options [nop,nop,TS val 6278541 ecr 2747741613], length 0 02:25:30.588393 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36674, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3bb6 (correct), seq 28800:30240, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.588425 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 63353, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x7328 (correct), seq 1, ack 30240, win 634, options [nop,nop,TS val 6278543 ecr 2747741613], length 0 02:25:30.590105 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36675, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xb5b2 (correct), seq 30240:31680, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.590145 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 15946, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x6d86 (correct), seq 1, ack 31680, win 634, options [nop,nop,TS val 6278545 ecr 2747741613], length 0 02:25:30.592046 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36676, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x8f6e (correct), seq 31680:33120, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.592079 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 55147, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x67e4 (correct), seq 1, ack 33120, win 634, options [nop,nop,TS val 6278547 ecr 2747741613], length 0 02:25:30.593561 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36677, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x3ec8 (correct), seq 33120:34560, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.593594 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 52758, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x6243 (correct), seq 1, ack 34560, win 634, options [nop,nop,TS val 6278548 ecr 2747741613], length 0 02:25:30.595272 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36678, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x122a (correct), seq 34560:36000, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.595303 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 51770, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x5ca1 (correct), seq 1, ack 36000, win 634, options [nop,nop,TS val 6278550 ecr 2747741613], length 0 02:25:30.596976 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36679, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x8e8c (correct), seq 36000:37440, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.597008 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 44725, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x5700 (correct), seq 1, ack 37440, win 634, options [nop,nop,TS val 6278551 ecr 2747741613], length 0 02:25:30.598681 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36680, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x8e72 (correct), seq 37440:38880, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.598712 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 49381, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x515e (correct), seq 1, ack 38880, win 634, options [nop,nop,TS val 6278553 ecr 2747741613], length 0 02:25:30.600199 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36681, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xb145 (correct), seq 38880:40320, ack 1, win 7776, options [nop,nop,TS val 2747741613 ecr 6278499], length 1440 02:25:30.600230 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 56767, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x4bbc (correct), seq 1, ack 40320, win 634, options [nop,nop,TS val 6278555 ecr 2747741613], length 0 02:25:30.601906 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36682, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xcb89 (correct), seq 40320:41760, ack 1, win 7776, options [nop,nop,TS val 2747741614 ecr 6278500], length 1440 02:25:30.601937 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 37004, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x461a (correct), seq 1, ack 41760, win 634, options [nop,nop,TS val 6278556 ecr 2747741614], length 0 02:25:30.603613 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36683, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x8933 (correct), seq 41760:43200, ack 1, win 7776, options [nop,nop,TS val 2747741618 ecr 6278503], length 1440 02:25:30.603645 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 23098, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x4074 (correct), seq 1, ack 43200, win 634, options [nop,nop,TS val 6278558 ecr 2747741618], length 0 02:25:30.605135 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36684, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xdc63 (correct), seq 43200:44640, ack 1, win 7776, options [nop,nop,TS val 2747741618 ecr 6278505], length 1440 02:25:30.605166 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 55973, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x3ad2 (correct), seq 1, ack 44640, win 634, options [nop,nop,TS val 6278560 ecr 2747741618], length 0 02:25:30.606839 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36685, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xcfcb (correct), seq 44640:46080, ack 1, win 7776, options [nop,nop,TS val 2747741620 ecr 6278506], length 1440 02:25:30.606870 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 41950, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x352f (correct), seq 1, ack 46080, win 634, options [nop,nop,TS val 6278561 ecr 2747741620], length 0 02:25:30.608788 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36686, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xaf55 (correct), seq 46080:47520, ack 1, win 7776, options [nop,nop,TS val 2747741622 ecr 6278508], length 1440 02:25:30.608818 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 5758, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x2f8b (correct), seq 1, ack 47520, win 634, options [nop,nop,TS val 6278563 ecr 2747741622], length 0 02:25:30.610304 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36687, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x317c (correct), seq 47520:48960, ack 1, win 7776, options [nop,nop,TS val 2747741623 ecr 6278510], length 1440 02:25:30.610334 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 30516, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x29e8 (correct), seq 1, ack 48960, win 634, options [nop,nop,TS val 6278565 ecr 2747741623], length 0 02:25:30.612013 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36688, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x17eb (correct), seq 48960:50400, ack 1, win 7776, options [nop,nop,TS val 2747741625 ecr 6278512], length 1440 02:25:30.612049 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 35301, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x2444 (correct), seq 1, ack 50400, win 634, options [nop,nop,TS val 6278567 ecr 2747741625], length 0 02:25:30.613713 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36689, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x903a (correct), seq 50400:51840, ack 1, win 7776, options [nop,nop,TS val 2747741626 ecr 6278513], length 1440 02:25:30.613743 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 20596, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x1ea2 (correct), seq 1, ack 51840, win 634, options [nop,nop,TS val 6278568 ecr 2747741626], length 0 02:25:30.615322 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36690, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x7000 (correct), seq 51840:53280, ack 1, win 7776, options [nop,nop,TS val 2747741628 ecr 6278515], length 1440 02:25:30.615353 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 9728, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x18fe (correct), seq 1, ack 53280, win 634, options [nop,nop,TS val 6278570 ecr 2747741628], length 0 02:25:30.616947 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36691, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xe171 (correct), seq 53280:54720, ack 1, win 7776, options [nop,nop,TS val 2747741628 ecr 6278515], length 1440 02:25:30.616978 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 54373, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x135d (correct), seq 1, ack 54720, win 634, options [nop,nop,TS val 6278571 ecr 2747741628], length 0 02:25:30.618664 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36692, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xc31d (correct), seq 54720:56160, ack 1, win 7776, options [nop,nop,TS val 2747741630 ecr 6278516], length 1440 02:25:30.618693 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 45491, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x0db9 (correct), seq 1, ack 56160, win 634, options [nop,nop,TS val 6278573 ecr 2747741630], length 0 02:25:30.620171 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36693, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x7655 (correct), seq 56160:57600, ack 1, win 7776, options [nop,nop,TS val 2747741630 ecr 6278518], length 1440 02:25:30.620202 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 49302, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x0817 (correct), seq 1, ack 57600, win 634, options [nop,nop,TS val 6278575 ecr 2747741630], length 0 02:25:30.621883 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36694, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x22ae (correct), seq 57600:59040, ack 1, win 7776, options [nop,nop,TS val 2747741633 ecr 6278520], length 1440 02:25:30.621914 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 4760, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0x0273 (correct), seq 1, ack 59040, win 634, options [nop,nop,TS val 6278576 ecr 2747741633], length 0 02:25:30.623585 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36695, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xa5f4 (correct), seq 59040:60480, ack 1, win 7776, options [nop,nop,TS val 2747741635 ecr 6278521], length 1440 02:25:30.623620 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 50413, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xfcce (correct), seq 1, ack 60480, win 634, options [nop,nop,TS val 6278578 ecr 2747741635], length 0 02:25:30.625352 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36696, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xf89b (correct), seq 60480:61920, ack 1, win 7776, options [nop,nop,TS val 2747741636 ecr 6278523], length 1440 02:25:30.625383 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 23735, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xf72b (correct), seq 1, ack 61920, win 634, options [nop,nop,TS val 6278580 ecr 2747741636], length 0 02:25:30.627056 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36697, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x328f (correct), seq 61920:63360, ack 1, win 7776, options [nop,nop,TS val 2747741638 ecr 6278525], length 1440 02:25:30.627088 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 20443, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xf187 (correct), seq 1, ack 63360, win 634, options [nop,nop,TS val 6278582 ecr 2747741638], length 0 02:25:30.628764 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36698, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xf6a1 (correct), seq 63360:64800, ack 1, win 7776, options [nop,nop,TS val 2747741641 ecr 6278528], length 1440 02:25:30.628794 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 54468, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xebe3 (correct), seq 1, ack 64800, win 634, options [nop,nop,TS val 6278583 ecr 2747741641], length 0 02:25:30.630470 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36699, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xe488 (correct), seq 64800:66240, ack 1, win 7776, options [nop,nop,TS val 2747741643 ecr 6278530], length 1440 02:25:30.630501 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 27242, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xe63f (correct), seq 1, ack 66240, win 634, options [nop,nop,TS val 6278585 ecr 2747741643], length 0 02:25:30.631990 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36700, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0x2b29 (correct), seq 66240:67680, ack 1, win 7776, options [nop,nop,TS val 2747741645 ecr 6278532], length 1440 02:25:30.632026 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 40462, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xe09c (correct), seq 1, ack 67680, win 634, options [nop,nop,TS val 6278586 ecr 2747741645], length 0 02:25:30.633690 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36701, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xec09 (correct), seq 67680:69120, ack 1, win 7776, options [nop,nop,TS val 2747741647 ecr 6278533], length 1440 02:25:30.633724 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 4513, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xdaf8 (correct), seq 1, ack 69120, win 634, options [nop,nop,TS val 6278588 ecr 2747741647], length 0 02:25:30.635402 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36702, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xeb4d (correct), seq 69120:70560, ack 1, win 7776, options [nop,nop,TS val 2747741648 ecr 6278535], length 1440 02:25:30.635436 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 6185, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xd555 (correct), seq 1, ack 70560, win 634, options [nop,nop,TS val 6278590 ecr 2747741648], length 0 02:25:30.636916 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 36703, offset 0, flags [DF], proto TCP (6), length 1492) 79.140.82.16.http > MY_WAN_ADDRESS.49841: Flags [.], cksum 0xa622 (correct), seq 70560:72000, ack 1, win 7776, options [nop,nop,TS val 2747741651 ecr 6278538], length 1440 02:25:30.636946 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 30743, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_ADDRESS.49841 > 79.140.82.16.http: Flags [.], cksum 0xcfb1 (correct), seq 1, ack 72000, win 634, options [nop,nop,TS val 6278591 ecr 2747741651], length 0
If all this was streamed content, Windows Update stuff, or ANYTHING initiated from behind pfSense, I should be seeing correlated LAN traffic, but there is none (it's now 02:40 AM, I'm alone in the office, all LAN hosts offline, including servers).
If this is an ISP problem, I'm all good.. Insert support ticket ASAP and I'm done…
What I don't understand is why a fw rule set to either pass or block, floating or directly on WAN, does not log any messages? -
Sorry for the bump, this is still an issue for me…
Could someone please help me at least better diagnose this?
Maybe I'm not defining the fw blocking rule as I should? -
its traffic coming from 80.. Open the traffic up in wireshark - what is it?? Is it a website?
-
The one thing that really blows my mind is this:
here's my fw rule setup as block, first rule on WAN
here is the traffic graph on WAN, with the above rule active:
The rule has logging enabled, but System Logs > Firewall STILL SHOWS UP AS EMPTY…
AM I GOING MAD, or is there some problem..?
.. all of this started happening since switching to 2.1.3 RELEASE..
All of the originating IP's (which randomly change to some other subnet) of the traffic that hogs my WAN pipe resolve as part of Akamai CDN.
I have MANUALLY checked ALL of my hosts, virtual and physical, for running WU session, or strange traffic, found none.How can I block all that traffic? It seems to ignore rules on WAN..
I tried setting up packet capture on WAN for one of the source IP's, promiscuous mode, 10 packets, full details.
Here are the contents (source IP changed while writing this post):15:39:33.404897 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 60877, offset 0, flags [DF], proto TCP (6), length 1492) 93.186.135.67.http > MY_WAN_IP.62175: Flags [.], cksum 0x53cd (correct), seq 2280624651:2280626091, ack 2637429275, win 8312, options [nop,nop,TS val 3403809280 ecr 313059907], length 1440 15:39:37.243545 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 26417, offset 0, flags [DF], proto TCP (6), length 1492) 93.186.135.67.http > MY_WAN_IP.64988: Flags [.], cksum 0xd3ab (correct), seq 571079934:571081374, ack 271564911, win 7776, options [nop,nop,TS val 3403813120 ecr 312943553], length 1440 15:40:32.282698 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 53873, offset 0, flags [DF], proto TCP (6), length 1492) 93.186.135.67.http > MY_WAN_IP.35999: Flags [.], cksum 0xcca9 (correct), seq 58513007:58514447, ack 399691569, win 7776, options [nop,nop,TS val 3403868160 ecr 312940868], length 1440 15:40:42.710002 AF IPv4 (2), length 64: (tos 0x0, ttl 64, id 6192, offset 0, flags [DF], proto TCP (6), length 60) MY_WAN_IP.64458 > 93.186.135.67.http: Flags [s], cksum 0x3f8d (correct), seq 4082480794, win 65228, options [mss 1452,nop,wscale 7,sackOK,TS val 313193393 ecr 0], length 0 15:40:42.739815 AF IPv4 (2), length 64: (tos 0x20, ttl 58, id 0, offset 0, flags [DF], proto TCP (6), length 60) 93.186.135.67.http > MY_WAN_IP.64458: Flags [S.], cksum 0x32bb (correct), seq 3973581394, ack 4082480795, win 14480, options [mss 1452,sackOK,TS val 3403878645 ecr 313193393,nop,wscale 1], length 0 15:40:42.739874 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 4328, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_IP.64458 > 93.186.135.67.http: Flags [.], cksum 0x97e6 (correct), seq 1, ack 1, win 517, options [nop,nop,TS val 313193423 ecr 3403878645], length 0 15:40:42.740980 AF IPv4 (2), length 466: (tos 0x0, ttl 64, id 38914, offset 0, flags [DF], proto TCP (6), length 462) MY_WAN_IP.64458 > 93.186.135.67.http: Flags [P.], cksum 0x810e (correct), seq 1:411, ack 1, win 517, options [nop,nop,TS val 313193424 ecr 3403878645], length 410 15:40:42.775509 AF IPv4 (2), length 56: (tos 0x20, ttl 58, id 6977, offset 0, flags [DF], proto TCP (6), length 52) 93.186.135.67.http > MY_WAN_IP.64458: Flags [.], cksum 0x79cc (correct), seq 1, ack 411, win 7776, options [nop,nop,TS val 3403878681 ecr 313193424], length 0 15:40:42.781819 AF IPv4 (2), length 1496: (tos 0x0, ttl 58, id 6978, offset 0, flags [DF], proto TCP (6), length 1492) 93.186.135.67.http > MY_WAN_IP.64458: Flags [.], cksum 0x9b62 (correct), seq 1:1441, ack 411, win 7776, options [nop,nop,TS val 3403878685 ecr 313193424], length 1440 15:40:42.781856 AF IPv4 (2), length 56: (tos 0x0, ttl 64, id 3486, offset 0, flags [DF], proto TCP (6), length 52) MY_WAN_IP.64458 > 93.186.135.67.http: Flags [.], cksum 0x9065 (correct), seq 411, ack 1441, win 506, options [nop,nop,TS val 313193465 ecr 3403878685], length 0 [font][/font] [/s]
-
You can block traffic all day long - doesn't stop traffic from coming down your pipe if requested or sent.
blocking at wan doesn't do much for using up bandwidth. Even if pfsense drops it or sends it on, its still using your pipe. You need to stop the traffic from being sent, ie requested I would assume if your saying its not some form of attack.
Capture the traffic and then load it up in wireshark so you can take a look to what it actually is. It looks to be just http so not encrypted (ie https) so it should all be in the clear and you can see what is being requested to send to your IP.
also look in your state tables for these IPs - you should see the IP on your side that created the state.
Do you have this agent installed on any of your machines
http://www.akamai.com/html/solutions/client_faq.html -
also look in your state tables for these IPs - you should see the IP on your side that created the state.
I basically love you… Being a pfSense newbie, I never thought of filtering the states...
I got to the bottom of this and as usual, Windows Update is the culprit...
Geniuses at Microsoft decided that WU traffic does not show up in Task Manager > Performance tab > Network, so one can have a host hogging all bandwidth via WU, but still show up as 0Kbps on the client...
I knew the Akamai NetSession client works in p2p mode so I never allowed it to be installed on anything.
... so to anyone not knowing where traffic comes from, LOOK AT YOUR STATES...
Sadly I still do no understand why the fw rule (whatever action) doesn't log traffic originating from Akamai's CDN.. Could they be using some weird protocol? I dunno...
Also, Traffic Graph on the LAN interface shows nothing hinting at the client that's downloading WU stuff; perhaps you're right about the acks being negligible so not really visible on the graph.
Thank you johnpoz.
-
.. someone may mark this as SOLVED as far as I'm concerned…
-
Well that wan rule doesn't seem like it would be firing because traffic is return traffic to a state.. if it was syn traffic from that source to your wan IP than that rule would fire and be logged per your setting.
If your clients are requesting something. Its better log the allow or block rule on the lan interface to see what client is generating traffic to where, etc. Can not really think of too many examples when you would need specific deny rules on your wan because of the default deny. You would normally only allow stuff like icmp, or rules to allow your port forwards to work. Now I allow ping but use the pfblocker as a source filter, so you can ping my wan unless your listed in the spammers, bad countries list, etc.
So if your try and ping my wan IP, and your listed in the pfblocker top spammers alias list then you would not trigger that rule that allows and fall through to the default deny.