High traffic WAN, locate source on LAN
-
Well that wan rule doesn't seem like it would be firing because traffic is return traffic to a state.. if it was syn traffic from that source to your wan IP than that rule would fire and be logged per your setting.
If your clients are requesting something. Its better log the allow or block rule on the lan interface to see what client is generating traffic to where, etc. Can not really think of too many examples when you would need specific deny rules on your wan because of the default deny. You would normally only allow stuff like icmp, or rules to allow your port forwards to work. Now I allow ping but use the pfblocker as a source filter, so you can ping my wan unless your listed in the spammers, bad countries list, etc.
So if your try and ping my wan IP, and your listed in the pfblocker top spammers alias list then you would not trigger that rule that allows and fall through to the default deny.
I always thought fw rules would also apply to incoming traffic even if tcp session is initiated internally.. You live and learn!
Golden advice, will cherish..
Thank you again.
-
Someone knows why the statistics are not corresponding? This is driving me crazy!!
In my case, I also heavy all the traffic comming from Akamai and I'm sure that this is not an attack…
Look to my interface statistics:
All the traffic is originated from Akamai.
-
what is not matching up? Looks like your not showing some of your interfaces..
Are you talking about the 145GB into wan, but only 14GB out lan? Just because you see traffic to wan, doesn't mean pfsense is going to send that traffic out the lan, etc.. While 145 to 14 seems high.. Do you have that traffic going out a different interface other than lan?
-
My second WAN interface is used only for failover.
However, now I discovered that this issue is related, in some way, to SQUID. After I disabled SQUID, the traffic graphs are immediately working appropriately.
Sorry for my bad english :-[
-
Well sure squid could grab all kinds of stuff, and not send it to something on the lan..
-
To locate source on LAN, you need to look at Squid logs…