Netgate Discussion Forum
    High traffic WAN, locate source on LAN

    Cache/Proxy
    26 Posts 6 Posters 8.0k Views
    namtab

      @johnpoz:

      Well, that WAN rule doesn't seem like it would be firing, because that traffic is return traffic to a state. If it were SYN traffic from that source to your WAN IP, then that rule would fire and be logged per your setting.

      If your clients are requesting something, it's better to log the allow or block rule on the LAN interface to see which client is generating traffic to where, etc. I cannot really think of too many examples where you would need specific deny rules on your WAN because of the default deny. You would normally only allow stuff like ICMP, or rules to allow your port forwards to work. Now, I allow ping but use pfBlocker as a source filter, so you can ping my WAN unless you're listed in the spammers list, bad countries list, etc.

      So if you try to ping my WAN IP and you're listed in the pfBlocker top spammers alias list, then you would not trigger that rule that allows and would fall through to the default deny.

      I always thought firewall rules would also apply to incoming traffic even if the TCP session is initiated internally. You live and learn!

      Golden advice, will cherish..

      Thank you again.

    fdalton

        Does anyone know why the statistics don't correspond? This is driving me crazy!!

        In my case, I also see heavy traffic coming from Akamai, and I'm sure that this is not an attack…

        Look at my interface statistics:

        All the traffic originates from Akamai.

    johnpoz (LAYER 8, Global Moderator)

          What is not matching up? Looks like you're not showing some of your interfaces.

          Are you talking about the 145GB into WAN, but only 14GB out LAN? Just because you see traffic to the WAN doesn't mean pfSense is going to send that traffic out the LAN, etc. While 145 to 14 seems high, do you have that traffic going out a different interface other than LAN?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

    fdalton

            My second WAN interface is used only for failover.

            However, I have now discovered that this issue is related, in some way, to Squid. After I disabled Squid, the traffic graphs immediately started working properly.

            Sorry for my bad English :-[

    johnpoz (LAYER 8, Global Moderator)

              Well, sure, Squid could grab all kinds of stuff and not send it to something on the LAN.

    doktornotor

                To locate source on LAN, you need to look at Squid logs…

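The thread ends with the practical answer: when Squid is the one pulling the traffic, the WAN-side counters and firewall logs only ever show the proxy's own connections, so the LAN client has to be recovered from Squid's access.log. The script below is an added example for this thread, not code from the original posts or from pfSense/Squid. It assumes Squid's default "native" access.log format (timestamp, elapsed ms, client IP, result/status, bytes sent to client, method, URL, ident, hierarchy/peer, content type) and the sample lines are constructed; the client, host and peer addresses are documentation ranges. Because the byte count is what Squid sent to the client, cache hits (TCP_HIT, TCP_MEM_HIT, ...) never crossed the WAN and are tallied separately from fetches, which is the same reason the WAN-in and LAN-out graphs stop agreeing once a proxy sits between them.

```python
#!/usr/bin/env python3
"""Attribute Squid proxy traffic back to LAN clients.

Added example for this forum thread; not code from the original posts,
pfSense or Squid. Assumes Squid's default native access.log layout:

    timestamp elapsed client result/status bytes method url ident hierarchy/peer type

`bytes` is what the proxy sent to the client, so cache hits are counted
separately: those bytes never traversed the WAN.
"""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample log (not a real capture); IPs are documentation ranges.
SAMPLE_LOG = """\
1700000001.123    245 192.168.1.50 TCP_MISS/200 52428800 GET http://dl.example-cdn.net/update.bin - HIER_DIRECT/203.0.113.10 application/octet-stream
1700000002.456     12 192.168.1.50 TCP_HIT/200 1048576 GET http://dl.example-cdn.net/patch.bin - HIER_NONE/- application/octet-stream
1700000003.789   3100 192.168.1.77 TCP_TUNNEL/200 10485760 CONNECT video.example.org:443 - HIER_DIRECT/198.51.100.5 -
1700000004.000     40 192.168.1.23 TCP_MISS/404 512 GET http://www.example.com/missing - HIER_DIRECT/192.0.2.1 text/html
this line is garbage and must be skipped
1700000005.000     90 192.168.1.50 TCP_MEM_HIT/200 2097152 GET http://dl.example-cdn.net/update.bin - HIER_NONE/- application/octet-stream
"""


def parse_line(line):
    """Parse one native-format record; return None if the line is not parseable."""
    fields = line.split()
    if len(fields) < 10:
        return None
    try:
        size = int(fields[4])
    except ValueError:
        return None
    result, _, status = fields[3].partition("/")
    method, url = fields[5], fields[6]
    if method == "CONNECT":
        # CONNECT records carry "host:port", not a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or url
    # Peer is the origin/parent IP the proxy fetched from; "-" on cache hits.
    peer = fields[8].partition("/")[2]
    return {
        "client": fields[2],
        "result": result,
        "status": status,
        "bytes": size,
        "host": host,
        "peer": peer if peer != "-" else None,
        "from_cache": "HIT" in result,
    }


def summarize(log_text):
    """Tally bytes per LAN client (WAN-fetched vs served from cache), per
    destination host, and per WAN-side peer IP. Returns (clients, hosts, peers, skipped)."""
    clients = defaultdict(lambda: {"wan": 0, "cache": 0})
    hosts = defaultdict(int)
    peers = defaultdict(int)
    skipped = 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            skipped += 1
            continue
        bucket = "cache" if rec["from_cache"] else "wan"
        clients[rec["client"]][bucket] += rec["bytes"]
        hosts[rec["host"]] += rec["bytes"]
        if rec["peer"]:
            peers[rec["peer"]] += rec["bytes"]
    return dict(clients), dict(hosts), dict(peers), skipped


def top_talkers(clients, n=5):
    """Clients ranked by bytes that actually traversed the WAN."""
    return sorted(clients.items(), key=lambda kv: kv[1]["wan"], reverse=True)[:n]


def main(path=None):
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_LOG
    clients, hosts, peers, skipped = summarize(text)
    print(f"{'client':<16}{'wan bytes':>14}{'cache bytes':>14}")
    for ip, b in top_talkers(clients):
        print(f"{ip:<16}{b['wan']:>14,}{b['cache']:>14,}")
    print("\nby origin IP seen on the WAN side:")
    for ip, b in sorted(peers.items(), key=lambda kv: kv[1], reverse=True):
        print(f"  {ip:<16}{b:>14,}")
    if skipped:
        print(f"\n{skipped} unparseable line(s) skipped")


if __name__ == "__main__":
    import sys
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it against the proxy's real log (on pfSense typically /var/squid/logs/access.log) to map the WAN-side origin IPs you see in the interface graphs back to the LAN host that requested them. The same per-client attribution is not available from the firewall log alone: a `keep state` pass rule on the LAN logs only the packet that created the state unless the rule is set to `log (all)`, so pf logs tell you who talked to whom but not how many bytes moved.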
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.