SOLVED Traffic on WAN interface only
-
Something new for me. The traffic graph shows a lot of traffic in and out on WAN interface only. This traffic does not show up on any of the internal interfaces. The firewall logs are silent on the remote addresses that the traffic graph reports.
Please suggest how to diagnose this.
Meanwhile, I am getting the Wireshark out…
-
- Looks like a DNS attack, lots of UDP packets, IP probably spoofed.
-
If it's outbound traffic as well do you have your DNS forwarder accidentally exposed? Are you being used as part of a DNS amplification attack?
Steve
-
There is authoritative DNS server behind the firewall. It issuses packets (Server Failure) in response, though these packets are about the same size at the requests, so should make the server useless for DNS amplification attacks.
My packet capture shows that I have about equal amount of inbound and outbound traffic, while the pfSense traffic graph shows that I pipe out twice as much as I take in. What the..?
-
Are you running Squid? I've seen cases where the caching by Squid shows a LOT of traffic, like Windows Updates, going to WAN that doesn't go anywhere else for some reason.
-
Ok, I am stupid, LOL. I was just too quickly changing between the interfaces on the Traffic Graph. It takes a while for it to start showing the data.
However I still cannot account for about half of the outgoing traffic on one of the internal interfaces. No Squid on this install.
-
Another strange thing. Despite creating A WAN rule blocking by IP address. A very small percentage of UDP packets still come through. The packets are incoming from the Internet, and the IP is most likely spoofed.
-
State not cleared from the firewall?
Steve
-
UDP - no state. Most of the packets get blocked, just a few single ones get through…
I am going to restart the box for good measure, and test again, though.
-
Ha! good point. ::)
-
I rebooted the pfSense and the packet leak has stopped. Hmmm…
-
I'd be looking for malware on my network. I doubt seriously its a pfsense problem.
-
It is smells like a reflected attack, not amplified though, since the packets in and out are the same size. I stopped the attack at the firewall level.
I think there is an issue with pfSense traffic graph, the traffic does not add up. I think it shows exactly double outgoing the traffic for local interfaces. I am still investigating, this will take more time to accumulate the data from different network segments and add it all up.
-
Found this: https://forum.pfsense.org/index.php?topic=67295.0
-
Check the forum. There are a number of threads about double counting on the traffic graphs. I've never seen it though, it seems to happen only under specific conditions.
Ah, typed too slow! Yep that's one of them.
Steve
-
Yep - Sometimes pfsense reports traffic bandwidthh incorrectly, which is much less troubling than having a bunch of phantom traffic.
-
Thanks for your help everybody. This was a compound issue, and it looks like everything has been explained now. I appreciate the help.
