Pfsense interface stats (data in-out) is completely off
-
Hi,
my IPS recently changed their packages and as a result I decided to look at my internet consumption from pfsense's webinterface to see how much data I use off of my monthly cap.
My ISP reports that I used 34GB from January 1 to today (Jan 15). I called them and they said that in average I use 70-100GB per month which correlates with the report for the first two weeks of january (35GB for 15 days = 70GB for a month…)
Now pfsense reports that in the last 2 days (since last reboot) the WAN interface transferred 198GB (in+out)!!! Also, I had installed vnstat a while back, and I just used it to see my monthly/daily/hourly usage, and its all off my a factor of at least 10!
vnstat reports in the last 24 hours that I used 4.75GB per hour for an average of 90GB per day!!!! It also reports that during the month of November I used 2TB of bandwidth, and December 2.5TB!
My monthly cap is 300GB and I was never charged for overuse. Calling my IPS they reported that during these months I used an avarage of 87GB per month (Nov= 73GB, Dec=100GB).
So why is pfsense so screwed up with data measurement?
Does it have something to do with the LAN interface's bandwidth (in other words the traffic between my LAN clients?)
-
Which numbers are you comparing? Depending on the type of service you have, there could be a slew of traffic that's not yours coming in, though that seems far more than you'd see under those circumstances. vnstat and Status>Interfaces pull from the same source, the NIC counters. The RRD traffic graphs pull from pf counters. They should match.
-
Which numbers are you comparing?
I am looking at the numbers from the main web page (under interface statistics) and the numbers from vnstat.
My service is very simple: Cable internet coming to my house, model connected to the pfsense WAN iface, 10 port switch connected to LAN..'
ISP -> Cable modem -> pfsense WAN -> pfsense LAN -> Gigabit switch -> LAN computers
Status>Interfaces is showing the same numbers as the main page. These are still off.
something's really fishy.
If that matters, pfsense is virtualized in a Proxmox KVM node and pfsense is
2.1.5-RELEASE (amd64) built on Mon Aug 25 07:44:45 EDT 2014 FreeBSD 8.3-RELEASE-p16Maybe when virtualized the bandwidth calculation is off?
-
OK I just did an interface traffic measurement on what I assume to be the most "consuming" client of my LAN and got interesting results:
I used "nload" during exactly an hour and according to nload 2.77GB were downloaded during that hour, which almost fits to what pfsense and vnstat are reporting.
So my only conclusion is that somehow the way my ISP monitors usage is WAYYYY different than the way I do?
Doesnt make sense at all… I'm gonna be quite honest: I've never came across this before.
Anybody!?
-
I can't recall any circumstance where the interface and RRD stats on a stable release were inaccurate, those counters are pretty straight forward. Two completely diff means of calculating bandwidth, so if they match, you can pretty much be guaranteed that's reality.
ISPs can measure bandwidth in a variety of ways. They may not count data to certain destinations (like things on their own network, especially if they have a IPTV/streaming video service or similar).
You can run a packet capture on WAN, packet length 64 to minimize capture size over a longer period, count 0, all else at defaults. Start the capture, leave it running for a few hours, then go back and stop it. Download the resulting pcap, open in Wireshark, go to Statistics>Conversations and you'll see what you're actually passing on the wire (and what your ISP's passing you).