Traffic out of the WAN interface
The graph below shows traffic out of the "WAN4" interface. It repeats constantly throughout the uptime of the pfSense firewall. Is it good or bad?
Help me please.
Thanks in advance!
A packet capture for that interface would tell you exactly what it is. It could be anything: a periodic ping, keep-alives, anything.
You do understand that unless the inbound traffic is UDP, ACKs have to be sent as well.. So yeah, inbound traffic creates outbound traffic…
Thanks johnpoz and mer,
This is the traffic graph of the server; its role is a router behind, and connected to, the pfSense firewall. The traffic graph of the server is very smooth, not the same as the traffic graph of pfSense.
Link of the traffic graph of server: http://i1044.photobucket.com/albums/b449/quang_long6/server_zpsa79nv5sl.png
A packet capture for WAN4 is the only way to tell exactly what the traffic is. You can't tell if it's good/bad/normal until then.
If the server is on Windows, well, there is a lot of Windows traffic related to NETBIOS and other protocols. Get a packet capture, then you can understand better.
The output of the server's network traffic is the input of the pfSense firewall's LAN traffic.
But the LAN traffic graph or the WAN traffic graph of pfSense has a point at which traffic runs out.
Is there something wrong with the pfSense firewall?
Link Network traffic of server: http://i1044.photobucket.com/albums/b449/quang_long6/server_zpsa79nv5sl.png
Link LAN traffic of pfsense firewall: http://i1044.photobucket.com/albums/b449/quang_long6/LAN_zpsbk4poz92.png
Link WAN traffic of pfsense firewall: http://i1044.photobucket.com/albums/b449/quang_long6/traffic%20run%20out_zps4gj9emms.png
I understand the output of the server being the input of the pfSense box. You are asking about the outputs on WAN4. Without seeing firewall rules, nat rules, redirect rules, packet captures, it is hard to even try and help.
It would take all of 30 seconds to sniff on the pfSense WAN to see what the outbound traffic is. It could just be ACKs or it could be anything - without the sniff there is no way to know what the traffic actually is.
Thanks johnpoz, mer,
This is the link to the packet capture:
Help me please!
Thank you very much!
According to the packet capture, it's all HTTP and related traffic. Some packet reassembly, some duplicate acks. If you grab the program Wireshark you can look at the data you've captured and see if the addresses are legitimate. The differences in the graphs between the server and the WAN output can be due to anything, I can't help debug that.
Yeah quick look - and ACKS as I stated..
You do understand how TCP works? When I download something from a website, for example, and I get that packet, I send an ACK saying hey, I got that, etc.. It's a two-way communication. While ACKs are small, if you are downloading lots of info, then lots of ACKs add up to some amount of upload bandwidth..
See, your small packets, which are prob all ACKs to what you were downloading, actually make up a higher percentage of the sniff than the large download packets (what the server was sending you)..
There are about 300 users behind the server, whose role is a router. So all of the main traffic is the sum of 300 users, not the server.
Yeah what is your point?? Your sniff did not show 300 different sessions that is for sure.. What part do you not understand about acks?? Your graph is showing 50mbps down, what do you think the up requirement is for the acks in that sort of download??
Here, see, I am downloading a file; nothing really was going on before that.. As you can see, while I am downloading, the upload is there too.. ACKS!! Can not talk to tcp/ip without ACKS… Downloading is going to require a % of the speed you're downloading at in upload bandwidth.
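The check discussed in this thread, as an added example that is not part of any post: a Python script that reads a classic-format pcap taken on the WAN interface and reports how much of the outbound TCP traffic is payload-free ACKs. The function names, the WAN address 198.51.100.10 and the embedded capture are constructed for illustration; only IPv4 over Ethernet is handled.

```python
import struct
from ipaddress import ip_address

def summarize_wan_pcap(data, wan_ip):
    """Tally TCP bytes per direction in a classic pcap and count pure ACKs sent from wan_ip."""
    order = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if order is None or struct.unpack(order + "I", data[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    wan = ip_address(wan_ip).packed
    s = dict(in_bytes=0, out_bytes=0, out_pkts=0, pure_acks=0, pure_ack_bytes=0)
    off = 24                                  # skip the 24-byte global header
    while off + 16 <= len(data):
        incl, orig = struct.unpack(order + "II", data[off + 8:off + 16])
        frame, off = data[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 54 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                          # keep only IPv4 + TCP
        ihl = (frame[14] & 0x0F) * 4
        tcp = frame[14 + ihl:]
        if len(tcp) < 20:
            continue
        payload = struct.unpack("!H", frame[16:18])[0] - ihl - (tcp[12] >> 4) * 4
        if frame[26:30] != wan:               # source is not the WAN address: inbound
            s["in_bytes"] += orig
            continue
        s["out_bytes"] += orig
        s["out_pkts"] += 1
        if payload == 0 and tcp[13] & 0x17 == 0x10:   # ACK set; no SYN/FIN/RST
            s["pure_acks"] += 1
            s["pure_ack_bytes"] += orig
    return s

def build_sample_pcap():
    """Constructed capture: 4 inbound full-size segments, 2 pure ACKs and 1 request outbound."""
    wan, srv = ip_address("198.51.100.10").packed, ip_address("203.0.113.5").packed
    def frame(src, dst, sport, dport, flags, payload=b""):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
        tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, flags, 65535, 0, 0)
        return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + tcp + payload
    frames = [frame(wan, srv, 50000, 80, 0x18, b"G" * 100)]   # outbound request (PSH|ACK)
    for _ in range(2):                        # one ACK per two inbound data segments
        frames += [frame(srv, wan, 80, 50000, 0x10, b"D" * 1460)] * 2
        frames.append(frame(wan, srv, 50000, 80, 0x10))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(summarize_wan_pcap(build_sample_pcap(), "198.51.100.10"))
```

If `pure_ack_bytes` accounts for most of `out_bytes`, the outbound graph is tracking the download; whatever remains is the traffic worth opening in Wireshark.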