
Author Topic: Unexpected traffic from PFSENSE to WAN  (Read 1512 times)


Offline lespagnol

Unexpected traffic from PFSENSE to WAN
« on: July 07, 2012, 07:28:09 pm »
Dear all,

I have a strange issue with pfsense (latest version 2.0.1).
I see unexpected traffic between pfsense and WAN1.



This is definitely between pfsense and the WAN, because this traffic is not present on my LAN.
This traffic uses the maximum available bandwidth on WAN1.
I don't understand what causes this traffic generation.

- pfsense rebooted > same issue
- interface shut down > same issue: the unexpected traffic is generated on WAN2 (still using the maximum available bandwidth) after a while
- interface unplugged from pfsense > unexpected traffic stops on the WAN hoster's monitoring

Any idea how I can resolve this?
Many thanks in advance !
« Last Edit: July 07, 2012, 07:36:15 pm by lespagnol »

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #1 on: July 07, 2012, 08:06:33 pm »
I think I found what causes this issue, but still not why  :-\
When I activate additional DNS servers for both my WANs, I can access internet web pages (like google.com) from my LAN, but the unexpected traffic is present and overloads my bandwidth:





But on the contrary, when I deactivate the additional DNS servers, I cannot access internet web pages (like google.com) from my LAN, but my bandwidth is not overloaded  :D





Any idea ?  ???

Online stephenw10

Re: Unexpected traffic from PFSENSE to WAN
« Reply #2 on: July 08, 2012, 10:52:28 am »
Do you have any packages installed? Which ones?

Steve

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #3 on: July 08, 2012, 04:43:35 pm »
Hello!
Only vnstat2, but it was installed after the first time I saw this issue.
Except for this one, I have no additional script/module/plugin/package :)

Online stephenw10

Re: Unexpected traffic from PFSENSE to WAN
« Reply #4 on: July 08, 2012, 05:10:19 pm »
Well that's very odd then.  :-\
I can think of no good reason for that traffic.
What connections is it making when it happens? Where is the traffic going to/coming from?

Steve

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #5 on: July 08, 2012, 05:14:03 pm »
I don't know...
What can I do to know exactly?

The only thing I know is that it is from my WAN to the Internet...  :-\

Online cmb

  • Chris Buechler
Re: Unexpected traffic from PFSENSE to WAN
« Reply #6 on: July 08, 2012, 05:32:52 pm »
Packet capture on WAN and see what the traffic is.

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #7 on: July 08, 2012, 05:35:03 pm »
I will test right now and let you know :)

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #8 on: July 08, 2012, 05:41:32 pm »
10 seconds capturing packets exchanged with the Internet on my impacted WAN interface:

00:45:50.427527 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.428153 IP 109.190.0.52.61861 > 91.121.164.184.53: UDP, length 38
00:45:50.428165 IP 109.190.0.52.61861 > 91.121.164.227.53: UDP, length 38
00:45:50.428257 IP 109.190.0.52.19191 > 91.121.164.184.53: UDP, length 38
00:45:50.428280 IP 109.190.0.52.19191 > 91.121.164.227.53: UDP, length 38
00:45:50.430328 IP 109.190.0.52.62649 > 91.121.164.184.53: UDP, length 38
00:45:50.430339 IP 109.190.0.52.62649 > 91.121.164.227.53: UDP, length 38
00:45:50.441892 IP 109.190.0.52.13861 > 91.121.164.184.53: UDP, length 38
00:45:50.441911 IP 109.190.0.52.13861 > 91.121.164.227.53: UDP, length 38
00:45:50.444127 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.444137 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.446833 IP 109.190.0.52.51254 > 91.121.164.184.53: UDP, length 38
00:45:50.446850 IP 109.190.0.52.51254 > 91.121.164.227.53: UDP, length 38
00:45:50.447549 IP 109.190.0.52.55356 > 91.121.164.184.53: UDP, length 38
00:45:50.447559 IP 109.190.0.52.55356 > 91.121.164.227.53: UDP, length 38
00:45:50.453027 IP 109.190.0.52.61861 > 91.121.164.184.53: UDP, length 38
00:45:50.453037 IP 109.190.0.52.61861 > 91.121.164.227.53: UDP, length 38
00:45:50.459365 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.459374 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.461363 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.461373 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.462566 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.462574 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.467022 IP 109.190.0.52.62649 > 91.121.164.184.53: UDP, length 38
00:45:50.467032 IP 109.190.0.52.62649 > 91.121.164.227.53: UDP, length 38
00:45:50.469234 IP 91.121.164.227.53 > 109.190.0.52.62649: UDP, length 2768
00:45:50.469241 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.470326 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.471419 IP 91.121.164.227.53 > 109.190.0.52.61861: UDP, length 2768
00:45:50.471425 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.472513 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.474385 IP 91.121.164.227.53 > 109.190.0.52.45649: UDP, length 3961
00:45:50.474391 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.475378 IP 109.190.0.52.55736 > 91.121.164.184.53: UDP, length 38
00:45:50.475390 IP 109.190.0.52.55736 > 91.121.164.227.53: UDP, length 38
00:45:50.475875 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.475881 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.476499 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.477748 IP 91.121.164.227.53 > 109.190.0.52.24007: UDP, length 2768
00:45:50.477756 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.478841 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.479779 IP 91.121.164.227.53 > 109.190.0.52.25612: UDP, length 2768
00:45:50.479785 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.481027 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.482277 IP 91.121.164.227.53 > 109.190.0.52.55356: UDP, length 2768
00:45:50.482283 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.482606 IP 109.190.0.52.60126 > 91.121.164.184.53: UDP, length 38
00:45:50.482624 IP 109.190.0.52.60126 > 91.121.164.227.53: UDP, length 38
00:45:50.482780 IP 109.190.0.52.19191 > 91.121.164.184.53: UDP, length 38
00:45:50.482792 IP 109.190.0.52.19191 > 91.121.164.227.53: UDP, length 38
00:45:50.483023 IP 109.190.0.52.24513 > 91.121.164.184.53: UDP, length 38
00:45:50.483033 IP 109.190.0.52.24513 > 91.121.164.227.53: UDP, length 38
00:45:50.483206 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.485234 IP 91.121.164.227.53 > 109.190.0.52.49853: UDP, length 2768
00:45:50.485241 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.486171 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.486267 IP 109.190.0.52.49203 > 91.121.164.184.53: UDP, length 38
00:45:50.486284 IP 109.190.0.52.49203 > 91.121.164.227.53: UDP, length 38
00:45:50.487237 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.487244 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.488330 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.489584 IP 91.121.164.227.53 > 109.190.0.52.55736: UDP, length 2768
00:45:50.489736 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.490829 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.492391 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.492399 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.493639 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.495357 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.495363 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.496449 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.497854 IP 91.121.164.227.53 > 109.190.0.52.61861: UDP, length 2768
00:45:50.497861 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.498947 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.499366 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.499384 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.500181 IP 91.121.164.227.53 > 109.190.0.52.19191: UDP, length 2768
00:45:50.500187 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.501117 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.502530 IP 109.190.0.52.50147 > 91.121.164.184.53: UDP, length 38
00:45:50.502547 IP 109.190.0.52.50147 > 91.121.164.227.53: UDP, length 38
00:45:50.502877 IP 91.121.164.227.53 > 109.190.0.52.62649: UDP, length 2768
00:45:50.502999 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.503009 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.503035 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.503094 IP 109.190.0.52.42928 > 91.121.164.184.53: UDP, length 38
00:45:50.503104 IP 109.190.0.52.42928 > 91.121.164.227.53: UDP, length 38
00:45:50.503900 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.505617 IP 91.121.164.227.53 > 109.190.0.52.13861: UDP, length 2768
00:45:50.505774 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.506867 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.507960 IP 91.121.164.227.53 > 109.190.0.52.24513: UDP, length 2768
00:45:50.507972 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.508834 IP 109.190.0.52.29227 > 91.121.164.184.53: UDP, length 38
00:45:50.508851 IP 109.190.0.52.29227 > 91.121.164.227.53: UDP, length 38
00:45:50.508936 IP 109.190.0.52.21616 > 91.121.164.184.53: UDP, length 38
00:45:50.508958 IP 109.190.0.52.21616 > 91.121.164.227.53: UDP, length 38
00:45:50.509054 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.510302 IP 91.121.164.227.53 > 109.190.0.52.51254: UDP, length 2768
00:45:50.510459 IP 91.121.164.227 > 109.190.0.52: udp
00:45:50.511551 IP 91.121.164.227 > 109.190.0.52: udp

Online cmb

  • Chris Buechler
Re: Unexpected traffic from PFSENSE to WAN
« Reply #9 on: July 08, 2012, 05:46:13 pm »
Mostly DNS, open in Wireshark and see what the queries/responses actually are.

Offline lespagnol

Re: Unexpected traffic from PFSENSE to WAN
« Reply #10 on: July 14, 2012, 08:42:17 pm »
Dear cmb,
Something like that? => http://img15.hostingpics.net/pics/901020Wireshark.jpg



Does it make sense to you?
Many thanks for your help.

Online cmb

  • Chris Buechler
Re: Unexpected traffic from PFSENSE to WAN
« Reply #11 on: July 14, 2012, 09:26:01 pm »
Guessing the 109.190.0.52 is your IP from that example, at least judging by the fact the bandwidth is downstream. Something is doing ANY lookups on ripe.net and isc.org, which generate very large responses, at an absurd pace. Nothing on a stock pfSense install will generate any queries even remotely like that. Switch the capture to LAN and see if you see the requests there. In a default configuration, the only way any queries like that could possibly be initiated would be by something on an internal network.