Page 1 of 2 (results 1 to 10 of 14)
  1. #1
    Newbie
    Join Date
    Apr 2020
    Posts
    13

    Internet traffic from Untangle host itself

    Can anyone tell me what/how much traffic does the Untangle host itself generate to the internet?

    I am seeing multiple connections to various AWS hosts (34.198.230.227, 3.225.107.227), all on port 443 (sometimes 80?).

    This is resulting in 100 MB of traffic down and 50 MB up (daily).

    Initially I thought it was Command Center, but I see traffic even after disabling Command Center.

    Thanks

  2. #2
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,202


    The traffic is from signature updates (IPS the major suspect along with Virus blockers) and report emails. If this is a concern, turn off IPS. Personally I want the latest signatures.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  3. #3
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    Interesting. By IPS, I'm assuming you mean Intrusion Prevention. I didn't have this installed until recently.

    The Apps I am using are: Web Filter, Bandwidth Control, Application Control, Captive Portal, Firewall, Reports, Policy Manager, Configuration Backup. I just installed Intrusion Prevention & Threat Prevention in the last 3 days. I didn't turn on IPS until yesterday.

    I have just disabled and removed Threat Prevention & Intrusion Prevention. Not running Virus Blocker. I get roughly 1-3 report emails per week.

    I continue to see a high amount of traffic in/out of my Untangle host.

  4. #4
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    After disabling Intrusion Prevention and Threat Prevention, I continue to see a large amount of traffic to/from the Untangle host itself. According to DPI on my EdgeRouter X, the Untangle host is generating more traffic than all other hosts on the network!

    Consider that there are 4 of us at home sitting out the coronavirus. It's more traffic than my speedtest.py that runs every 30 minutes!

    What is this traffic? Is this the correct forum for this question?

    [Attachment: Screen Shot 2020-04-08 at 10.11.57 AM.png]

  5. #5
    Untangler jcoffin's Avatar
    Join Date
    Aug 2008
    Location
    Sunnyvale, CA
    Posts
    9,202


    I would have the traffic broken down by port. It might be just DNS traffic.

  6. #6
    Untangle Ninja jcoehoorn's Avatar
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,798


    Quote Originally Posted by ajscam:
    The Apps I am using are: ... Configuration Backup
    There we go. How do you think configuration backup works?

    Also, the Reports App needs some bandwidth to send out its daily messages.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 15.1.0 to protect 500Mbits for ~450 residential college students and associated staff and faculty

  7. #7
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    Quote Originally Posted by jcoffin:
    I would have the traffic broken down by port. It might be just DNS traffic.
    I'm running 2 pi-hole servers, so most of the DNS traffic is internal, not to the Internet. That would be a LOT of DNS traffic...

    The majority of the traffic is port 443.

    [Attachment: Screen Shot 2020-04-08 at 12.21.01 PM.png]

  8. #8
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    Quote Originally Posted by jcoehoorn:
    There we go. How do you think configuration backup works?

    Also, the Reports App needs some bandwidth to send out its daily messages.
    I have Backups configured for Daily, 23:45, but I hope it doesn't result in a constant stream of internet traffic resulting in over 300MB daily. Besides, the majority of the traffic is Down, not Up.

    I receive about 2-3 emails/week from reports. Not enough to justify this amount of traffic.

  9. #9
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    Here is just a small snippet of the "live" traffic:

    12:45:11.914693 IP 3.220.87.243.443 > 10.12.17.2.3528: Flags [P.], seq 4097:5312, ack 160, win 110, options [nop,nop,TS val 3873729087 ecr 183710913], length 1215
    12:45:11.915174 IP 10.12.17.2.3528 > 3.220.87.243.443: Flags [.], ack 5312, win 319, options [nop,nop,TS val 183710958 ecr 3873729087], length 0
    12:45:11.915951 IP 3.225.107.227.443 > 10.12.17.2.7070: Flags [P.], seq 5312:5363, ack 286, win 110, options [nop,nop,TS val 2931823072 ecr 183710924], length 51
    12:45:11.917844 IP 10.12.17.2.7070 > 3.225.107.227.443: Flags [P.], seq 286:413, ack 5363, win 319, options [nop,nop,TS val 183710960 ecr 2931823072], length 127
    12:45:11.918348 IP 10.12.17.2.7070 > 3.225.107.227.443: Flags [P.], seq 413:659, ack 5363, win 319, options [nop,nop,TS val 183710961 ecr 2931823072], length 246
    12:45:11.924226 IP 10.12.17.2.3528 > 3.220.87.243.443: Flags [P.], seq 160:286, ack 5312, win 319, options [nop,nop,TS val 183710967 ecr 3873729087], length 126
    12:45:11.929174 IP 3.220.87.243.443 > 10.12.17.2.3522: Flags [.], ack 659, win 114, options [nop,nop,TS val 3873729104 ecr 183710938], length 0
    12:45:11.941533 IP 34.195.182.5.443 > 10.12.17.2.7656: Flags [P.], seq 5312:5363, ack 286, win 110, options [nop,nop,TS val 1245590185 ecr 183710946], length 51

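To get the per-port breakdown jcoffin asked for in #5 from a capture like the one above, here is an added example (not from this thread or from Untangle) that parses tcpdump TCP summary lines and sums payload bytes per remote host, port and direction; it assumes the Untangle host's address is 10.12.17.2, as in the capture.

```python
import re
from collections import defaultdict

# Matches the tcpdump IPv4/TCP summary lines quoted above ("host.port > host.port: ... length N").
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):.*\blength (?P<len>\d+)$"
)

def summarize(lines, local_ip):
    """Sum TCP payload bytes per (remote_ip, remote_port), split into
    'down' (arriving at local_ip) and 'up' (leaving local_ip).
    Non-matching lines (non-TCP, IPv6, truncated) and transit traffic are skipped."""
    totals = defaultdict(lambda: {"down": 0, "up": 0})
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        if m["dst"] == local_ip:
            totals[(m["src"], int(m["sport"]))]["down"] += int(m["len"])
        elif m["src"] == local_ip:
            totals[(m["dst"], int(m["dport"]))]["up"] += int(m["len"])
    return dict(totals)

def by_port(summary):
    """Collapse the per-host summary to per-remote-port (down, up) byte counts."""
    ports = defaultdict(lambda: [0, 0])
    for (_, port), t in summary.items():
        ports[port][0] += t["down"]
        ports[port][1] += t["up"]
    return {p: tuple(v) for p, v in ports.items()}

# Constructed sample input: the eight tcpdump lines quoted in post #9.
SAMPLE = """\
12:45:11.914693 IP 3.220.87.243.443 > 10.12.17.2.3528: Flags [P.], seq 4097:5312, ack 160, win 110, options [nop,nop,TS val 3873729087 ecr 183710913], length 1215
12:45:11.915174 IP 10.12.17.2.3528 > 3.220.87.243.443: Flags [.], ack 5312, win 319, options [nop,nop,TS val 183710958 ecr 3873729087], length 0
12:45:11.915951 IP 3.225.107.227.443 > 10.12.17.2.7070: Flags [P.], seq 5312:5363, ack 286, win 110, options [nop,nop,TS val 2931823072 ecr 183710924], length 51
12:45:11.917844 IP 10.12.17.2.7070 > 3.225.107.227.443: Flags [P.], seq 286:413, ack 5363, win 319, options [nop,nop,TS val 183710960 ecr 2931823072], length 127
12:45:11.918348 IP 10.12.17.2.7070 > 3.225.107.227.443: Flags [P.], seq 413:659, ack 5363, win 319, options [nop,nop,TS val 183710961 ecr 2931823072], length 246
12:45:11.924226 IP 10.12.17.2.3528 > 3.220.87.243.443: Flags [P.], seq 160:286, ack 5312, win 319, options [nop,nop,TS val 183710967 ecr 3873729087], length 126
12:45:11.929174 IP 3.220.87.243.443 > 10.12.17.2.3522: Flags [.], ack 659, win 114, options [nop,nop,TS val 3873729104 ecr 183710938], length 0
12:45:11.941533 IP 34.195.182.5.443 > 10.12.17.2.7656: Flags [P.], seq 5312:5363, ack 286, win 110, options [nop,nop,TS val 1245590185 ecr 183710946], length 51
""".splitlines()

if __name__ == "__main__":
    for (ip, port), t in sorted(summarize(SAMPLE, "10.12.17.2").items()):
        print(f"{ip}:{port}  down={t['down']}  up={t['up']}")
    print("per port:", by_port(summarize(SAMPLE, "10.12.17.2")))
```

Feed it a longer capture (`tcpdump -nn -i <wan-if> host 10.12.17.2 > cap.txt`) and the per-port totals show whether 443 really dominates before chasing individual processes.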
  10. #10
    Newbie
    Join Date
    Apr 2020
    Posts
    13


    Looks like most of the traffic is coming from the bctid process:

    tcp 0 126 10.12.17.2:7604 3.225.107.227:443 ESTABLISHED 88942/bctid
    tcp 0 126 10.12.17.2:8190 34.195.182.5:443 ESTABLISHED 88942/bctid
    tcp 0 159 10.12.17.2:7610 3.225.107.227:443 ESTABLISHED 88942/bctid
    tcp 0 159 10.12.17.2:4062 3.220.87.243:443 ESTABLISHED 88942/bctid
    tcp 0 1 10.12.17.2:8196 34.195.182.5:443 SYN_SENT -

    [root@untangle] ~ # ps -ef | grep bctid
    daemon 88942 1 0 Apr07 ? 00:04:03 /usr/bin/bctid -c /etc/bctid/bcti.cfg 8484

    I believe this to be the Webroot BrightCloud, the successor to Zvelo.

    So, all this traffic is due to Web Filter.
    Last edited by ajscam; 04-08-2020 at 10:58 AM.
