On FreePBX 220.127.116.11 with Asterisk 13.10.0 with about 90 chan_sip extensions. Also, we’re using the built-in FreePBX Firewall.
While troubleshooting some quality issues (on 5 or so similar servers as well), I noticed on the Dashboard, under the Hourly and Daily Network graphs, that bandwidth seems high.
For example, during the off hours, when no calls are being made, the Daily graph shows about 14MB Rx and Tx. What makes it more interesting is that during the last hour, the average is about 3 Rx and Tx, with a couple spikes in the 10 range (obviously lower than the off hours average). Perhaps the graph just isn’t a great representation of what’s going on network wise.
My questions are: 1. Is this normal? 2. If not, what might it be? 3. What bandwidth tools would you suggest I use to see what is using the extra bandwidth?
So I’m using the built-in FreePBX firewall. Everything is set to internal only, or disabled altogether, except for the required 10,000-20,000 UDP from any required by Anveo, and then an obscure TCP SIP port that we use. In the network exceptions list are some of our IPs, so we can have unlimited access, and Anveo’s servers, basically so they can hit 5060 UDP.
That said, what should I look for when investigating? The attacker, if he exists, has really only the ability to ping the server, and send some traffic to the UDP port range above.
I can’t say it is not available to my deployments. If you have multi-megabytes per sec off peak, you should definitely identify what it is, perhaps a backup script? Those tools will identify hosts and protocols involved.
I think I just figured out what the network activity is: It’s the Live Network Activity gadget itself!! If you open another tab on explorer, and then tab back, you will see the activity flatlined while you were not looking. I made a bug report.
Well, does it show 14MB tx overall or 14Mbps of transfer at a single time? There is a difference between data transferred and data speeds.
If it is 14MB of transfer overnight, let us not forget, kids, that Asterisk is qualifying all of those 90 endpoints at generally 60-second intervals. That’s data, it’s being transferred and received. So yeah, even in off hours the system is transferring data over the network or even over the WAN if your trunks are qualifying or remote endpoints are qualifying. Then there are the DNS requests if there are any FQDNs or DDNS.
There is plenty of “idle” traffic to explain 14MB tx/rx over an overnight or even an hour period. Like I said you’re qualifying 90 endpoints every 60 seconds roughly.
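The distinction between data transferred and data rate, and the size of qualify traffic, can be checked with a short script. This is an added example, not code from any participant in the thread: the two `/proc/net/dev` snapshots are constructed, the one-hour window is assumed, and the 1000 bytes per OPTIONS/200 OK exchange is an assumed round figure rather than a measured one.

```python
# Added example. Snapshots below are constructed, taken one hour apart (assumed).
SNAP_T0 = """Inter-|   Receive                              |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo: 500000 4000 0 0 0 0 0 0 500000 4000 0 0 0 0 0 0
  eth0: 1000000000 900000 0 0 0 0 0 0 2000000000 800000 0 0 0 0 0 0
"""
SNAP_T1 = """Inter-|   Receive                              |  Transmit
 face |bytes packets errs drop fifo frame compressed multicast|bytes packets errs drop fifo colls carrier compressed
    lo: 600000 4800 0 0 0 0 0 0 600000 4800 0 0 0 0 0 0
  eth0: 1014000000 960000 0 0 0 0 0 0 2014000000 860000 0 0 0 0 0 0
"""

def parse_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from /proc/net/dev content."""
    counters = {}
    for line in text.splitlines()[2:]:          # first two lines are headers
        if ":" not in line:
            continue
        name, data = line.split(":", 1)
        fields = data.split()
        counters[name.strip()] = (int(fields[0]), int(fields[8]))
    return counters

def usage(before, after, seconds):
    """Per interface: megabytes moved in the window and average Mbit/s."""
    report = {}
    for iface, (rx1, tx1) in after.items():
        if iface not in before:
            continue
        rx, tx = rx1 - before[iface][0], tx1 - before[iface][1]
        if rx < 0 or tx < 0:                    # counters reset (e.g. reboot)
            continue
        report[iface] = {
            "rx_MB": rx / 1e6, "tx_MB": tx / 1e6,
            "rx_Mbps": rx * 8 / seconds / 1e6,
            "tx_Mbps": tx * 8 / seconds / 1e6,
        }
    return report

def qualify_bytes(endpoints, interval_s, window_s, bytes_per_exchange):
    """Bytes of qualify traffic in a window; bytes_per_exchange is an assumption."""
    return endpoints * (window_s // interval_s) * bytes_per_exchange

if __name__ == "__main__":
    print(usage(parse_net_dev(SNAP_T0), parse_net_dev(SNAP_T1), 3600))
    print(qualify_bytes(90, 60, 3600, 1000) / 1e6, "MB of qualify traffic per hour")
```

With these constructed numbers, 14 MB moved in an hour averages about 0.03 Mbit/s, and 90 endpoints qualified every 60 seconds account for several megabytes of that on their own.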