Massive Usage in Insights by "Other"

Started by lichen, April 02, 2025, 03:25:39 AM

Hey there! I recently set up OPNsense and have been largely enjoying using it (besides the growing pains of learning more advanced networking).

I really wanted to use it partially due to its traffic monitoring capabilities. Something I noticed after having it run for about a week and a half is that a large portion of my traffic (46%) is coming / going to "other". I looked this up and couldn't find anything on it. But I did notice that even in the official documentation of insights and netflow, that there is 20% of the traffic on there from other. So I know it's not just me. Could y'all please explain what's going on here? I looked at the details, and the "other" line item doesn't have any data associated with it other than the usage. I did download a day's worth of the data and looked at it, and noticed that there is a decent amount of traffic in there coming and going to IPv6 addresses. But there are no IPv6 addresses listed in the graphs, or on the details tab. Furthermore, strangely, I don't have IPv6 enabled on any of my internal physical or VLAN interfaces, and yet I see IPv6 in both the source and destination addresses. Which I don't understand.

So questions:
  • Is Insights just not handling the IPv6 data, and does that represent the "other" category?
  • Why are there any IPv6 addresses on my side of the network if I don't have IPv6 enabled at all (only on the WAN interface)?
  • Can anyone explain what's going on here?

I partially got this set up so I could monitor our internet traffic as the last two months we've used about 8x the traffic we normally do (as reported by Xfinity) and have had to move to an unlimited plan so as to not encounter fees, despite not changing our internet usage.

Thanks so much in advance!
Any help would be greatly appreciated!

Quote from: lichen on April 02, 2025, 03:25:39 AM
So questions:
  • Is Insights just not handling the IPv6 data, and does that represent the "other" category?
  • Why are there any IPv6 addresses on my side of the network if I don't have IPv6 enabled at all (only on the WAN interface)?
  • Can anyone explain what's going on here?

1,2: Lacking specific information, I'd assume auto_linklocal assignments.

3: The netflow analyzer has limits to the specific samples it will enumerate. On my service, for instance, the usual port scans, probes, etc. involved way too many protocols+ports to specify individually after the most common dozen or two. You can get some insight (too convenient a term) into the "other" elements through filter logs, assuming you keep such. I don't have a preferred automated method for that (I just watch the Live Log and search the Plain View); other folks here may. (I ended up disabling netflow, as it simply didn't give me the insights I wanted.)
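
One way to test the link-local guess above against an exported day of flow data, as an added example that is not part of the original thread. The column names (`src_addr`, `dst_addr`, `octets`) and the sample rows are assumptions constructed for illustration; match them to the header of your own export.

```python
import csv
import io
import ipaddress
from collections import Counter

# Constructed sample rows; column names are assumptions, not the real export header.
SAMPLE_CSV = """src_addr,dst_addr,octets
192.168.1.20,93.184.216.34,48213
fe80::1c2d:3eff:fe4f:5a6b,ff02::fb,312
fe80::1c2d:3eff:fe4f:5a6b,ff02::1:ff4f:5a6b,86
2001:db8:10::5,2001:db8:20::9,150000
fd12:3456:789a::7,fd12:3456:789a::1,2048
192.168.1.31,192.168.1.1,910
"""

ULA = ipaddress.ip_network("fc00::/7")  # unique local addresses (RFC 4193)

def scope(addr):
    """Classify one address by IP version and, for IPv6, by address scope."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop a zone id such as %em0
    if ip.version == 4:
        return "ipv4"
    if ip.is_multicast:
        return "ipv6-multicast"
    if ip.is_link_local:          # fe80::/10, self-assigned per interface
        return "ipv6-link-local"
    if ip in ULA:
        return "ipv6-unique-local"
    return "ipv6-non-local"

def bytes_by_scope(csv_text):
    """Sum octets per (source scope, destination scope) pair."""
    totals = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        key = (scope(row["src_addr"]), scope(row["dst_addr"]))
        totals[key] += int(row["octets"])
    return totals

def on_link_only_bytes(totals):
    """Bytes in flows with a link-local endpoint; routers never forward these."""
    return sum(n for (s, d), n in totals.items()
               if "ipv6-link-local" in (s, d))

if __name__ == "__main__":
    totals = bytes_by_scope(SAMPLE_CSV)
    for (src, dst), octets in totals.most_common():
        print(f"{src:>18} -> {dst:<18} {octets:>10}")
    print("on-link only:", on_link_only_bytes(totals))
```

If nearly all IPv6 bytes fall in the link-local rows, that traffic never left the local segment and cannot account for the usage the ISP reports.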