Faulty traffic reporting (25.1.7, existing install upgraded)

Started by ThuTex, May 20, 2025, 10:22:36 AM

Versions:
OPNsense 25.1.7-amd64
FreeBSD 14.2-RELEASE-p3
OpenSSL 3.0.16

Setup:
2 WAN connections, 1 physical connection to the switch, several VLANs, CrowdSec and IPS (from the "regular" intrusion detection) active on both WAN interfaces, Maltrail active on all VLANs, and the network configured as router-on-a-stick.

Issue:

I am running IP cams on VLAN 1006, which are being streamed to my NAS on VLAN 1002.

The traffic graph correctly shows the traffic of both interfaces, BUT:

it is also showing that exact same traffic going over the default, untagged VLAN ("lan_default"), where there is no real traffic.
The "top hosts" dots also correctly show that there is pretty much no traffic on that default VLAN, but the graphs themselves do not (see the attached screenshot, showing only that default LAN).

This same inconsistency also shows in Insights, and it is not fixed by a reboot, a reset of the NetFlow/RRD data, or a repair of the NetFlow data.

I've been using OPNsense for years, and admittedly I changed too much at once (updating to 25.1.7, rebuilding firewall rules back mostly to interface instead of floating because of the number of rules, ...), but I have never had an issue like this (that wasn't fixed by resetting the graphs or just rebooting the machine).

So, does anyone have any idea where to go looking for this issue?



Alas, nobody having any similar experiences?

I don't want to open a bug report because I'm not sure if it's "just my installation", something I have overlooked, or an actual bug...

So if anyone here is doing router-on-a-stick and has a few VLANs, I would appreciate some input on whether you're seeing similar results (i.e. the default LAN on the interface showing the same traffic (both in and out) that's actually passing between 2 VLANs).

The traffic of a parent interface will always be the sum of all VLANs configured on that same parent interface. Plus any untagged traffic, but you should not use a VLAN parent for untagged traffic, anyway, for exactly this reason among others.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
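The relationship stated in the reply above (parent counters = sum of the VLAN children + untagged traffic) can be checked directly on the box, outside the RRD/NetFlow graphs, from the kernel's own interface counters. The script below is an added example and is not code from the original thread or from OPNsense: it reads `ifconfig` to learn which vlan(4) interfaces hang off which parent (the `parent interface:` line) and `netstat -ibn` for the link-level byte counters, then subtracts the children from the parent to recover the untagged share. The interface names are the poster's (igc1, igc1_vlan1002, igc1_vlan1006); the two embedded text samples are constructed in the layout of the real tools and all byte values in them are invented for illustration.

```python
"""Untagged-vs-VLAN byte accounting for a FreeBSD/OPNsense VLAN parent.

On FreeBSD the byte counters of a VLAN parent include every tagged frame
that is later demultiplexed to a vlan(4) child, so the parent's graph is
the sum of its children plus whatever untagged traffic it carries.  Here we
recover the untagged share as parent minus children.  Both text samples
below are CONSTRUCTED; the numbers are invented.
"""
import re
import subprocess
from typing import Dict, Tuple

# Constructed `ifconfig` excerpt (only the lines the parser needs are kept).
SAMPLE_IFCONFIG = """\
igc1: flags=8963<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tether 00:11:22:33:44:55
igc1_vlan1002: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tgroups: vlan
\tvlan: 1002 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
igc1_vlan1006: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
\tgroups: vlan
\tvlan: 1006 vlanproto: 802.1q vlanpcp: 0 parent interface: igc1
"""

# Constructed `netstat -ibn` excerpt, link-level (<Link#N>) rows only.
# Scenario: cams on vlan1006 stream in, NAS on vlan1002 receives, and the
# parent igc1 carries all of it plus a little untagged traffic.
SAMPLE_NETSTAT = """\
Name    Mtu Network       Address              Ipkts Ierrs Idrop     Ibytes    Opkts Oerrs     Obytes  Coll
igc1   1500 <Link#2>      00:11:22:33:44:55   180000     0     0  130000000   160000     0  126000000     0
igc1_vlan1002 1500 <Link#5> 00:11:22:33:44:55   9000     0     0    8000000   150000     0  118000000     0
igc1_vlan1006 1500 <Link#6> 00:11:22:33:44:55 160000     0     0  120000000     6000     0    5000000     0
"""

LINK_RE = re.compile(r"^(\S+)\s+\d+\s+<Link#\d+>")
IFACE_RE = re.compile(r"^(\S+):\s+flags=")
PARENT_RE = re.compile(r"parent interface:\s+(\S+)")


def parse_vlan_parents(ifconfig_text: str) -> Dict[str, str]:
    """Map vlan interface name -> parent interface name from ifconfig output."""
    parents: Dict[str, str] = {}
    current = None
    for line in ifconfig_text.splitlines():
        m = IFACE_RE.match(line)
        if m:                       # "name: flags=..." starts a new interface
            current = m.group(1)
            continue
        m = PARENT_RE.search(line)  # only vlan(4) interfaces carry this line
        if m and current:
            parents[current] = m.group(1)
    return parents


def parse_link_counters(netstat_text: str) -> Dict[str, Tuple[int, int]]:
    """Map interface name -> (Ibytes, Obytes) from the <Link#N> rows of netstat -ibn.

    Fields are indexed from the end of the row (Ibytes is 5th from last,
    Obytes 2nd from last) so an empty Address column, as on lo0, does not
    shift the parse.
    """
    counters: Dict[str, Tuple[int, int]] = {}
    for line in netstat_text.splitlines():
        if not LINK_RE.match(line):
            continue
        fields = line.split()
        counters[fields[0]] = (int(fields[-5]), int(fields[-2]))
    return counters


def untagged_bytes(parent: str, parents: Dict[str, str],
                   counters: Dict[str, Tuple[int, int]]) -> Tuple[int, int]:
    """Return (in_bytes, out_bytes) on `parent` not attributable to its VLAN children.

    A negative result means the two commands were sampled far apart, or a
    child was re-created (counter reset) after the parent kept counting.
    """
    pin, pout = counters[parent]
    for vlan, par in parents.items():
        if par == parent and vlan in counters:
            cin, cout = counters[vlan]
            pin -= cin
            pout -= cout
    return pin, pout


def report(parent: str, ifconfig_text: str, netstat_text: str) -> str:
    """Human-readable breakdown for one parent interface."""
    parents = parse_vlan_parents(ifconfig_text)
    counters = parse_link_counters(netstat_text)
    lines = [f"{parent:<16} in={counters[parent][0]:>12} out={counters[parent][1]:>12}"]
    for vlan, par in sorted(parents.items()):
        if par == parent and vlan in counters:
            lines.append(f"  {vlan:<14} in={counters[vlan][0]:>12} out={counters[vlan][1]:>12}")
    uin, uout = untagged_bytes(parent, parents, counters)
    lines.append(f"  {'untagged':<14} in={uin:>12} out={uout:>12}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Run against the live system (FreeBSD/OPNsense shell); fall back to the
    # constructed samples anywhere else so the script still demonstrates itself.
    try:
        ifc = subprocess.run(["ifconfig"], capture_output=True, text=True, check=True).stdout
        nst = subprocess.run(["netstat", "-ibn"], capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        ifc, nst = SAMPLE_IFCONFIG, SAMPLE_NETSTAT
    print(report("igc1", ifc, nst))
```

On the constructed sample the untagged share of igc1 comes out as 2,000,000 bytes in and 3,000,000 bytes out, while the parent itself reports 130,000,000 / 126,000,000: almost everything on the parent is the camera stream entering on vlan1006 and leaving on vlan1002, which is exactly why a graph of the parent looks like a copy of the inter-VLAN traffic. Take both snapshots in quick succession, and treat any negative result as a sampling or counter-reset artifact rather than real traffic.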

I am fairly certain that previously (24.x was the last time I checked the graph, I think) I did not have lan_default showing the traffic like this,
though I can follow your logic as to the physical parent interface counting all traffic (but it should still be possible to sort that out in the graphs, I think?).

The same goes for some other things, by the way (a very long time ago, setting up new interfaces allowed somewhat freer naming, such as using igc1_vlan1006 instead of the much more normal vlan0.1006 that should have been used).

Anyway:
the physical interface is igc1;
lan_default is the default network that is auto-created on the interface (identifier lan, on parent igc1);
the VLANs, obviously, are igc1_vlan1002 and igc1_vlan1006;
they have the interfaces 1002_servers (opt2) and 1006_security (opt6)
(as stated, under VLAN interfaces they are still known by their old interface names, which were accepted back then, such as igc1_vlan1006, something no longer possible for new ones, as it quite correctly needs to be vlan0.1006).


Just for my information, I'm assuming that when you say you shouldn't use the parent interface, you mean it should have had vlan0.1 as the default VLAN interface, right (and then have the switch handle it)?

(Again though, history reasons: there was a lan_default that I believe was not even removable long ago, plus untagged access needed to be possible, and the original setup dates back to when it was on ESXi, so there is definitely some improvement to be made.)

In short: yes, I agree with you that the setup isn't ideal (I'm working on getting it to where it needs to be, step by step, when I have time),
but I don't remember the graphs behaving like this before, which is why I created the post (as opposed to a bug report, because in itself it's not going to be a bug, likely just some change somewhere to the behaviour).