Quick Warning: On accounting of traffic going in / out.

Pinned

Comments

18 comments

  • Avatar
    Michael Bierman

    Is this true of Gold in router mode?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Glad you brought this up.  Gold accounting works the same as the blue/red, so the issue of accuracy and how data is accounted will still vary. 

    For example, I have Comcast Xfinity (Cable), and last month, my total internet usage according to Xfinity is around 1T.  While firewalla is around 930GB.    Likely the Xfinity counters include a MAC/IP layer counters.

    We are going to use the interface counter more in the future for data usage, hopefully, this will be a bit more accurate. 

    What I do with my system is, I also set the Firewalla Monthly Data Plan feature to 1T, which is 200GB less than my actual allocated 1.2T...  This does help a lot.  The large bandwidth usage alarms are also useful if you have kids like to leave things streaming all night. 

    1
    Comment actions Permalink
  • Avatar
    Michael K

    in light of Comcast taking advantage of the pandemic to profiteer and add their mad up caps on the east coast-

    any update about the current state of the Gold vs Comcast's numbers? Should we assume still around a 10% difference?

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    So far it is a variation of 10% +/- 5% difference.   We did a measurement with Comcast in the bay area, and the results are at the end of 

    https://help.firewalla.com/hc/en-us/articles/360043859234-Bandwidth-Usage-Monitoring

    For my own uses, I always set the target less than 20% less than my actual limit.  

    1
    Comment actions Permalink
  • Avatar
    Aaron

    So in my case Firewalla (Blue) is telling me that I've used 1.1TB of bandwidth in the month of April. My Comcast account is telling me it's only 730GB. So somehow Firewalla is reporting 50% higher. I'm also getting bandwidth alerts from Firewalla regarding my Synology NAS, which has Netdata installed and shows very detailed metrics on network activity. Often the Firewalla alerts seem to be "ghosts", meaning, I can't correlate it with Netdata reports or any other observable activity on the NAS. Unfortunately my router (Orbi) doesn't provide any of this data so it can't help me get to the bottom of it. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Do you have any nest devices? or anything that may record large amount of data to the cloud?

    0
    Comment actions Permalink
  • Avatar
    Aaron

    In fact, I do! I have a Nest Hello doorbell camera, which does send quite a bit of data to the cloud (hundreds of gigs per month I believe). Does Firewalla struggle with measuring those devices? 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Nest devices usually use a long-lasting TCP connection to transfer your data to their cloud.  And releases before 1.972 will account the flows in the end, so it is likely this long-lasting flow crossed from last month and ended early the current month. 

    1.972 should fix this a bit. 

    0
    Comment actions Permalink
  • Avatar
    Aaron

    Ahh, that makes total sense. Thank you for the quick and very helpful reply! I'll report back after some time with 1.972. 

    0
    Comment actions Permalink
  • Avatar
    Michael Bierman

    @firewalla does this apply to legacy nest accounts, just those migrated to google, or both? 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Our understanding is both, they all use a long-lasting TCP connection to stream data.  The TCP connection can be very long.  1.972 can break this down and measure incrementally, but not 1.971 or earlier. 

    0
    Comment actions Permalink
  • Avatar
    Aaron

    How does Firewalla do with measuring BitTorrent traffic? I just received another bandwidth alert, indicating that my NAS used 15 GB in the last 2 hours. I looked at my Netdata dashboard for the NAS (which hosts the torrent client) and the timeframe corresponds to a window during which one torrent was temporarily uploading at an average of about 300kbps for about 90 minutes. I can see this pretty clearly in the eth0 network interface activity report and also in the docker image network activity (for the torrent client). But in total I think it actually uploaded under 1 GB as shown in both Netdata and in the torrent client UI. So I can't seem to explain why Firewalla is telling me that the NAS uploaded over 15 GB in this timeframe. I seem to be getting these alerts once or twice a day for this NAS server, but I can never seem to match it up with evidence of major network activity on the server itself. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    Firewalla is flow-based, so it will pick the flows and then add their usage up.  The bandwidth usage I think is also a sum of download and upload.  

    0
    Comment actions Permalink
  • Avatar
    Aaron

    Thanks. I feel that there's a bug in here with respect to torrent traffic that results in Firewalla significantly inflating the bandwidth usage (perhaps by 10x or more) and firing false alerts. I may swap Orbi's router functions to an OpenWRT based device which would help to confirm the real internet data usage. If I can prove it with more examples and data on top of what I provided above then I'll post back. 

    0
    Comment actions Permalink
  • Avatar
    Firewalla

    @Aaron, please let us know if you find anything.  Also, if you are using the blue in simple mode, you can also try DHCP mode, the DHCP mode may be a bit more accurate. 

    0
    Comment actions Permalink
  • Avatar
    Aaron

    I reconfigured my home network, adding a wired FreshTomato based router doing all routing services and keeping Orbi in AP mode only (for wireless). Tomato has pretty good bandwidth monitoring, and combined with Netdata on my NAS I think I have some decent data to share. After a few days running in this new configuration, following is an example of the (greatly) overstated bandwidth reporting and alerting from Firewalla. Note that Firewalla is still in Simple mode, and I haven't yet tried reconfiguring it to DHCP mode. 

    There was an alert reported at 1:20am last night by Firewalla, stating that my NAS had used 61.54 Gigs of data in the previous 2 hours (yikes!), which would correspond to about 11:20pm last night (April 27)  and 1:20am (April 28):

    However, this is what my FreshTomato router states for WAN activity over the previous 12 hours (the 2-hour alert window is highlighted loosely). Note that over the whole 12 hours of this report, FreshTomato reports that my entire network only used about 17GB, and certainly only a fraction of that during the highlighted timeframe:

    And, concerning the device alerted by Firewalla (Synology NAS), here's the IP Traffic report from FreshTomato in this timeframe (about 5GB over the whole 12 hours, much less in the highlighted two hours):

    On that NAS device itself, there is one ethernet interface (eth0), monitored by Netdata. Here's that view, which never exceeds 5mb/s. Even if that peak rate were a sustained over 2 hours, I believe this would still only result in under 5GB total. 

    So unless I've completely misunderstood something here, I believe Firewalla is exaggerating the bandwidth usage by more than 10x in this example. Note that in my limited experience with these alerts, I've noticed that the exaggerated ones tend to be associated with small amounts of torrent upload traffic. They seem more reliable with other devices and traffic types on my network.

    0
    Comment actions Permalink
  • Avatar
    Firewalla

     Note that in my limited experience with these alerts, I've noticed that the exaggerated ones tend to be associated with small amounts of torrent upload traffic. They seem more reliable with other devices and traffic types on my network.

    I think this may be the clue.  If I remember correctly when torrenting, there may be cases where the microflows may be cut in the middle by something (network, human, transit...), when that happens, the system will try to guess the flow information from the last packet.   I don't remember what the guess was based on, likely the sequence numbers.

    Now if you are willing to play with this, I think the DHCP mode may solve this issue. (the extra NAT will likely make the guessing more accurate). 

    Or, you can reduce the number of torrent peers, this may also fix something. 

     

    0
    Comment actions Permalink
  • Avatar
    Aaron

    Thanks! I will find an opportunity to try out DHCP mode. While reconfiguring my network a few days ago, the unexpected down time was not appreciated by my family ;)

    0
    Comment actions Permalink

Please sign in to leave a comment.