Documentation
pfSense Documentation - Configuration and Administration Guides
pfSense Monitoring and Diagnostics - Graphs and Logs
pfSense Monitoring Graphs - Traffic and Resources

pfSense Monitoring Graphs - Traffic and Resources

pfSense includes a built-in performance monitoring system based on RRD (Round-Robin Database). The system automatically collects metrics from the moment of installation - no additional configuration is required. Data is stored in fixed-size RRD files, preventing uncontrolled disk space consumption. Older records are gradually aggregated and replaced by newer ones while preserving the overall picture over extended periods.

Graphs are accessible via Status > Monitoring and display data across multiple categories - from interface throughput to CPU load and firewall state table utilization.

Dashboard Widgets

The pfSense main page (Dashboard) provides widgets for real-time monitoring without navigating to the graphs section. Widget management is accessible through the + icon in the Dashboard header.

System Information

This widget displays real-time system information:

  • Hostname and version - system name, pfSense version, and underlying FreeBSD version
  • CPU - model, frequency, core count, and current utilization percentage
  • Memory - total RAM and current consumption
  • Disk - disk space usage by partition
  • Uptime - system uptime since last reboot
  • Temperature - CPU temperature (when sensor support is available)

Traffic Graphs

This widget visualizes real-time traffic on a selected interface. Inbound and outbound flows are displayed with current speed in bit/s or Byte/s. The refresh interval and graph scale are configurable through widget settings.

Interface Statistics

This widget provides numerical metrics for each network interface:

MetricDescription
Bytes In/OutVolume of transmitted and received data
Packets In/OutNumber of transmitted and received packets
Errors In/OutNumber of interface errors
CollisionsNumber of collisions (Ethernet)

Gateways

This widget displays the status of each configured gateway: IP address, round-trip time (RTT), packet loss percentage, and current state (Online, Warning, Down).

Monitoring Graphs (Status > Monitoring)

The primary graph interface is accessible via Status > Monitoring. By default, the CPU usage graph is displayed. Graph settings allow switching categories, time periods, and combining data on two axes.

Graph Categories

pfSense provides graphs across the following categories:

System

System resource graphs include:

  • CPU Usage - processor load by type: user, system, interrupt, nice, idle. Helps identify processes creating excessive load. Sustained utilization above 80% indicates a need for firewall rule optimization or resource scaling
  • Memory Usage - RAM utilization: active, inactive, wired, cached, free. pfSense on FreeBSD makes extensive use of caching, so a low free value does not necessarily indicate a problem
  • States - number of entries in the firewall state table. A sudden spike may indicate port scanning, DDoS activity, or a malfunctioning application
  • MBUF Clusters - kernel memory buffer usage for network operations. MBUF exhaustion leads to packet loss

Traffic

Throughput graphs for each interface:

  • Traffic - inbound and outbound traffic rate (bit/s). Available for each interface individually - WAN, LAN, OPTx, VPN tunnels
  • Packets - packets per second (pps) per interface. Useful for detecting small-packet attacks that generate high load with minimal bit/s throughput

Quality

Link quality graphs for each gateway:

  • Quality - latency and packet loss to the gateway monitoring target host. Values are determined by monitoring parameters configured in System > Routing > Gateways
  • Quality graphs are essential for Multi-WAN configurations - they enable tracking link degradation before failover to a backup gateway occurs

Captive Portal

Captive Portal activity graphs: concurrent connection count, throughput, and authentication statistics.

NTP

Time synchronization accuracy graphs: offset and delay relative to NTP servers.

Queue / Queuedrops

Traffic Shaper graphs:

  • Queue - traffic volume processed through each queue
  • Queuedrops - number of dropped packets per queue. A high drop count indicates insufficient bandwidth allocation for that queue

DHCP

DHCP server activity graphs: lease count, requests, and denials.

Cellular

Cellular interface graphs (when applicable): signal strength, connection type (3G/4G/LTE).

Wireless

Wireless interface graphs (when applicable): client count, signal strength, noise level.

VPN Users

Active VPN connection count graphs by type (OpenVPN, IPsec, WireGuard).

Time Periods

The system supports the following preset display periods:

PeriodResolutionUse Case
1 hourMaximum (seconds)Diagnosing current issues
8 hoursHighWorkday analysis
1 dayMediumDaily patterns
1 weekMediumWeekly trends
1 monthLowMonthly trends
1 yearMinimumLong-term planning

Graph resolution decreases automatically as the time period increases - this is inherent to the RRD aggregation mechanism. Data for the last hour is presented at maximum granularity, while yearly graphs display averaged values.

The hostname, selected period, and data resolution are printed at the bottom of each graph.

Display Configuration

Graphs support combining categories on two axes:

  • Left axis - primary metric (e.g., WAN Traffic)
  • Right axis - secondary metric for comparison (e.g., CPU Usage)

The graph legend is positioned in the upper right corner. Clicking a data source in the legend hides it from the graph - this is useful when peak values of one metric compress the scale and obscure other data.

A statistics table is displayed below the graph showing minimum, average, maximum, current value, and 95th percentile (for traffic).

Warning:

Totals are not displayed because the RRD storage format does not allow accurate total calculations. To calculate cumulative traffic volumes, install the Status Traffic Totals package via System > Package Manager.

Per-Interface Traffic Monitoring

Each pfSense network interface has its own set of traffic graphs. This enables monitoring of:

  • WAN - total internet traffic volume, detection of anomalous spikes
  • LAN - internal network traffic, identification of bandwidth-intensive hosts
  • OPTx - traffic on additional interfaces (DMZ, guest networks, server VLANs)
  • VPN - traffic through OpenVPN, IPsec, and WireGuard tunnels

To compare traffic across multiple interfaces, use the dual-axis feature or open graphs in separate browser tabs.

Exporting RRD Data

Monitoring data is stored in RRD files in the /var/db/rrd/ directory. Data can be exported through several methods:

GUI Backup

RRD files are included in configuration backups when creating a backup via Diagnostics > Backup & Restore with the RRD data option enabled.

Command-Line Export

To export data in XML format, use the rrdtool utility:

rrdtool dump /var/db/rrd/wan-traffic.rrd > wan-traffic.xml

NetFlow

For detailed traffic analysis broken down by IP address, port, and protocol, use the softflowd package, which exports NetFlow data to an external collector (ntopng, Elastiflow, ManageEngine NetFlow Analyzer).

External Monitoring via SNMP

pfSense supports the SNMP protocol for integration with external monitoring systems. Configuration is performed via Services > SNMP.

SNMP Configuration

Key parameters:

  • Enable SNMP Daemon - activate the SNMP service
  • System Location / Contact - informational fields for device identification
  • Read Community String - read access string (default is public - must be changed)
  • SNMP Modules - module selection: MibII, Netgraph, PF, Host Resources, UCD
  • Bind Interface - interface accepting SNMP queries (should be restricted to LAN or management interface)

Warning:

The default community string (public) must be changed to a unique value. An open SNMP service with the public community string is a common attack vector for network reconnaissance.

Integration with Monitoring Platforms

pfSense integrates with the following platforms via SNMP:

PlatformProtocolFeatures
ZabbixSNMP v2c/v3Ready-made pfSense templates, interface and CPU monitoring
LibreNMSSNMP v2c/v3Auto-discovery, traffic graphs, alerting
PRTGSNMP v2c/v3Sensors for bandwidth and system load
Nagios/IcingaSNMP v2c/v3Checks via check_snmp, PNP4Nagios integration

Prometheus and Grafana

For Prometheus integration and Grafana visualization, use the Telegraf package (installed via System > Package Manager). Telegraf collects system metrics and exports them in a Prometheus-compatible format.

An alternative approach is using the SNMP Exporter for Prometheus, which extracts pfSense metrics via SNMP and exposes them in Prometheus metrics format.

Typical monitoring stack:

pfSense (SNMP/Telegraf) --> Prometheus --> Grafana

Troubleshooting Graphs

Empty Graphs or Zero Values

Possible causes:

  1. Insufficient data - after a reboot or fresh installation, graphs need time to accumulate data. One-hour graphs populate within minutes; yearly graphs take up to a day
  2. Corrupted RRD files - a reboot during a write operation can corrupt a file. Resolution: delete the corrupted file from /var/db/rrd/ - the system will create a new one automatically
  3. RAM disk for /var - when using a RAM disk, RRD data is lost after reboot. pfSense periodically saves RRD data to persistent storage, but data between the last save and reboot will be lost

RRD Data Loss After Reboot

When using a RAM disk for /var (typical for CF card or SSD installations with minimized writes):

  • pfSense automatically saves RRD data to persistent storage at a configurable interval
  • An unclean shutdown (power loss) results in data loss from the last save point
  • Using a UPS and performing clean shutdowns via Diagnostics > Halt System is recommended

Graph Data Does Not Match Actual Traffic

RRD graphs display averaged values. Short-duration traffic spikes may not appear on low-resolution graphs (week, month, year). For accurate analysis, use graphs with the shortest time period (1 hour, 8 hours).

Related Sections

Last updated on
pfSense Diagnostics Tools - Network AnalysispfSense System Logs - Journals and Remote Syslog