Rhasspy gorging on bandwidth and has 2 external IP addresses - what's up with that?

So I run Rhasspy on a dedicated Pi3B+. It just chills there basically, doing rhasspy stuff.

Then for reasons I had to reconfigure my UniFi mesh, which is how I noticed that one of my APs had done a shitload of traffic in the last 24 hours. That’s unusual for me so I clicked in to see what was using it.

The Rhasspy box, it turns out. It’s literally the only thing on that AP that isn’t just pinging every so often, and it’s apparently eating bandwidth for breakfast: it has moved 9.5GB in 24 hours. Weird for a box that is basically listening for a wakeword.

This is where it gets weird.

I use a UniFi mesh with 5 APs, with the controller running on my Home Assistant OS Pi4. It works great, but because I don’t have a Ubiquiti gateway, traffic analysis isn’t available.

So instead, I logged into my pihole to see what the Rhasspy box had been doing, and discovered that the MAC address of the Rhasspy box has 3 IP addresses, two of which are external to my network.

Clicking into those IP addresses, I get absolutely zero traffic data. This doesn’t mean there’s no traffic, it means that none of the IP addresses on that box are respecting the default configured DNS, and are instead using their own hardcoded DNS.

So let’s recap. My UniFi Controller says that the MAC address of the Rhasspy box has generated 9.5GB of traffic in the last 24 hours. Said box has 3 IP addresses, 2 of which seem to be external. I have no logs of the traffic, because the extent of my logging is a pihole.

Is any of this normal? I know, for example, that Rhasspy runs in a container. Boxes with containers can have more than one IP address. But if Rhasspy is the only thing running on that box, why are there 2 external IPs?

We wonders, yes Precious, we wonders.

EDIT: I have configured my router to force all DNS traffic to the pihole, even if the device is clever and is trying to use its own DNS. Let us see what happens over time.

If I saw that behaviour I would immediately assume the box had been hacked and blow it away and rebuild, but I’m a bit paranoid about computers suddenly behaving contrary to my expectations, particularly when they acquire unconfigured addresses and start spamming things across the network.

Find Docker IPs:

docker inspect -f '{{range.NetworkSettings.Networks}}{{.IPAddress}}{{end}}' container_name_or_id

Greeting, Jens
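
Added example, not part of the thread: a way to triage the addresses a dashboard lists for one MAC by sorting them into LAN, Docker-internal, other non-routable, and genuinely public, using the subnets reported by `docker network inspect`. The sample JSON, the observed addresses and the LAN subnet are constructed for illustration, and the function names are hypothetical.

```python
import ipaddress
import json

# Constructed sample: trimmed output of `docker network inspect bridge`,
# run on the host in question (values are made up for this example).
DOCKER_NETWORKS_JSON = """
[{"Name": "bridge",
  "IPAM": {"Config": [{"Subnet": "172.17.0.0/16", "Gateway": "172.17.0.1"}]},
  "Containers": {"abc123": {"Name": "rhasspy", "IPv4Address": "172.17.0.2/16"}}}]
"""

# Constructed sample: addresses a DNS/DHCP dashboard shows for one MAC.
OBSERVED = ["192.168.1.50", "172.17.0.2", "8.8.8.8"]
LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN subnet


def docker_subnets(inspect_json):
    """Return [(network_name, ip_network)] from `docker network inspect` JSON."""
    nets = []
    for net in json.loads(inspect_json):
        for cfg in (net.get("IPAM", {}).get("Config") or []):
            if cfg.get("Subnet"):
                nets.append((net["Name"], ipaddress.ip_network(cfg["Subnet"])))
    return nets


def classify(addr, lan, subnets):
    """Label one address: lan, docker:<network>, non-routable, or public."""
    ip = ipaddress.ip_address(addr)
    if ip in lan:
        return "lan"
    for name, net in subnets:
        if ip in net:
            return f"docker:{name}"
    # is_global is False for RFC 1918, link-local, loopback and CGNAT ranges.
    return "public" if ip.is_global else "non-routable"


def report(observed, lan, inspect_json):
    """Map every observed address to its label."""
    subnets = docker_subnets(inspect_json)
    return {addr: classify(addr, lan, subnets) for addr in observed}


if __name__ == "__main__":
    for addr, label in report(OBSERVED, LAN, DOCKER_NETWORKS_JSON).items():
        print(f"{addr:15} {label}")
```

Only addresses labelled `public` are outside the network; one labelled `docker:<network>` or `non-routable` is outside the LAN subnet but cannot be reached from the internet.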