• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

[SOLVED more or less] pfSense closing IIS HTTP connection on Response.Flush?

Scheduled Pinned Locked Moved Firewalling
3 Posts 2 Posters 2.7k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • J
    joppybt
    last edited by Aug 7, 2016, 1:51 PM Aug 4, 2016, 10:42 AM

    On my internal network I have a Windows 2012R2/IIS 8.5 webserver running a Classic ASP website.

    Until yesterday I was using an old WRT54G router that forwarded my external IP address to this webserver. This has been running for years.

    Yesterday I switched to pfSense (the latest v2.3.2) and setup a NAT rule to the server. At first everything seemed to be ok until I found out a few (but always the same) pages never finished loading (my browser kept saying 'Loading').

    After some detective work I found out that (only) the failing pages had a 'Response.Flush()' statement. With that knowledge I could reproduce the problem with the following test.asp file:

    
<%@language = "javascript" %>
<%
  Response.Write("Hello ");
  Response.Flush();
  Response.Write(" World");
  Response.End();
%>

    When this page is accessed from the outside world through pfSense it never finishes loading. When accessed internally directly to the server it works fine.
    When I remove the Response.Flush(); line it works fine with pfSense as well.

    This may be relevant: the Fiddler statistics for a failing page suggest a ServerDoneResponse was never passed through pfSense:

    ServerConnected:	12:39:38.938
FiddlerBeginRequest:	12:40:00.801
ServerGotRequest:	12:40:00.801
ServerBeginResponse:	12:40:00.806
GotResponseHeaders:	12:40:00.806
ServerDoneResponse:	00:00:00.000
ClientBeginResponse:	00:00:00.000
ClientDoneResponse:	00:00:00.000

    This may very well be an IIS quirk but as there is only a problem with pfSense and not without it I was hoping someone might understand what is going on.

    1 Reply Last reply Reply Quote 0
    • J
      joppybt
      last edited by Aug 7, 2016, 1:50 PM

      After some more investigating I think I found the 'cause'. Under System/Advanced I had 'NAT + Proxy' configured for NAT reflection.

      After I replaced it with split DNS (forwarded internal traffic directly to the webserver) all problems where gone.

      I still think it is strange (and perhaps a bug) that with NAT+Proxy a Response.Flush by a webserver can cause failure but if I understand correctly NAT reflection is always a bit of a hack.

      1 Reply Last reply Reply Quote 0
      • J
        jimp Rebel Alliance Developer Netgate
        last edited by Aug 8, 2016, 1:18 PM

        NAT Reflection is definitely a kludge but, sadly, it still has a place in some setups

        Order of preference is:

        1. No reflection / Split DNS (Best)
        2. Pure NAT reflection (OK)
        3. NAT+Proxy (Bleh)

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 0
        3 out of 3
        • First post
          3/3
          Last post
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
          This community forum collects and processes your personal information.
          consent.not_received