Firewall states time out during backup?

furom

Hi,

I have a small network with a separate vlan for storage where I keep my NAS. I use NFS4 to backup to the NAS on the storage network. I often find these backups in a non-finished state, and the initiating application just hanging. I have tried to isolate this by installing a fresh Ubuntu based NFS server which I connected to the same vlan as the application backing up to it. This seems to work perfectly, no issues for a substantial amount of backups (run every 15 minutes for testing). But as soon as I switched over to the storage vlan, it hung after just a few runs. This seems to rule out the NAS itself, and possibly(?) also the application starting the backups.

I would appreciate some help debugging this further. It is almost as if the state "ESTABLISHED:ESTABLISHED" that is initiated when backup starts is reset for some reason? Is that even possible? Ports for NFS is open (NFS v3 & 4), checked and re-checked several times...

Edit:
Looking in 'Diagnostics / States / States' I see all states I'd expect... What do I miss?

Thanks

NogBadTheBad

@furom Move the NAS to the normal LAN would be the best thing to do.

What's your hardware, still a Netgate 2100 ?

Doing backups over different subnets is never a wise thing to do, most larger companies will even go as far as having every server connecting to the production LAN and a backup LAN.

furom

@nogbadthebad Yeah, agreed, moving it would be the easiest no doubt. Perhaps this is something that simply should not be done over vlans? I still think it should be possible to segment the network a bit... I will have this as a last resort, but would really like to find out what is causing it to fail

@nogbadthebad said in Firewall states time out during backup?:

What's your hardware, still a Netgate 2100 ?

Yes

johnpoz

@furom said in Firewall states time out during backup?:

is reset for some reason?

If your moving traffic over the connection it shouldn't time out. But sure there might be reasons for it to get killed. Do you have any schedules setup for firewall rules? Do you have your firewall set to kill all states on loss of wan?

furom

@johnpoz said in Firewall states time out during backup?:

Do you have your firewall set to kill all states on loss of wan?

Oh... You may be on to something... I have the first one enabled, as it should generally be a good thing, right... My IP hasn't changed in a while though, but could a re-negiotiation of DHCP possibly be able to cause it to think wan was dropped/IP changed?

NogBadTheBad

@furom Have you tried disabling firewall scrubbing:-

furom

@nogbadthebad said in Firewall states time out during backup?:

@furom Have you tried disabling firewall scrubbing:-

No, I haven't. I see NFS is especially mentioned at that. After having hit the pfSense documentation I found that this is something that is "highly recommended", thus I will take the initial advice and simply move the NAS.

So I've learned that disabling this may absolutely work fine, but at a cost of lowered security.

Thanks all for the help and advice!