iPads that sleep need to log back in
-
Hi there. We used to have pfSense 2.4.3 (I recall) and everything was fine with the iPads through Ubiquiti wireless APs to get to a couple websites that require secure login.
Recently we moved to a different ISP (Metronet) and with that we put a pfSense 2.4.5 in place. Now it seems the iPads when they sleep get disconnected (as if their state is being terminated) and then the users have to log back into the websites. Clover is one, and XTime is another.
I hope this is the right area to post this. Excuse me if not.
I set the System Advanced firewall and NAT settings for greater lengths of time, didn't help.
They are now higher than defaults:
TCP First is 3600 seconds
TCP Opening 900
TCP Established 86400
Closing 3600
FIN Wait 600
Closed 180
Rebooted pf and those changes didn't help at all.
Does this make sense in any way? We haven't had to tune pf for anything like this before.
Thanks for any thoughts. I'm not convinced the iPads are innocent. Maybe they are turning off the wireless and switching to cellular when they go to sleep, and that terminates the connection through pf?
Rich
-
@sunbeltpcls The states on pfSense have zero to do with it... If your client isn't keeping the connection alive to the server - then yeah they prob log you out.. My bank, if you don't do anything, disconnects you in like 5 minutes.
2.4.5 - really?
-
Someone figured 2.4.5 was fine since there isn't any VPN or other stuff open to the Internet. Just site-to-site IPsec VPN.
Elsewhere we have been testing the newest versions of two of the other "free" firewalls. I don't know if I should mention them here.
-
@sunbeltpcls who figured - it's from 3 years ago.. Where did you even get it? You cannot download it from pfSense..
-
@johnpoz the 2.4.5 came from prepared flash drives we kept for the functioning firewalls. 2.4.5 ran for over 400 days without a reboot. Intel dual port gig cards. Pretty stable. Running on older business PCs on 20-100Mbit connections. Testing for something better now that we finally have gigabit around here.
-
@sunbeltpcls said in iPads that sleep need to log back in:
since there isn't any VPN or other stuff open to the Internet. Just site-to-site IPsec VPN
IPSEC is (a form of) VPN.
With 2.4.5: it's probably still using SHA1 or HMAC, or an animal like that, so there is the possibility that your 'tunnel' can get decrypted in real time as it is using a very old (now) SSL library. Very soon, you can make a choice: using the much faster 'No IPSEC at all' as it doesn't matter anymore. I understand: don't (or why) touch a good running system?
Consider this reasoning: the day you have a security issue, you won't notice it. No news flashes on Fox News and CNN. Nothing. As no one bothers, none of them (us) was using that old software anyway.
About the session times expiring way faster than before: you missed the "session replay story". It goes like this: my trojan in your PC steals (sends to me) the fresh cookie in your browser's cache. As soon as a login takes place, I can also use that cookie and "no questions asked", I'm right in. It's as easy as that.
Edit: OK, I'm exaggerating. I know, "2.4.5" was known to be good.
-
@Gertjan said in iPads that sleep need to log back in:
I know, "2.4.5" was known to be good.
But did they even update it to p1, which had a lot of security fixes in it? I don't think 2.4.5p1 is available to update to if they had some stick with only 2.4.5 on it.
I just don't understand not updating your security software.. Also if you have any questions, this doesn't work, or how do I do xyz - nobody is going to help you with a 3-year-old version of the software.
-
@johnpoz Sirs, thank you for your recommendations and all.
We are running this updated 2.4.5. I know it is still old and we are going to take your recommendations and start pushing forward to newer versions and systems. Thank you, thank you for injecting more sanity into my world. There's never enough good ideas. I appreciate you.
2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:17 EDT 2020
FreeBSD 11.3-STABLE