NAT Reflection (timeout problem)
-
This timeout issue is causing me a lot of heartache as well.
I've just replaced a WRT54G running DD-WRT with a pfsense box (VLAN-based one-armed router) and everybody is complaining about ssh timeouts and the like. 20s is way too short.
In my case, making that timeout an hour wouldn't hurt much, since there are about four forwards on the box, and I can't see more than a few connections to each. Certainly consuming two states is a non-issue.
I really like the other features of pfSense, but unfortunately this could be a dealbreaker for us.
-Zandr
-
Maybe turn on SSH keep-alives? PuTTY supports it and so does ssh.
-
That takes care of SSH, and we've done that, but we have other applications (our software) that expect idle connections to last more than a few seconds.
Even just making that configurable would be a huge help.
-Z
-
Okay, I added a hidden option for controlling this.
Edit config.xml by downloading it via the webConfigurator backup feature.
Add a <reflectiontimeout>100</reflectiontimeout> area to <system>. So it should end up looking something like:
<system><reflectiontimeout>100</reflectiontimeout></system>
Upload the changed config.xml … The firewall will reboot.
This will show up in about 2 hours after the snapshot server rebuilds the images.
-
Outstanding. I'll grab a new image in the morning. Thanks for the super-fast response.
-Zandr
-
Very nice, this also works for me. Will this feature also be integrated into the GUI?
-
Doubtful.
-
I never followed up here… This is working great. I set it to 3600s (1hr) and all of the issues with our other apps have gone away.
We only have a few forwards anyway, so I'm not too concerned about the resources consumed by those nc's.
I'd second the suggestion to tuck this into the GUI somewhere, it's a pretty useful feature. Though, if it were superseded by Dhauzimmer's patch, that could be even better.
Thanks again.
-
Will consider the GUI option after I pass it by other devs.
The patch was submitted to coreteam but had the potential to break QOS and Multi-Wan so it is not quite ready yet. This is going from memory... I am terribly sorry if I am confusing two different incidents.
-
Why not just default it to 1 hour? I'd rather not see yet another knob that people will twist for no good reason exposed.
–Bill
-
I am perfectly fine with this as long as no DOS potential is present?
-
Question
I see on blogspot that you changed the NAT reflection timeout to 2000 by default, so I decided to remove the line <reflectiontimeout>2000</reflectiontimeout> (it works with this line) from config.xml. I rebooted my server machine and tried connecting to battle.net (the way I test the NAT reflection timeout) with 2 users on the LAN. After 20s the LAN user who had joined the game was disconnected.
So the question: do I need to install a fresh copy of pfSense, or is this normal and I just put that line back into config.xml?
I am using the latest version of pfSense, 1.2 RC2 18.8.2007
Thx
-
You cannot simply remove the line. It needs a value.
-
As far as I see, this line is optional and only changes the default value to the value that you want. So I thought that now that the default is 2000s, the line in config.xml for the reflection timeout isn’t needed any more. Am I wrong?
-
Yes, that is wrong. If you do not want a timeout, set it to 0.
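As an added example, not code from this thread or from the pfSense project: a small Python helper that applies the config.xml edit described earlier in the thread (a <reflectiontimeout> element directly under <system>, value in seconds) and reads it back, reflecting the two rules given in the replies: the element must carry a value if present, and 0 means no timeout. It assumes the element is a plain integer in seconds directly under <system>; the build default used when the element is absent is passed in by the caller, since the thread quotes both 300 and 2000 seconds. The config fragment is constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a pfSense config.xml fragment; not a real backup.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <hostname>fw</hostname>
  </system>
  <nat/>
</pfsense>
"""


def set_reflection_timeout(config_xml: str, seconds: int) -> str:
    """Return config_xml with <system><reflectiontimeout> set to `seconds`.

    Per the thread, 0 means "no timeout". Negative or non-integer values are
    rejected here so a typo never reaches the firewall. The element is inserted
    if missing and replaced in place if already present (never duplicated).
    """
    if isinstance(seconds, bool) or not isinstance(seconds, int) or seconds < 0:
        raise ValueError("reflectiontimeout must be a non-negative integer (seconds)")
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("config.xml has no <system> section")
    node = system.find("reflectiontimeout")
    if node is None:
        node = ET.SubElement(system, "reflectiontimeout")
    node.text = str(seconds)
    return ET.tostring(root, encoding="unicode")


def get_reflection_timeout(config_xml: str, build_default: int) -> int:
    """Return the effective timeout in seconds.

    `build_default` is what the firewall uses when the element is absent; the
    thread mentions 300 s ("IIRC") and later 2000 s, so the caller supplies the
    value matching their build (assumption: it is not read from the file).
    An element that exists but is empty is the mistake discussed in the thread
    ("It needs a value"), so it is reported rather than silently defaulted.
    """
    root = ET.fromstring(config_xml)
    node = root.find("system/reflectiontimeout")
    if node is None:
        return build_default
    if node.text is None or not node.text.strip():
        raise ValueError("<reflectiontimeout> is present but empty; set it to 0 to disable")
    return int(node.text.strip())


if __name__ == "__main__":
    # Set an hour, as Zandr did, then print the resulting fragment.
    print(set_reflection_timeout(SAMPLE_CONFIG, 3600))
```

Run it against a downloaded backup by reading the file into a string, calling `set_reflection_timeout`, and writing the result back before uploading through the webConfigurator restore. The reader-side check in `get_reflection_timeout` distinguishes "element absent" (build default applies) from "element present but empty" (rejected), which is exactly the distinction the replies above draw.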
-
Ok, and what is the default timeout if there is no line in config.xml? I'm asking because you added that option in the past: »I added a hidden option for controlling this«.
-
300 seconds IIRC.
-
Thx for the info.