NAT Reflection (timeout problem)

sullrich · Mar 28, 2007, 12:17 AM

Okay, I added a hidden option for controlling this.

edit config.xml by downloading it via the webConfigurator backup feature.

add a <reflectiontimeout>100</reflectiontimeout> area to <system>So it should end up looking something like:

Upload the changed config.xml … The firewall will reboot.

This will show up in about 2 hours after the snapshot server rebuilds the images.</system></system>

n6mod · Mar 28, 2007, 1:05 AM

Outstanding. I'll grab a new image in the morning. Thanks for the super-fast response.

-Zandr

firbc · Mar 28, 2007, 2:59 PM

Very nice this thing also works for me. Will be this features also integrated into GUI?

sullrich · Mar 28, 2007, 5:22 PM

@firbc:

Very nice this thing also works for me. Will be this features also integrated into GUI?

Doubtful.

n6mod · Apr 3, 2007, 12:47 AM

I never followed up here… This is working great. I set it to 3600s (1hr) and all of the issues with our other apps have gone away.

We only have a few forwards anyway, so I'm not too concerned about the resources consumed by those nc's.

I'd second the suggestion to tuck this into the GUI somewhere, it's a pretty useful feature. Though, if it were superseded by Dhauzimmer's patch, that could be even better.

Thanks again.

sullrich · Apr 3, 2007, 12:56 AM

Will consider the GUI option after I pass it by other devs.

The patch was submitted to coreteam but had the potential to break QOS and Multi-Wan so it is not quite ready yet. This is going from memory.. I am terribly sorry if I am confusing two different incidents.

billm · Apr 3, 2007, 2:33 AM

@sullrich:

Will consider the GUI option after I pass it by other devs.

The patch was submitted to coreteam but had the potential to break QOS and Multi-Wan so it is not quite ready yet. This is going from memory.. I am terribly sorry if I am confusing two different incidents.

Why not just default it to 1 hour? I'd rather not see yet another knob that people will twist for no good reason exposed.

–Bill

sullrich · Apr 3, 2007, 3:45 AM

I am perfectly fine with this as long as no DOS potential is present?

firbc · Aug 18, 2007, 10:37 AM

Question

I see in blogspot that you change NAT reflection timeout to 2000 by default, so I decide to remove line <reflectiontimeout>2000</reflectiontimeout> (work with this line) from config.xml. I reboot my server machine and try connecting to battle.net (the way I testing nat reflection timeout) with 2 users on LAN. After 20s LAN user joined in game has been disconnected.

So question, am I need to install fresh copy of pfsense or is this normally and I just put those line back to config.xml?

I using last version of pfsense 1.2 RC2 18.8.2007

Thx

sullrich · Aug 18, 2007, 5:58 PM

You cannot simply remove the line. It needs a value.

firbc · Aug 20, 2007, 6:00 PM

As far as I see this line is optional and only change default value to value that you want. So I thought that now when default is 2000s line in config.xlm for reflection time out isn’t needed any more. Am I wrong?

sullrich · Aug 20, 2007, 6:01 PM

Yes, that is wrong. If you do not want a timeout, set it to 0.

firbc · Aug 20, 2007, 6:10 PM

Ok and what is default timeout if there is no line in config.xml? I asking because you add that options in past »I added a hidden option for controlling this«.

sullrich · Aug 20, 2007, 6:11 PM

300 seconds IIRC.

firbc · Aug 20, 2007, 6:19 PM

Thx. for info.