Nat reflection issues (timeout) in both 1.2-RC2 and 1.2-RC3
-
Hi all, I just installed in a production environment the 1.2-RC2 version (built on Fri Aug 17 17:46:06 EDT 2007)..
I have 4 network interfaces: LAN, WAN, DMZ (opt1) and WAN2 (opt2)..I set up all port-forward, NAT and rules correctly, and from an external connection I can reach all of my services in the DMZ..
but I have some strange problems: if I try a LAN->WAN or LAN->WAN2(opt2) connection, such as SSH or RDP, it fails after a few seconds with a timeout, but if I try a LAN->DMZ connection it works without issues.
I read many posts about issues concerning NAT and reflection, port forwards and so on.. one solution seems to be to upgrade to 1.2-RC3.. (where can I download it?) is this release quite stable? I have to put it on production… does it solve my NAT reflection problems? are there any solutions to get my firewall working?
thanks in advance
k.
-
Hi.. I just updated my pfSense installation to 1.2-RC3 (built on Wed Nov 7 19:10:57 EST 2007)..
but the issue isn't resolved…for example, if I try to telnet from a LAN workstation:
telnet my.public.address 25
after a while it hangs up with "Connection closed by foreign host."...
this happens even with SSH, RDP, POP3.. any kind of connection..but if I try with:
telnet my.dmz.address 25
it works.
what can I do?
-
I'm here again.. ;)
I did a little "debug" session to understand how reflection works..
there is an inet.conf (located in /var/etc/) that spawns a simple "nc" between source and target IP…
well, I think that the script that creates this file is buggy/broken, because it writes something like:
"19056 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.100.32 22"
I read the manpage of nc, and I found that "-w 20" is the "timeout for connects and final net reads"...
so I made a simple test:
$ date ; ssh my.public.address ; date
Thu Nov 8 15:09:43 CET 2007
----<ssh stuff>----
Connection to my.public.address closed.
Thu Nov 8 15:10:03 CET 2007
..well, it's just 20 seconds...
maybe this is the way to solve this issue?
-
..I hope this is the last one…
I tried to check the /etc/inc/filter.inc file; on line 1172 I found the right
$reflectiontimeout = "2000";
but on line 1231 the value comes back to:
$reflectiontimeout = "20";
is it correct?
the first applies to "tcp/udp" connections, the second is for "tcp" or "udp" only, so for these last ones the timeout is 20 secs and not 2000 secs as default.
k.
-
Try this:
http://forum.pfsense.org/index.php/topic,1528.0.html
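Added example, not code from any poster or from pfSense: a small POSIX shell audit that parses nc-based reflection entries of the kind quoted in the third post and flags any whose "-w" timeout is below the 2000-second value the fourth post found in filter.inc, so a short timeout can be spotted in the generated file before it drops long LAN-to-WAN sessions. The sample entries are constructed to match the quoted line format; the real file on a 1.2 box is /var/etc/inetd.conf as the thread describes.

```shell
#!/bin/sh
# Audit the nc reflection entries pfSense 1.2 writes to /var/etc/inetd.conf.
# Each entry looks like (line quoted in the thread):
#   <port> stream tcp nowait/0 nobody /usr/bin/nc nc -w <secs> <ip> <port>
# nc's -w is the connect/final-read timeout, so a small value (20) closes
# reflected SSH/RDP sessions after that many seconds of idle.

# Constructed sample in the same layout (not a dump of a real file).
SAMPLE_INETD='19056 stream tcp nowait/0 nobody /usr/bin/nc nc -w 20 192.168.100.32 22
19057 stream tcp nowait/0 nobody /usr/bin/nc nc -w 2000 192.168.100.32 25
19058 dgram udp nowait/0 nobody /usr/bin/nc nc -u -w 20 192.168.100.40 53'

# Print one line per reflection entry:
#   "<listen port> <proto> <timeout secs> <target ip> <target port>"
list_reflection_entries() {
    # $1: inetd.conf-style file to parse
    awk '$7 == "nc" {
        for (i = 8; i <= NF; i++)
            if ($i == "-w") print $1, $3, $(i + 1), $(NF - 1), $NF
    }' "$1"
}

# Print the listen ports whose nc timeout is below $2 seconds.
# Exit status: 0 when every entry meets the minimum, 1 otherwise.
find_short_timeouts() {
    # $1: file to parse, $2: minimum acceptable timeout in seconds
    list_reflection_entries "$1" |
        awk -v min="$2" '$3 + 0 < min { print $1; bad = 1 } END { exit (bad ? 1 : 0) }'
}

main() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_INETD" > "$tmp"
    if find_short_timeouts "$tmp" 2000; then
        echo "all reflection entries use a timeout of at least 2000s"
    else
        echo "the listen ports above will drop reflected sessions after a short -w timeout"
    fi
    rm -f "$tmp"
}

main "$@"
```

On a real box, run `find_short_timeouts /var/etc/inetd.conf 2000` instead of the constructed sample.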