[GUIDE] Manually Adjusting State Timeouts for Sensitive Services (e.g. VoIP)
-
Hi All,
Some people may have issues with VoIP services retaining registration after a certain period, where pfSense is simply clearing the state table of open connections after a certain period as defined by the policy set within System > Advanced > Firewall & NAT, listed as "Firewall Optimization Options".
However, it seems the general consensus for resolving dropout issues is to reduce the aggression of the firewall in regards to ALL open connections, when, in relation to VoIP, the traffic is almost always UDP based.
Setting the state to conservative will generally use more memory and CPU, which is probably not what most people would want as we're creating a lot of open connections. However, there is a better way of achieving the same result, and that is manually adjusting the state timeouts for the specific type of traffic affected.
We can observe the configured timeouts on this particular policy, with the following command in Diagnostics > Command Prompt or ssh: pfctl -st
We can see with the "Conservative" policy, the following:
tcp.first                  3600s
tcp.opening                 900s
tcp.established          432000s
tcp.closing                3600s
tcp.finwait                 600s
tcp.closed                  180s
tcp.tsdiff                   60s
udp.first                   300s
udp.single                  150s
udp.multiple                900s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s
And with the firewall on "Normal", the more aggressive setting, we can see the following:
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s
In Diagnostics > States, filtering by IP to the host in question, you can determine the type and session/state of the sensitive traffic, whether it be FIRST, SINGLE or MULTIPLE. You can adjust these to be as granular as you like depending on the traffic originating from the problem device/service.
So in my case, the sessions/states I'm seeing are UDP based, with SINGLE and MULTIPLE associations, so these are the values I'm interested in, in the timeouts above.
Navigating back to System > Advanced > Firewall & NAT, set your "Firewall Optimisation Option" back to "Normal", then scroll to the bottom of the page.
Here at the bottom, you'll see manual "State Timeouts" for the values specified with "pfctl -st".
So for me, I've decided to set all the UDP timeouts, as per the conservative policy, just to be safe.
udp.first                   300s
udp.single                  150s
udp.multiple                900s
Set the values accordingly, your problem should now be resolved, however if you're still having issues, try relaxing these state timeouts even further for the type of traffic in question.
Hope this was helpful to someone! Unfortunately some of the pfSense staff are unaware of this feature, so I have passed this on.
Cheers!
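As an added example (not part of the post above or of pfSense itself), the following script parses `pfctl -st` output, picks out the udp.* timeouts and flags any that sit below the "Conservative" profile values quoted in the post, then prints the equivalent pf.conf `set timeout` lines for review. The two blocks of pfctl output embedded in it are constructed samples using the post's numbers; the function names and the idea of comparing against the conservative profile as a baseline are this example's own assumptions, and on pfSense the State Timeouts fields in the GUI are still the place the values get set.

```shell
#!/bin/sh
# Added example: parse `pfctl -st` output and flag UDP timeouts that are
# below the "Conservative" profile values quoted in the forum post.

# Constructed sample of `pfctl -st` output on the "Normal" profile
# (numbers taken from the post, layout mimics pfctl; not captured from a live box).
SAMPLE_NORMAL='tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s'

# Constructed sample for the "Conservative" profile (UDP lines only, plus one non-UDP line).
SAMPLE_CONSERVATIVE='udp.first                   300s
udp.single                  150s
udp.multiple                900s
interval                     10s'

# Conservative reference value (seconds) for a UDP timeout name; fails for other names.
conservative_udp_timeout() {
  case "$1" in
    udp.first)    echo 300 ;;
    udp.single)   echo 150 ;;
    udp.multiple) echo 900 ;;
    *) return 1 ;;
  esac
}

# Print "<name> <current_seconds> <conservative_seconds>" for every udp.*
# timeout in the given pfctl -st text that is below its conservative value.
udp_below_conservative() {
  printf '%s\n' "$1" |
  awk '$1 ~ /^udp\./ { sub(/s$/, "", $2); print $1, $2 }' |
  while read -r name secs; do
    if want=$(conservative_udp_timeout "$name"); then
      if [ "$secs" -lt "$want" ]; then
        echo "$name $secs $want"
      fi
    fi
  done
}

# Number of flagged UDP timeouts (0 when the box already matches the conservative values).
count_below_conservative() {
  udp_below_conservative "$1" | awk 'END { print NR }'
}

# pf.conf "set timeout" lines that would raise each flagged timeout to the
# conservative value. pfSense generates its ruleset from the GUI State Timeouts
# fields, so these are for reading what the fields translate to, not for hand-editing.
pfconf_set_timeout_lines() {
  udp_below_conservative "$1" | while read -r name secs want; do
    echo "set timeout $name $want"
  done
}

echo "UDP timeouts below the conservative profile (name current conservative):"
udp_below_conservative "$SAMPLE_NORMAL"
echo "pf.conf equivalent:"
pfconf_set_timeout_lines "$SAMPLE_NORMAL"
```

On a live box, replace the constructed sample with `"$(pfctl -st)"`; a run that prints nothing means the udp.* timeouts are already at or above the conservative values, which is the quickest way to confirm the GUI change actually took effect.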
-
can you please help me in this problem
https://forum.pfsense.org/index.php?topic=147436.0
-
Necro an unrelated thread?