Local LAN connections stop after 30 seconds
-
Hello
I know similar questions have been asked hundreds of times... I read most of them and tried the advised settings, but to no avail.
Following scenario I have:
pfSense Box (10/16) <-> LAN <-> Cisco Router (172.16/16)
The Cisco announces the 172.16/16 prefix via RIPv2 to the pfSense box, where it shows up correctly, including the next-hop address being in the 10/16 prefix. When doing a telnet connection to the Cisco router's 172.16/16 address, the connection freezes 30 seconds afterwards... as the FW state has been removed.
I've set the "bypass on same interface" option under Firewall -> Advanced settings. Also adding a LAN/LAN rule with "sloppy" state settings doesn't help...
Does it have to do with the fact that the 172.16/16 is not a static route locally on the pfSense box but a learned route?
-
Similar questions asked hundreds of times?? Where?? Not on this forum..
Why would the firewall state be removed in 30 seconds? That is not the default timeout.. Are you running something other than normal in the firewall?
So the state would be removed if the timeout expired and pfSense saw no traffic, or if one of the sides closed the connection with RST, or the clients closed with FIN, etc.
I have to wonder about this network where you use a /16 as a transit network?? If your state is being closed, and you're not closing it??? Then what are your TCP timeouts set to in pfSense?
Are you sure the telnet session was actually established? So here are the default timeouts:
[2.3.2-RELEASE][root@pfsense.local.lan]/root: pfctl -st
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120600 states
adaptive.end             241200 states
src.track                     0s
If you're seeing the connection close in 30s, I would assume it never actually established and never got past the opening state.. Why don't you just sniff and see exactly what is going on?
If pfSense is not seeing the return traffic from the Cisco and it's getting to your client via another path.. then pfSense would see the state as opening and never finishing, so then yeah, after 30 seconds it would close that state. So that would point to an asymmetrical routing problem. Which seems logical with the info given: a /16 called LAN with another router on that network, etc., vs. showing a transit network to your other router.
edit: So for example.. your box on your 10.0/16 sends traffic to a 172.16/16 address; pfSense sees the SYN, so a state is opened. But since the SYN,ACK would not flow back through pfSense, it never sees the SYN,ACK and that conversation never goes into the established state.
If you would use a transit network then pfSense would see both the SYN and the SYN,ACK and could put your state into established; now your timeout won't expire for a long time and the state will stay open until the talkers close it with FIN, or RST it, etc.
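The explanation in the reply above (a state stuck in "opening" because the SYN,ACK takes another path, expiring after the 30s tcp.opening timeout) can be replayed with a small model of a stateful firewall's TCP state table. The following is an added example written for this thread, not pfSense or pf code: it is a deliberately simplified model (pf tracks each endpoint's TCP state separately and also checks sequence windows, which this model skips), using the default timeouts quoted from pfctl -st above. The addresses, packet timings and the two traces are constructed; the only difference between the two runs is whether the router's replies pass through the firewall.

```python
"""Toy model of a pf-style TCP state table, replaying a telnet session
over a symmetric path and over an asymmetric one (replies bypass the
firewall). Constructed example; not pfSense/pf code."""

from dataclasses import dataclass

# Default pf TCP timeouts in seconds, as shown by `pfctl -st` in the thread.
TIMEOUTS = {
    "opening": 30,
    "established": 86400,
    "closing": 900,
    "finwait": 45,
    "closed": 90,
}


@dataclass
class Packet:
    t: float               # seconds since the trace started
    src: str
    dst: str
    flags: str             # "S", "SA", "A", "F" or "R" (simplified flag set)
    via_firewall: bool = True   # False: this packet takes a path the firewall never sees


@dataclass
class State:
    key: tuple
    stage: str
    expires: float


def _next_stage(stage, flags):
    """Simplified transitions; real pf keeps a per-side state machine."""
    if flags == "R":
        return "closed"
    if stage == "opening" and flags == "SA":
        return "established"
    if stage == "established" and flags == "F":
        return "closing"
    if stage == "closing" and flags == "F":
        return "finwait"
    return stage  # any other packet leaves the stage unchanged


def track(packets):
    """Replay packets through the state table.

    Returns (remaining states, event list). Events are strings such as
    'new:opening', 'pass:A:established', 'unseen:SA', 'expired:opening'
    and 'dropped:A', in the order they happen."""
    table = {}
    events = []
    for p in sorted(packets, key=lambda p: p.t):
        # Purge states whose timer ran out before this packet arrived.
        for key, st in list(table.items()):
            if p.t >= st.expires:
                events.append(f"expired:{st.stage}")
                del table[key]
        if not p.via_firewall:
            events.append(f"unseen:{p.flags}")   # the firewall never sees it
            continue
        key = tuple(sorted((p.src, p.dst)))
        st = table.get(key)
        if st is None:
            if p.flags == "S":
                st = State(key, "opening", p.t + TIMEOUTS["opening"])
                table[key] = st
                events.append("new:opening")
            else:
                events.append(f"dropped:{p.flags}")   # no matching state
            continue
        st.stage = _next_stage(st.stage, p.flags)
        st.expires = p.t + TIMEOUTS[st.stage]   # each matching packet refreshes the timer
        events.append(f"pass:{p.flags}:{st.stage}")
    return table, events


# Constructed addresses: a LAN host and the router's address in the learned prefix.
CLIENT, ROUTER = "10.0.0.50", "172.16.0.1"


def telnet_trace(symmetric):
    """Constructed trace: handshake, one keystroke with its echo, then another
    keystroke after a 40 s pause. With symmetric=False the router's replies
    go straight to the client (both sit on the 10/16 segment) and bypass the firewall."""
    back = symmetric
    return [
        Packet(0.00, CLIENT, ROUTER, "S"),
        Packet(0.01, ROUTER, CLIENT, "SA", via_firewall=back),
        Packet(0.02, CLIENT, ROUTER, "A"),
        Packet(2.00, CLIENT, ROUTER, "A"),                      # keystroke
        Packet(2.01, ROUTER, CLIENT, "A", via_firewall=back),   # echo
        Packet(45.00, CLIENT, ROUTER, "A"),                     # keystroke after a pause
        Packet(45.01, ROUTER, CLIENT, "A", via_firewall=back),
    ]


def outcome(symmetric):
    """Final stage of the session's state (None if it expired) plus the event log."""
    table, events = track(telnet_trace(symmetric))
    stage = next(iter(table.values())).stage if table else None
    return stage, events


if __name__ == "__main__":
    for sym in (True, False):
        stage, events = outcome(sym)
        print("symmetric" if sym else "asymmetric", "->", stage, events)
```

On the symmetric path the SYN,ACK moves the state to established and the 86400s timer applies, so the late keystroke at 45s still matches a state. On the asymmetric path the state never leaves "opening", the 30s timer (refreshed only by the client's own packets) runs out during the pause, and the next client packet finds no state and is dropped, which is exactly the "freezes after 30 seconds" symptom; the model reproduces the reply's point that only a transit network, where both directions traverse the firewall, lets the state reach established.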