Netgate Discussion Forum

    [GUIDE] Manually Adjusting State Timeouts for Sensitive Services (e.g VoIP)

    Firewalling
    3 Posts 3 Posters 10.2k Views
    mscaff

      Hi All,

      Some people may have issues with VoIP services retaining registration after a certain period, where pfSense is simply clearing the state table of open connections after a certain period as defined by the policy set within System > Advanced > Firewall & NAT, listed as "Firewall Optimization Options".

      However, it seems the general consensus for resolving dropout issues is to reduce the aggression of the firewall in regard to ALL open connections, when in relation to VoIP, traffic is almost always UDP based.

      Setting the state to conservative will generally use more memory and CPU, which is probably not what most people would want as we're creating a lot of open connections. However, there is a better way of achieving the same result, and that is manually adjusting the state timeouts for the specific type of traffic affected.

      We can observe the configured timeouts on this particular policy with the following command in Diagnostics > Command Prompt or over SSH: pfctl -st

      We can see with the "Conservative" policy, the following:

      tcp.first                  3600s
      tcp.opening                 900s
      tcp.established          432000s
      tcp.closing                3600s
      tcp.finwait                 600s
      tcp.closed                  180s
      tcp.tsdiff                   60s
      udp.first                   300s
      udp.single                  150s
      udp.multiple                900s
      icmp.first                   20s
      icmp.error                   10s
      other.first                  60s
      other.single                 30s
      other.multiple               60s
      frag                         30s
      interval                     10s
      adaptive.start           120000 states
      adaptive.end             240000 states
      src.track                     0s
      

      And with the firewall on "Normal", the more aggressive setting, we can see the following:

      tcp.first                   120s
      tcp.opening                  30s
      tcp.established           86400s
      tcp.closing                 900s
      tcp.finwait                  45s
      tcp.closed                   90s
      tcp.tsdiff                   30s
      udp.first                    60s
      udp.single                   30s
      udp.multiple                 60s
      icmp.first                   20s
      icmp.error                   10s
      other.first                  60s
      other.single                 30s
      other.multiple               60s
      frag                         30s
      interval                     10s
      adaptive.start           120000 states
      adaptive.end             240000 states
      src.track                     0s
      

      In Diagnostics > States, filtering by IP to the host in question, you can determine the type and session/state of the sensitive traffic, whether it be FIRST, SINGLE or MULTIPLE. You can adjust these to be as granular as you like depending on the traffic originating from the problem device/service.

      So in my case, the sessions/states I'm seeing are UDP based, with SINGLE and MULTIPLE associations, so these are the values I'm interested in in the timeouts above.

      Navigating back to System > Advanced > Firewall & NAT, set your "Firewall Optimisation Option" back to "Normal", then scroll to the bottom of the page.

      Here at the bottom, you'll see manual "State Timeouts" for the values specified with "pfctl -st".

      So for me, I've decided to set all the UDP timeouts, as per the conservative policy, just to be safe.

      udp.first                   300s
      udp.single                  150s
      udp.multiple                900s
      

      Set the values accordingly and your problem should now be resolved; however, if you're still having issues, try relaxing these state timeouts even further for the type of traffic in question.

      Hope this was helpful to someone! Unfortunately some of the pfSense staff are unaware of this feature, so I have passed this on.

      Cheers!

      hany88
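      An added example (not code from the post, and not part of pfSense) that does the comparison described above: it parses the two pfctl -st listings quoted in the post as constructed sample input, lists the timeouts that differ between the Normal and Conservative policies, pulls out just the UDP values (optionally only the SINGLE/MULTIPLE classes seen in Diagnostics > States) as the overrides to enter under System > Advanced > Firewall & NAT, and checks that each override is actually longer than the Normal baseline rather than shorter. The function names are the example's own.

```python
import re
from typing import Dict, Optional, Sequence, Tuple

# `pfctl -st` output transcribed from the post above (constructed sample input;
# on a real firewall capture it from Diagnostics > Command Prompt or SSH).
CONSERVATIVE = """\
tcp.first                  3600s
tcp.opening                 900s
tcp.established          432000s
tcp.closing                3600s
tcp.finwait                 600s
tcp.closed                  180s
tcp.tsdiff                   60s
udp.first                   300s
udp.single                  150s
udp.multiple                900s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s
"""
NORMAL = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s
"""

# One `pfctl -st` line: dotted name, integer, then "s" (seconds) or "states".
LINE_RE = re.compile(r"^\s*([a-z]+(?:\.[a-z]+)?)\s+(\d+)\s*(s|states)\s*$")
Timeouts = Dict[str, Tuple[int, str]]


def parse_pfctl_timeouts(text: str) -> Timeouts:
    """Map each timeout name to (value, unit); lines that do not match are skipped."""
    parsed: Timeouts = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            parsed[m.group(1)] = (int(m.group(2)), m.group(3))
    return parsed


def diff_timeouts(a: Timeouts, b: Timeouts) -> Dict[str, Tuple[int, int]]:
    """{name: (a_value, b_value)} for every timeout present in both with differing values."""
    return {n: (a[n][0], b[n][0]) for n in sorted(set(a) & set(b)) if a[n] != b[n]}


def select_overrides(policy: Timeouts, proto: str,
                     states: Optional[Sequence[str]] = None) -> Dict[str, int]:
    """Pick one protocol family's timeouts (e.g. "udp") out of a policy, optionally
    only the state classes seen in Diagnostics > States, e.g. ("SINGLE", "MULTIPLE")."""
    wanted = None if states is None else {f"{proto}.{s.lower()}" for s in states}
    return {n: v for n, (v, unit) in policy.items()
            if unit == "s" and n.startswith(proto + ".") and (wanted is None or n in wanted)}


def check_relaxes(overrides: Dict[str, int], baseline: Timeouts) -> Dict[str, str]:
    """Sanity check before typing values into the GUI: an override meant to stop
    dropouts must be longer than the baseline (Normal) value. Returns problems found."""
    problems = {}
    for n, v in overrides.items():
        if n not in baseline:
            problems[n] = "not a timeout reported by pfctl -st"
        elif v <= baseline[n][0]:
            problems[n] = f"{v}s does not relax the Normal value of {baseline[n][0]}s"
    return problems


if __name__ == "__main__":
    normal, conservative = parse_pfctl_timeouts(NORMAL), parse_pfctl_timeouts(CONSERVATIVE)
    for n, (nv, cv) in diff_timeouts(normal, conservative).items():
        print(f"{n:<16} normal={nv:>7}s  conservative={cv:>7}s")
    udp = select_overrides(conservative, "udp", ("SINGLE", "MULTIPLE"))
    print("overrides:", udp, "problems:", check_relaxes(udp, normal) or "none")
```

      On a real firewall, paste the output of pfctl -st taken before and after saving the manual State Timeouts in the GUI into the two strings; the same parser then confirms that only the intended UDP entries changed and that every one of them grew.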

        Can you please help me with this problem?
        https://forum.pfsense.org/index.php?topic=147436.0

        Harvy66

          Necro an unrelated thread?

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.