[GUIDE] Manually Adjusting State Timeouts for Sensitive Services (e.g VoIP)



  • Hi All,

    Some people may have issues with VoIP services retaining registration after a certain period, where PFsense is simply clearing the state table of open connections after a certain period as defined by the policy set within System > Advanced > Firewall & NAT, listed as "Firewall Optimization Options"

    However, it seems the general consensus for resolving dropout issues, is to reduce the aggression of the Firewall in regards to ALL open connections, when in relation to VOIP, traffic is almost always UDP based.

    Setting the state to conservative will generally use more memory and CPU, which is probably not what most people would want as we're creating a lot of open connections. However, there is a better way of achieving the same result, and that is manually adjusting the state timeouts for the specific type of traffic affected.

    We can observe the configured timeouts on this particular policy, with the following command in Diagnostics > Command Prompt or ssh: pfctl -st

    We can see with the "Conservative" policy, the following:

    
    tcp.first                  3600s
    tcp.opening                 900s
    tcp.established          432000s
    tcp.closing                3600s
    tcp.finwait                 600s
    tcp.closed                  180s
    tcp.tsdiff                   60s
    udp.first                   300s
    udp.single                  150s
    udp.multiple                900s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start           120000 states
    adaptive.end             240000 states
    src.track                     0s
    

    And with the firewall on "Normal", the more aggressive setting, we can see the following:

    tcp.first                   120s
    tcp.opening                  30s
    tcp.established           86400s
    tcp.closing                 900s
    tcp.finwait                  45s
    tcp.closed                   90s
    tcp.tsdiff                   30s
    udp.first                    60s
    udp.single                   30s
    udp.multiple                 60s
    icmp.first                   20s
    icmp.error                   10s
    other.first                  60s
    other.single                 30s
    other.multiple               60s
    frag                         30s
    interval                     10s
    adaptive.start           120000 states
    adaptive.end             240000 states
    src.track                     0s
    

    We can see in Diagnostics > States, filtering by IP to the host in question, you can determine the type and session/state of the sensitive traffic, whether it be FIRST, SINGLE or MULTIPLE, you can adjust these to be as granular as you like depending on the traffic originating from problem device/service.

    So in my case, my the sessions/states I'm seeing are UDP based, with SINGLE and MULTIPLE associations, so these are the values I'm interested in, in the timeouts above.

    Navigating back to System > Advanced > Firewall & NAT, set your "Firewall Optimisation Option" back to "Normal", then scroll to the bottom of the page.

    Here at the bottom, you'll see manual "State Timeouts" for the values specified with "pfctl -st".

    So for me, I've decided to set all the UDP timeouts, as per the conservative policy, just to be safe.

    udp.first                   300s
    udp.single                  150s
    udp.multiple                900s
    

    Set the values accordingly, your problem should now be resolved, however if you're still having issues, try relaxing these state timeouts even further for the type of traffic in question.

    Hope this was helpful to someone! Unfortunately some of the PFsense staff are unaware of this feature, so I have passed this on.

    Cheers!



  • can you please help me in this problem
    https://forum.pfsense.org/index.php?topic=147436.0



  • Necro an unrelated thread?