[GUIDE] Manually Adjusting State Timeouts for Sensitive Services (e.g VoIP)

mscaff

Hi All,

Some people may have issues with VoIP services retaining registration after a certain period, where PFsense is simply clearing the state table of open connections after a certain period as defined by the policy set within System > Advanced > Firewall & NAT, listed as "Firewall Optimization Options"

However, it seems the general consensus for resolving dropout issues, is to reduce the aggression of the Firewall in regards to ALL open connections, when in relation to VOIP, traffic is almost always UDP based.

Setting the state to conservative will generally use more memory and CPU, which is probably not what most people would want as we're creating a lot of open connections. However, there is a better way of achieving the same result, and that is manually adjusting the state timeouts for the specific type of traffic affected.

We can observe the configured timeouts on this particular policy, with the following command in Diagnostics > Command Prompt or ssh: pfctl -st

We can see with the "Conservative" policy, the following:

tcp.first                  3600s
tcp.opening                 900s
tcp.established          432000s
tcp.closing                3600s
tcp.finwait                 600s
tcp.closed                  180s
tcp.tsdiff                   60s
udp.first                   300s
udp.single                  150s
udp.multiple                900s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s

And with the firewall on "Normal", the more aggressive setting, we can see the following:

tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start           120000 states
adaptive.end             240000 states
src.track                     0s

We can see in Diagnostics > States, filtering by IP to the host in question, you can determine the type and session/state of the sensitive traffic, whether it be FIRST, SINGLE or MULTIPLE, you can adjust these to be as granular as you like depending on the traffic originating from problem device/service.

So in my case, my the sessions/states I'm seeing are UDP based, with SINGLE and MULTIPLE associations, so these are the values I'm interested in, in the timeouts above.

Navigating back to System > Advanced > Firewall & NAT, set your "Firewall Optimisation Option" back to "Normal", then scroll to the bottom of the page.

Here at the bottom, you'll see manual "State Timeouts" for the values specified with "pfctl -st".

So for me, I've decided to set all the UDP timeouts, as per the conservative policy, just to be safe.

udp.first                   300s
udp.single                  150s
udp.multiple                900s

Set the values accordingly, your problem should now be resolved, however if you're still having issues, try relaxing these state timeouts even further for the type of traffic in question.

Hope this was helpful to someone! Unfortunately some of the PFsense staff are unaware of this feature, so I have passed this on.

Cheers!

hany88

can you please help me in this problem
https://forum.pfsense.org/index.php?topic=147436.0

Harvy66

Necro an unrelated thread?