Connection drops for several seconds after changes

  • Hello guys,

    I have 3 pfsense 2.4.3 virtual machines on a windows 2016 dc server.
    The vm's are connected to the LAN and a trunk port.
    On one of the vm's i have about 56 vlans with interfaces.
    When i make changes in the configuration (i mostly change things in interfaces and firewall rules) and i press to save the configuration, all connections are lost for seconds. So all interfaces get interrupted and my customers notice that because they experiencing downtime.
    I have another vm with at least 70 vlans with interfaces, but that works like a charm.
    The problem vm was previously on a earlier version where the problem started, but after the update the problem remains.
    I also moved the vm to another server, but the problem remains.

    Does anyone have any idea what's going (wr)on(g) here?

    Best regards,


  • LAYER 8 Global Moderator

    The change your doing is causing a state reset would be my guess. Normal firewall changes should not cause this.

  • Sounds quite logic. Is there any setting i could adjust to prevent this from happening?

  • LAYER 8 Global Moderator

    There is a setting on advanced networking - reset all states..

    This option resets all states when a WAN IP Address changes instead of only states associated with the previous IP Address.

    Do you have that checked?

    Under advanced misc there is kill all states if gateway goes down

    Flush all states when a gateway goes down

    Do you have that checked?

  • No the first option is not checked. But if i understand correctly, all states will be reset anyhow if it is checked or not, isn't?

    The option Flush all states when a gateway goes down is checked on the problem vm, but not on the others.
    Could this be the problem?
    If so, i will uncheck it, but it doesn't make sense, because a gateway is not going down when i make a change, right?

  • LAYER 8 Global Moderator

    depends.. Its not that gateway actually goes down... But if the monitoring of that gateway goes down - then yeah all states would get reset..

    The monitor pings your gateway - if pings do not answer, be it the line full or packet loss then all states can get reset.. I have that uncheck on my setups..

    Normal firewall change like adding a rule should not reset states.. Your rules should just reload - if you have a shitton of rules and or something is causing an issue with the loading of the rules then yeah you could have some issues.. I would actually validate that your states are being reset... Should be simple enough to just look at the number of states you have and then change a rule - does that drop into the dirt for your number, etc..

    Are you running any packages on this instance.. Pfblocker?

  • Oke, i will uncheck that option and try if the problem remains.
    I will report to you shortly.

  • I have unchecked the option last night and made some changes where i knew before the connections will be dropped and all connections remained active! Thank god it was that simple.

    I haven't checked the number of states before, i wouldn't risk the dropped connections for that anymore.
    I don't have any packages installed.

    Thank you for your help, this solved my case.

Log in to reply