Netgate Discussion Forum

NAT Reflection (timeout problem)

  • F
    firbc
    last edited by Jun 28, 2006, 4:34 PM

    Hello to everyone!

I have a problem with NAT Reflection (timeout problem). The problem occurs when two users of the local network connect to Battle.net, one opens the host and the second joins. After 15 sec the joined user drops out of the lobby. I think there is a timeout problem in the NAT reflected session. Does anyone have an idea how to fix it?

    • S
      sullrich
      last edited by Jun 28, 2006, 4:57 PM

      Why do you need reflection for battle.net?  Simply switch it off.

      • F
        firbc
        last edited by Jun 28, 2006, 5:04 PM

I need it because I have 2 computers on the same network which are joining the same game with other players on the internet. If I disable NAT Reflection, the player who is joining does not see the game on Battle.net.

        • F
          firbc
          last edited by Jun 28, 2006, 5:08 PM

I forgot to mention this happens only when the host is one of the local computers…

          • S
            sullrich
            last edited by Jun 28, 2006, 5:16 PM

            I have no idea, sorry.

            • R
              rsw686
              last edited by Jul 20, 2006, 8:05 PM

The problem with the NAT reflection is that your requests from the local network are going to the pfsense box and then back to the game host. This is laggy as the NAT reflection is more of a hack. All you have to do is have people outside your network join the game with your internet address. People inside the network join the game with the local private IP for the machine. Problem solved, and you can leave NAT reflection on or off depending on if you use it for other things.

              • F
                firbc
                last edited by Aug 18, 2006, 9:17 AM

                Hello again!
I still didn't solve my problem with NAT redirect rules. The problem occurs when PC1 or PC2 creates a host for Warcraft 3 Frozen Throne on Battle.net. Direct IP connection for that game isn't possible. I need to enable the NAT redirect rules option in advanced system settings if PC1 or PC2 (one of those is the host, the other is joining the game) wants to connect to hosted games. The problem is that when the joined player (PC1 or PC2) is in the hosted game, after a few seconds in it he drops out, but other users from the WAN have no problems at all. I think there is a timeout problem in NAT redirect rules. Is there any way to solve this? Sorry for my bad English.

                PC1 and PC2 are computers on my LAN behind PFsense firewall. There is also no problem if host is one of WAN users.

                • H
                  hoba
                  last edited by Aug 18, 2006, 9:48 AM

                  Not sure if this actually might have an effect on this but try to check the "static routing" option at system>advanced.

                  • D
                    Dhauzimmer
                    last edited by Mar 4, 2007, 8:12 PM

                    Hi all,

Not sure if anyone's still following this, but I ran into this problem myself. I installed pfSense yesterday, rigged 'er up for my network, and then found that my jabber server was dropping and reconnecting every few minutes. I tried the fixes recommended here with no success, so I started digging about to find out how NAT reflection is implemented and configured under the hood.

                    As it turns out, the netcat sessions used for NAT reflection are spawned with a 20-second idle timeout which is not configurable.  Of course, using a higher timeout means a greater likelihood of dead netcat sessions kicking about on one's firewall, so I'm not convinced that simply tweaking this value is the right answer here.

                    I'll post back later after I've had a bit longer to play with it - there's got to be a better way of implementing NAT reflection!

                    -Dhauzimmer

                    • S
                      sullrich
                      last edited by Mar 4, 2007, 8:15 PM

                      We followed the standard way:

                      http://www.openbsd.org/faq/pf/rdr.html

                      But by all means, feel free to make a better solution!

                      • D
                        Dhauzimmer
                        last edited by Mar 5, 2007, 3:47 AM

                        Thanks for the link - invaluable information for a BSD newbie.  :)

                        I've cobbled together a solution that is based around the fourth ("not recommended") pattern - it uses tagging to ensure that only relevant packets get mangled by the return NAT rule.  Before I pass it along, though, a quick question:  This solution will use two 'states' instead of running TCP proxy daemons.  Will that consume more CPU/memory/other resources?

                        I also haven't fully cleaned out all the spawn-inetd stuff, nor have I thoroughly tested the fix for all possible cases.  I did a bit of cleanup on the surrounding code, though, and added a clause to suppress issuing redirect rules for interfaces that are currently disabled.  There may also be some cross-interface issues if you've got optional interfaces involved; I didn't do a thorough analysis of all the possible permutations.  However, it has the up side that it will properly handle large port ranges at no extra charge.

                        If you're interested, where would I go to submit a patch?

                        -D

                        • S
                          sullrich
                          last edited by Mar 5, 2007, 5:10 AM

Patches and the format can be found here: http://wiki.pfsense.com/wikka.php?wakka=SubmittingPatches

We absolutely appreciate patches.

                          Thanks!

                          • N
                            n6mod
                            last edited by Mar 28, 2007, 12:03 AM

                            This timeout issue is causing me a lot of heartache as well.

                            I've just replaced a WRT54G running DD-WRT with a pfsense box (VLAN-based one-armed router) and everybody is complaining about ssh timeouts and the like. 20s is way too short.

                            In my case, making that timeout an hour wouldn't hurt much, since there are about four forwards on the box, and I can't see more than a few connections to each. Certainly consuming two states is a non-issue.

                            I really like the other features of pfSense, but unfortunately this could be a dealbreaker for us.

                            -Zandr

                            • S
                              sullrich
                              last edited by Mar 28, 2007, 12:05 AM

                              @n6mod:

                              This timeout issue is causing me a lot of heartache as well.

                              I've just replaced a WRT54G running DD-WRT with a pfsense box (VLAN-based one-armed router) and everybody is complaining about ssh timeouts and the like. 20s is way too short.

                              In my case, making that timeout an hour wouldn't hurt much, since there are about four forwards on the box, and I can't see more than a few connections to each. Certainly consuming two states is a non-issue.

                              I really like the other features of pfSense, but unfortunately this could be a dealbreaker for us.

                              -Zandr

                              Maybe turn on SSH keep-alives?  Putty supports it and so does ssh.

                              • N
                                n6mod
                                last edited by Mar 28, 2007, 12:09 AM

                                @sullrich:

                                Maybe turn on SSH keep-alives?  Putty supports it and so does ssh.

                                That takes care of SSH, and we've done that, but we have other applications (our software) that expect idle connections to last more than a few seconds.

                                Even just making that configurable would be a huge help.

                                -Z

                                • S
                                  sullrich
                                  last edited by Mar 28, 2007, 12:17 AM

                                  Okay, I added a hidden option for controlling this.

Edit config.xml by downloading it via the webConfigurator backup feature.

Add a <reflectiontimeout>100</reflectiontimeout> element to <system>. So it should end up looking something like:

<system>
  <reflectiontimeout>100</reflectiontimeout>
  ...
</system>

Upload the changed config.xml … The firewall will reboot.

This will show up in about 2 hours after the snapshot server rebuilds the images.

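The manual edit described in the post above can be scripted so the option is added exactly once and kept within a sane range. This is an added example, not code from the thread or from pfSense; it assumes config.xml has a root element named pfsense with a system child, and the sample config embedded here is constructed.

```python
"""Add or update the hidden <reflectiontimeout> option in a pfSense config.xml.

Assumptions (not confirmed by the thread): the root element is <pfsense> and
the option lives directly under <system>, as the post describes.
"""
import xml.etree.ElementTree as ET

# Constructed minimal stand-in for a real config.xml (a real one is far larger).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <hostname>fw</hostname>
    <domain>example.lan</domain>
  </system>
  <nat>
    <rule><protocol>tcp</protocol><target>192.168.1.10</target></rule>
  </nat>
</pfsense>
"""

# 20 s is the hard-coded default the thread complains about; 3600 s is the value
# n6mod settled on. The upper bound keeps idle nc proxies from lingering forever.
DEFAULT_TIMEOUT = 20
MAX_TIMEOUT = 3600


def set_reflection_timeout(config_xml: str, seconds: int) -> str:
    """Return config_xml with <system><reflectiontimeout> set to `seconds`.

    Idempotent: an existing element is updated, never duplicated, and an
    out-of-range value is rejected so a typo cannot remove the idle timeout.
    """
    if not DEFAULT_TIMEOUT <= seconds <= MAX_TIMEOUT:
        raise ValueError(f"timeout must be in [{DEFAULT_TIMEOUT}, {MAX_TIMEOUT}] s")
    root = ET.fromstring(config_xml)
    system = root.find("system")
    if system is None:
        raise ValueError("config.xml has no <system> element")
    elem = system.find("reflectiontimeout")
    if elem is None:
        elem = ET.SubElement(system, "reflectiontimeout")
    elem.text = str(seconds)
    return ET.tostring(root, encoding="unicode")


def get_reflection_timeout(config_xml: str) -> int:
    """Read the effective timeout, falling back to the 20 s built-in default."""
    elem = ET.fromstring(config_xml).find("system/reflectiontimeout")
    return int(elem.text) if elem is not None and elem.text else DEFAULT_TIMEOUT


if __name__ == "__main__":
    print(get_reflection_timeout(set_reflection_timeout(SAMPLE_CONFIG, 3600)))  # 3600
```

The returned string has no XML declaration; prepend one before uploading if the firewall expects it.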
                                  • N
                                    n6mod
                                    last edited by Mar 28, 2007, 1:05 AM

                                    Outstanding. I'll grab a new image in the morning. Thanks for the super-fast response.

                                    -Zandr

                                    • F
                                      firbc
                                      last edited by Mar 28, 2007, 2:59 PM

Very nice, this thing also works for me. Will this feature also be integrated into the GUI?

                                      • S
                                        sullrich
                                        last edited by Mar 28, 2007, 5:22 PM

                                        @firbc:

Very nice, this thing also works for me. Will this feature also be integrated into the GUI?

                                        Doubtful.

                                        • N
                                          n6mod
                                          last edited by Apr 3, 2007, 12:47 AM

                                          I never followed up here… This is working great. I set it to 3600s (1hr) and all of the issues with our other apps have gone away.

                                          We only have a few forwards anyway, so I'm not too concerned about the resources consumed by those nc's.

                                          I'd second the suggestion to tuck this into the GUI somewhere, it's a pretty useful feature. Though, if it were superseded by Dhauzimmer's patch, that could be even better.

                                          Thanks again.
