Applying Changes



  • Sorry if this has been answered before but I haven't found it specifically. I have worked with several firewall models/brands but this is the first I have worked with pfSense and want to be sure before potentially causing problem at a remote site. Do existing connections (VOIP, site-to-site VPN, etc) drop when applying changes?

    Thanks,
    James


  • LAYER 8 Moderator

    @jgray said in Applying Changes:

    Do existing connections (VOIP, site-to-site VPN, etc) drop when applying changes?

    Could you be a bit more specific? What changes exactly?
    If you do e.g. configuration of an interface and apply those changes, yes it's very possible that routes, gateways etc. will be reloaded and thus VPNs will re-connect to be safe.
    But if you e.g. do work in the Firewall category (rules, NAT, aliases etc.) that would do nothing to VPNs or connections that have their state already established.

    So the answer is "depends on what" :)



  • Good point. Certainly changing interfaces or routes could cause drops. Right now I am setting up VPNs and adding VPN-related firewall rules. Would this cause VOiP, streaming, etc. connections to break?

    Thanks for your time,
    James


  • LAYER 8 Moderator

    Hey James,

    if you add/modify other (e.g.) OpenVPN servers, the others are left safe. Only the one you're working on will be modified. Same should go for IPsec, we never had a drop on our DC cluster when I add another customer VPN location either OVPN or IPsec. So that's pretty safe.
    Also changing/inserting rules don't interfere with states (connections) already established. The only thing that would get e.g. your VoIP or streaming kicked is if you'd modify that rule or kill its states manually. Otherwise even if you'd change the pass rule to a block, as long as there's an established state for the rule that one still has precedence over the new block. That's what few users find irritating if they change a rule from pass to block. The client doesn't instantly loose connections as established states will be helt. If they timeout or get closed later they can't be re-established and the client will be blocked than. Or you serach for all its states and kill them manually.

    So no, if you're editing rules you shouldn't have problems with streaming or VoIP connectivity unless you hit something that would trigger a state reset/loss or a complete interface refresh/restart that would reset all states. Otherwise you should be fine :)

    Cheers
    \jens



  • That's exactly what I needed to know. Thanks!


Log in to reply