tcp.established 86400s timeout?
-
Hello fellow Netgate Community members,
Can you please help?
What is a recommendation for:
- timeouts on, let's say, web GUI states?
- timeouts for proxy connections to port 3128
- timeouts for IMAP, POP, SMTP connections
- timeouts for VPN connections

Does everyone normally set this as 86400 seconds, that is, 24 hours?
Has anyone else looked into custom state timeouts on firewall ACLs?
-
-
For example, my wife has a work-issued laptop that accesses the guest wifi without proxy, just IPS/IDS, and she turns it off and I have to reset the states every time; it is like it doesn't clear the states. The states will stay established even if the DHCP lease expired and is gone from the DHCP server. So I just set that to 300 seconds, or 5 mins; without activity it will clear the states.
Has anyone else looked into this?
-
How many states remain open?
TCP states will almost always close when the connection finishes. You might have some left open if the laptop just goes into standby before closing them but I wouldn't expect a significant amount.
-
@stephenw10 It is only one or two that remain, but they will be there for a long time; no transmit rate ever moves. I set it to 300 seconds and it fixed it; 5 mins of no activity and it will close it.
Guest wifi: I set it to 300 seconds, or 5 mins.
GUI: I set it to 300 seconds and only allow one state at a time. I noticed at times that the ACL would show double states, or even 3 to 4, a lot. It works the same with it set to one.
What would you set VPN for? They close out when I am done accessing the NAS over a remote connection with OpenVPN; the WAN side state hangs for a bit after. Again, no traffic moves, it just pauses before it drops off.
I also have never messed with Keep / ProxySYN for the window size.
Should I set the VPN to proxysyn?
-
Personally I use the default settings there. A few rogue states that hang around for 24hrs is nothing in a state table of millions.
It's set high like that for TCP states because there are some applications that, perhaps incorrectly, will try to use existing TCP connections after significant time.
-
@stephenw10 I used to leave it at default also; however, my custom LEDs that are set to turn on and off for specific states all of a sudden are stuck on, and the laptop is shut down and the DHCP lease is expired and gone. That is what caused the "how can I adjust the timer". Windows 11 did something with that new update, you know, the one where some users have to manually adjust the RE partition? I had one that I needed to do that on, my Toshiba; everything else updated RE without manual adjustment. Well, after that update was a success this started to occur. What's weird is that should have nothing to do with a keep alive timer, as the laptop is off. No clue; it never used to have a state last that long, they would all close after the device was offline.
LED Day
Circle set to flash white on Guest wifi use
Square is set to solid yellow when the Amazon tablet is on
Circle set to Green when secure only mode is in use
Diamond is set to Purple when VPN is accessed and/or work laptops, to warn me to not do any firewall changes
LED Night Mode
All LEDs flash red when Guest Wifi is in use, much like an update, however with the RED LED. It warns me that a kid is using the game systems.
All are off if guest wifi has no state established at night
Most often it works except when a device is left on.
But weird states are now stuck, like I said, for one device.
-
Ah I see, that's a special case.