Netgate Discussion Forum
    Slow response from DMZ pfsense 1.2.3

    3 Posts 2 Posters 2.2k Views
      mdur

      Problem:  When I connect to a server on the dmz via sftp or ssh the connecting system hangs for about 30 seconds before allowing me to log in, then the session works perfectly.  This system was perfectly responsive when it was on the LAN.  Tested from multiple locations.

      Here are some details:

      -netgate m1n1wall w/3 interfaces: WAN(dhcp), LAN(dhcp 192.168.x.x), DMZ (static 172.128.x.x)(opt)
      -built a freebsd server up on the LAN, then moved it to the DMZ (opt)
      -using this machine for ssh, and sftp entirely on port 22 (so no ftp helper is needed, right?)
      -added a nat rule to forward 22 to this machine
      -added a rule to the dmz interface to allow 22 from DMZ subnet to *
      -enabled reflection (so LAN can reach sftp server)

      Thanks for your thoughts

        danswartz

        Is it possible that the server is trying to identify the client (using the ident protocol, TCP port 113)?  The tricky thing about that is that the server will try contacting the client on port 113 - a positive response is okay, as is a TCP RST (connection refused).  If the client is behind a stealth firewall, nothing will happen and it will time out.  I would run a packet trace on the DMZ interface, and try a connect from outside and post the results.  Could be something else too (some kind of DNS issue).  Without more info, we can't say…

          mdur

          Your mention of a stealth firewall reminded me that on the LAN interface I set deny rules to reject rather than block for responsiveness.

          Changing the default deny at the bottom of the DMZ rules to reject remedied the situation.
          Thanks for putting me back on the path!

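An added example to illustrate what the two replies above describe (this is my own probe, not code posted in the thread or shipped with pfSense): the script does what an ident-checking server does, namely open a TCP connection back to the client's port 113, and reports how that reverse connection ends. The mapping to firewall actions is my assumption about how the rules behave: a pfSense rule set to Block (pf `block drop`) silently discards the SYN, so the connect ends only when the timeout expires, which is the "hang" the original poster saw; a rule set to Reject (pf `block return`) answers with a TCP RST, so the connect fails immediately, which is why switching the DMZ default deny to reject cleared the delay. The loopback demo is a constructed setup with no real identd involved.

```python
"""Probe a client's TCP port 113 the way an ident-checking server would.

Added example, not from the forum thread. The verdict labels assume:
  Block  (pf: block drop)   -> SYN silently discarded -> 'dropped' after timeout
  Reject (pf: block return) -> TCP RST sent back      -> 'refused' at once
"""
import socket
import time

IDENT_PORT = 113  # RFC 1413 ident service; the server connects *back* to the client


def probe_ident(client_ip, timeout=3.0, port=IDENT_PORT):
    """Connect to client_ip:port and classify the outcome.

    Returns (verdict, elapsed_seconds), where verdict is one of:
      'answered'  connect completed: something listens there (identd or other)
      'refused'   TCP RST came back: closed port, or a firewall rule set to Reject
      'dropped'   nothing came back before the timeout: a rule set to Block
      'error'     some other socket error, e.g. no route to host
    elapsed_seconds is the delay the waiting SSH/SFTP client would perceive.
    """
    start = time.monotonic()
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((client_ip, port))
        verdict = 'answered'
    except ConnectionRefusedError:      # must precede OSError: it is a subclass
        verdict = 'refused'
    except socket.timeout:              # also an OSError subclass on 3.10+
        verdict = 'dropped'
    except OSError:
        verdict = 'error'
    finally:
        sock.close()
    return verdict, time.monotonic() - start


def free_local_port():
    """Ask the kernel for an unused loopback port and release it again.
    Nothing listens there afterwards, so a probe gets a RST ('refused')."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(('127.0.0.1', 0))
        return s.getsockname()[1]


def demo_local():
    """Constructed loopback demo of the 'refused' and 'answered' outcomes.

    The 'dropped' outcome cannot be produced on loopback: point probe_ident at
    a client sitting behind a silently blocking rule and watch it take the
    full timeout instead of returning immediately.
    """
    refused, _ = probe_ident('127.0.0.1', timeout=2.0, port=free_local_port())

    # A bare listening socket stands in for an identd; connect completes
    # once the SYN is queued in the backlog, no accept() needed.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(('127.0.0.1', 0))
    listener.listen(1)
    try:
        answered, _ = probe_ident('127.0.0.1', timeout=2.0,
                                  port=listener.getsockname()[1])
    finally:
        listener.close()
    return refused, answered


if __name__ == '__main__':
    for label, (verdict, secs) in (('closed port', probe_ident('127.0.0.1', 2.0, free_local_port())),):
        print(f'{label}: {verdict} after {secs:.3f}s')
    print('loopback demo:', demo_local())
```

To confirm the diagnosis on the firewall rather than from the server, capture on the DMZ interface (Diagnostics > Packet Capture, or `tcpdump -ni <dmz_if> tcp port 113` from a shell) while connecting from outside: with the DMZ rule set to Block you see only the server's SYN retransmits to port 113 with nothing coming back; with Reject every SYN is answered by a RST and the login proceeds without the pause.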
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.