Slow response from DMZ pfsense 1.2.3

  • Problem: When I connect to a server on the DMZ via sftp or ssh the connecting system hangs for about 30 seconds before allowing me to log in, then the session works perfectly. This system was perfectly responsive when it was on the LAN. Tested from multiple locations.

    Here are some details:

    -netgate m1n1wall w/3 interfaces: WAN(dhcp), LAN(dhcp 192.168.x.x), DMZ (static 172.128.x.x)(opt)
    -built a freebsd server up on the LAN, then moved it to the DMZ (opt)
    -using this machine for ssh, and sftp entirely on port 22 (so no ftp helper is needed, right?)
    -added a nat rule to forward 22 to this machine
    -added a rule to the dmz interface to allow 22 from DMZ subnet to *
    -enabled reflection (so LAN can reach sftp server)

    Thanks for your thoughts

  • Is it possible that the server is trying to identify the client (using ident protocol, tcp port 113?)  The tricky thing about that is that the server will try contacting the client on port 113 - a positive response is okay, as is a TCP RST (connection refused.)  If the client is behind a stealth firewall, nothing will happen and it will time out.  I would run a packet trace on the DMZ interface, and try a connect from outside and post the results.  Could be something else too (some kind of DNS issue.)  Without more info, we can't say…

  • Your mention of a stealth firewall reminded me that on the LAN interface I set deny rules to reject rather than block for responsiveness.

    Changing the default deny at the bottom of the DMZ rules to reject remedied the situation.
    Thanks for putting me back on the path!
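    As an added illustration of the ident behaviour described in the second reply (this is not code from the thread or from pfSense), the Python script below does what a daemon performing an ident lookup does: it opens a TCP connection to the client's port 113 and classifies the outcome as answered, refused (a TCP RST, which is what a "reject" rule sends back) or dropped (silent timeout, which is what a plain "block" produces and what causes the login hang). The two helpers stand in for the answered and refused cases on 127.0.0.1 so it runs offline; point probe_ident at a real client address to check how a DMZ host's firewall actually responds.

```python
import socket
import time

IDENT_PORT = 113  # the ident/auth port that an SSH or FTP daemon may probe


def probe_ident(host, port=IDENT_PORT, timeout=5.0):
    """Mimic a server-side ident lookup and classify the firewall's behaviour.

    Returns (verdict, elapsed_seconds). Verdicts:
      'open'    - something answered on the port (an identd is running)
      'refused' - a TCP RST came back (pf 'reject' / block return, or no listener)
      'dropped' - no answer before the timeout (pf 'block' / silent drop)
      'error'   - some other socket error (e.g. network unreachable)
    A daemon that waits on the ident reply sees the 'dropped' case as a login hang.
    """
    start = time.monotonic()
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        verdict = "open"
    except ConnectionRefusedError:
        verdict = "refused"
    except socket.timeout:
        verdict = "dropped"
    except OSError:
        verdict = "error"
    finally:
        s.close()
    return verdict, time.monotonic() - start


def local_listener():
    """Throwaway TCP listener on 127.0.0.1 (stands in for a client running identd)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def free_port():
    """A 127.0.0.1 port with no listener, so connect() gets a RST (the 'reject' case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv = local_listener()
    print("listener   :", probe_ident("127.0.0.1", srv.getsockname()[1]))
    srv.close()
    print("closed port:", probe_ident("127.0.0.1", free_port()))
```

    Against a host behind a silently dropping rule the verdict is "dropped" and the elapsed time equals the timeout, which is the delay the original poster saw before the SSH login prompt.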

