EofException:Timeout
-
Can i use Web Interface to upgrade pfsense and does my settings go if i upgrade it. Also while upgrading, i cannot afford to stop pfsense. Does it affect the proper functioning of the firewall while upgrading.
Yes, you can use the web interface. No, your settings will remain. Once the upgrade process completes you must reboot.
No, it does not send any emails with attachment either to a different mail client or internal to the mail server as it get disconnected after certain time. I read in some forums about idle_time on server settings. I'm not sure if that would help to prevent that.
Is that a disconnect between a mail client and mail server on the LAN? Then pfSense has nothing to do with that problem.
One more doubt was when i was getting disconnected for ever 30 seconds when i was using remote ssh connection every single time since installation.
From remote to the LAN, or from the LAN to remote?
I would like to send you both my LAN, WAN, and DMZ rules through personal IM as an attachment if that would be fine.
Please instead post them in this thread, where others than just I can look at them. If you send them to me in a PM I'll take that as permission to repost them in this thread.
-
Is that a disconnect between a mail client and mail server on the LAN? Then pfSense has nothing to do with that problem.
The LAN is setup such that, the mail server and the thin clients which use the public IP of the mail server are on the same LAN. I can send out emails without any attachments (like text emails). It only fails to send when it is sending out attachments with more than 50kB of size. The repeated error message is,
"Sending of message failed.
The message could not be sent because the connection to SMTP server postal.americanmutualloans.com timed out. Try again or contact your network administrator."From remote to the LAN, or from the LAN to remote?
A remote connection from PuTTY to the mail server was getting disconnected for every 30 seconds. Does the time out in the mail sending activity and this disconnection has any similarities?. Because both contact the mail server remotely and are disconnected abruptly after certain time.
I'm not sure if posting those rules would bring any potential harm to the firewall with all the IP's and accessible ports are visible.
-
The LAN is setup such that, the mail server and the thin clients which use the public IP of the mail server are on the same LAN. I can send out emails without any attachments (like text emails). It only fails to send when it is sending out attachments with more than 50kB of size. The repeated error message is,
"Sending of message failed.
The message could not be sent because the connection to SMTP server postal.americanmutualloans.com timed out. Try again or contact your network administrator."Is that when sending from the mail server? Does it happen with every mail server or just that one? What are the MTU settings on your pfSense host and the mail server? What type of WAN connection are you using?
A remote connection from PuTTY to the mail server was getting disconnected for every 30 seconds. Does the time out in the mail sending activity and this disconnection has any similarities?. Because both contact the mail server remotely and are disconnected abruptly after certain time.
It does suggest you have a problem, but at this time there is no way to know if the problem is with pfSense, your mail server or something else.
I'm not sure if posting those rules would bring any potential harm to the firewall with all the IP's and accessible ports are visible.
Then blur out the WAN IP address (if shown) but leave everything else in.
-
Is that when sending from the mail server? Does it happen with every mail server or just that one? What are the MTU settings on your pfSense host and the mail server? What type of WAN connection are you using?
I'm not sure what you meant by sending from mail server. I either use a TB client or the mail server UI accessed through its IP to send out emails. It is just this one. I have one installed which is out of the firewall accessed remotely, I never had issues with that.. I had no MTU settings on mail server and i'm not sure where to look up for MTU settings on Pfsense.
We have a Ethernet connection using GigaBit switches for LAN connections.It does suggest you have a problem, but at this time there is no way to know if the problem is with pfSense, your mail server or something else.
If it was the mail server failing the mails with the attachments, i'm not sure how would it send emails with attachment at the same IP outside the firewall. But sure, it could be something with the port connections too.
I'm attaching few images of the Rules of my LAN,WAN, DMZ settings.
I cannot Upload them as the file size exceeds.I have uploaded them on an online album.
Please find the link.
http://s1100.photobucket.com/albums/g408/ashrcks/
Thanks.
-
Does Uploading a file as an attachment from a remote server in LAN Connection has something to do with a webserver while preventing, as told by Cry, it is some javascript error causing the time out
-
I'm attaching few images of the Rules of my LAN,WAN, DMZ settings.
I cannot Upload them as the file size exceeds.I have uploaded them on an online album.
Please find the link.
http://s1100.photobucket.com/albums/g408/ashrcks/
Some of those images are too small to be read. We could also do with context to make sense of them - a network diagram would help a lot!
-
I am attaching a text file which desrcribes the Firewall Rules.
Hope it is understandable in format.
-
That's a step further on, but we still need a diagram. Knowing what your rules are doesn't help if we don't know where thing like your mail server are.
It would also help to get an idea of the number of states in use.
-
I'm not sure how to get the network Diagram. I can explain you contextually if you need me to answer specific questions. I'm not best at network topologies but understand the basic LAN/WAN Connections.
To begin with, the mail server, terminal servers, LDAP Server are all under the same firewall with different rules on each specific ports.
Im not sure how specific should my answer be. You can ask if i don't sound right.
-
I'm creating a network Diagram right now!
Will attach in a few minutes.IT would be something similar to this.
There is one more router which is configured as DMZ
-
This is turning into a game of 20 questions… :(
That diagram is very pretty, but it misses off all the important details. The diagram should include what the interface names are, what the IP addresses are etc. Otherwise just how do you expect us to join up the firewall rules you've provided with the diagram? If in doubt provide details rather than excluding it.
-
Sorry,
It took a lot of time to figure out the network connections.
Does MTU of the router and the MTU settings of the network interface of the mail server should be the same?
Still getting the same timeout error.
-
I still cannot figure out the problem. The ssh connection too aborts after using KeepAliveInterval 30 in sshd_config.
I just want to make sure into which category does this kind of error belongs to
(SMTP timeout)When Zimbra can attach and send normally any attachments outside the firewall. There should be something to deal with the Firewall. isn't it?
I'm not sure on that too. But, the firewall log of the rules i gave for mail server show the local IP is connected to mail server on port 25
Any help???
-
I received a PM from ashrocks asking for help with this problem. I was starting to feel it was too hard (too time consuming) to get the information I was looking for to be able to contribute to this discussion.
Ashrocks, I have other things I can be doing with my time. I'm not paid to contribute to this forum so if you repeatedly fail to provide requested information I'm likely to go off and do other things including spend time on other forum topics where people provide the information requested.
Thanks for your good looking network diagram. Its missing a few things including the IP addresses, interface names (e.g. WAN, LAN, OPT1) and physical interface names (e.g. em0, vr1, rl2 etc) of the pfSense box. Cry Havok asked for at least some of this information. The pfSense default configuration applies different attributes to the interfaces based on their names so we need the interface names. We want the physical interface names because certain families of interfaces have particular problems that MIGHT be relevant to your problem.
While on the network diagram, I have a number of issues with it:
-
please show the proxy server's connection to the network. For which services does this system act as a proxy?
-
Which system is the mail server under discussion?
-
You show a system with public IP address 66.29.44.19 (Postal) which is apparently unprotected by a firewall. Is this correct? If so, why is it unprotected by the firewall.
-
The switch dmz has a public IP address. Should it be a router? If not, why does it have a public IP address?
-
The Aktino router - what does it do? (presumably at least routing, port forwarding and NAT)
-
Please describe the categories LOCAL Users on Patchboards 1 and 2, for example, only desktop PCs and laptops on Patchboard 1, only VOIP phones on Patchboard 2
-
Your report:
@ashrocks:The ssh connection too aborts after using KeepAliveInterval 30 in sshd_config.
is not informative enough to be useful. I'm looking for reports like: An attempted ssh connection from xxx to yyy reported: which should be followed by a paste of the ssh command and its response. Your translation of the response from the ssh command doesn't allow us to distinguish between "unknown host", "timeout", "connection refused" etc, each of which is an indicator of a quite different problem from the others. The xxx and yyy should be systems shown on your network diagram (otherwise how will we know its relevance to this particular issue?)
But, the firewall log of the rules i gave for mail server show the local IP is connected to mail server on port 25
When I read this my first response was to ask "Does the log show BLOCK or PASS"? If it shows BLOCK then probably some firewall rule needs to be tweaked but since this report doesn't show source and destination addresses and doesn't show firewall action its impossible to know how relevant this is. When I go back looking through the replies I see the rules are posted at another web site. CryHavok reports that some of that posting is too small to read and I don't see a posting to say that has been fixed. I've already spent a long time on this reply so I'm less inclined to go following the link to the photo album displaying rules which might be too small for me to read. I think I'm doing you a favour by giving my time and experience to work on your problem. The harder it is for me to get the information I think I need to work effectively on your problem the less likely I am to continue to provide the favour. Please post an extract of the firewall log showing the access attempt to mail server on port 25.
Personal experience suggests this posting could be taken as a long complaint about you. Its not intended that way. I realise this is a complex field and its not easy to know what information is important. My remarks have been intended to help you give enough information to help your readers understand the problem in sufficient detail to help you quickly. You have a problem not commonly seen, you have a network that is a bit more complex than many described in the pfSense forums so its likely to take a bit of work to understand what is really happening.
One approach I commonly use in solving computer problems is I attempt to reproduce the problem (commonly on a configuration I construct in my mind, occasionally on a configuration I build out of physical systems). Then I commonly tweak that configuration by changing something I think might be relevant to the problem to see how the behaviour changes. Consider your problem report of ssh connection aborts. I can think of many ways to make an ssh connection abort, including:
-
specify a host name which doesn't have an IP address
-
specify a host name which doesn't have a running SSH server
-
specify a host IP address that is offline
The above are all problems before a connection is established. Perhaps the ssh connection aborted after the password prompt was displayed. Perhaps it aborted during login and before the shell prompt. But if you had provided the shell command and its error report I could relatively quickly eliminate some (if not most) of these possibilities. With a smaller "problem space" (fewer possibilities to consider) I'm likely to be able to reproduce your problem (including similar error reports and logs etc) more quickly than if if I have a larger problem space.
-
-
-
-
Wallabybob,
First of the all, Thank you so much for your time and efforts in providing assistance voluntarily and i highly value and appreciate it. I didn't mean to bother you by sending PM but felt you would know about it as you answered a similar problem. But yes!, each problem differs and depends on various situations.
And as i introduced, i'm a newbie and i have been left for myself to figure out a yet complex network settings on pfsense which does not have proper labelling or any Wiki page explaining where the rules and subnets are for. So, i'm taking time to provide as much information for my problem as i could so that i don't confuse myself or others while asking questions.
Ok, i would keep to point. I have attached a logical network diagram which shows WAN>LAN>DMZ(OPT1) subnets and the mail server (in question today). And also the interfaces and how the network is setup in my server room. The previous one on the above post is the physical diagram which was not right i guess, as all the DMZ and LAN Switches are inside the firewall. There is no port forwarding on any IPs except a 1:1 WAN Mapping. I don't think Aktino is router, as my ISP provider said they have a direct connection from my ISP provider to Aktino box to the firewall.(I'm not sure why is that for then :( )
We don't have any laptop PC's in LOCAL users, those are thin clients on NIC cards connected to terminal servers which are again under the LAN subnet. All these local PC's are connected through patch boards.I have seen the firewall logs to see if the IP through which i'm trying to send email with attachment is blocked, but the status showed that my IP is allowed to pass through to the mail server (postal) through port 25. That should be true because, I'm able to send text lines in the emails and emails with attachments size less than 50kB.
The reason i mentioned SSH Connection was because i felt both the network connection timeout errors on the ssh and smtp timeout are interconnected somehow.
Well, the ssh connection i made was from one of the client pc's on LAN to Postal Mail sever through port 22 on PuTTY. After every 30sec, the connection aborts with an error message which says, "Network Error: Connection reset by peer" or "Network Error: Software caused connection to abort".The mail server interfaces are eth0:Public IP and eth1: Local IP.
Please let me know if there is anything more i need to provide which might help clearing the confusion.
And once again, thanks everyone for helping out.
![Physical Network Dia.png](/public/imported_attachments/1/Physical Network Dia.png)
![Physical Network Dia.png_thumb](/public/imported_attachments/1/Physical Network Dia.png_thumb)
Firewallrules.txt
mailerrorattachment.txt -
Thanks for the updated information. I felt as if I was thrown in the deep end of the swimming pool when I started in networks. The learning curve seemed very steep.
An ongoing frustration I have with the reporting on this issue is that I have to keep asking for the same information. Two examples:
-
I asked for the IP addresses of the pfSense interfaces. I can't see them ALL on your diagram.
-
I asked for the ssh command you have been using to access the mail server.
Because the pfSense box on your diagram didn't have the interface names close to the box it took me a while to see them. It looks to me that WAN is rl0, OPT1 is rl1 and LAN is bfe0. Correct?
Realtek interfaces, especially the early rl interfaces, have a reputation for poor quality. Does your pfSense system log report anything involving rl0 or rl1?
There are two paths from client PCs to the mail server. Do you get different results for your ssh session depending on which path you use? (Try ssh to the mail server LOCAL IP address, ssh 10.10.0.146 and ssh to the mail server "public" IP address, ssh 69.29.44.19). Does either session last more than two minutes after login?
On the mail server, what brand and model of NICs are used? (post output of shell command lspci) Is there anything in the system log reporting any event on the nterfaces? Hopefully you don't have old generation Realteks there.
-