SSH session disconnect, fragmented packets blocked.

  • Hello.

    My eth interface is configured with some VLANs on it, and pfSense routes between these VLANs.
    Everything works except the SSH session between my PC and the Catalyst's management interface in another VLAN.
    I can connect to the device, but after 20-30 seconds the session dies.

    In the attached picture of the firewall log, there is a blocked TCP:PA packet from my PC to this device.

    My version is
    2.0-RC1 (i386)
    built on Fri Mar 25 20:35:06 EDT 2011

  • If it were me I would try changing some of the options on the System: Advanced: Firewall and NAT page.

  • Already changed these values:

    Disable Firewall Scrub
    Hardware Checksum Offloading
    Hardware TCP Segmentation Offloading

    But it doesn't help. Sometimes, instead of TCP:PA, a TCP:R packet is blocked,
    and the result is the same: I can log in and do something, and then my session is broken.

    Anything else that can help?

  • Try Conservative optimization, and maybe turn on the first option on that page.

  • HAH  :)

    It's working now!
    Thanks a lot for your help…

    It's only strange that it does this in Normal mode, and only to routed packets.
    SSH to any interface of pfSense works well.

    Anyway thank you!

  • I'm not familiar with the specifics behind the firewall optimization options, or why normal works for some and others have to use conservative. Perhaps it has to do with the way your ssh client or server is configured.

    Personally I use conservative optimization because I have no shortage of RAM, and as a voip user I don't want to risk having the firewall drop any calls (or games, etc).

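For readers who, like the previous poster, are not sure what the Firewall Optimization setting actually changes: pfSense's "Normal/Conservative" choice is pf's `set optimization` hint, and the "Disable Firewall Scrub" checkbox controls whether the `scrub` line is emitted. The excerpt below is an added example written by the editor, not pfSense's generated rules file and not anything posted in this thread; the interface names, the management address and the pass rule are placeholders, and the per-state timeout values are the ones in pfctl's built-in hint tables for the normal and conservative profiles.

```pf
# Constructed pf.conf excerpt (not pfSense's generated /tmp/rules.debug).
# Interface names and addresses are placeholders.

# "Normal" profile is pf's default state timeouts, i.e. the hint table:
#   tcp.first 120s, tcp.opening 30s, tcp.established 86400s,
#   tcp.closing 900s, tcp.finwait 45s, tcp.closed 90s
# set optimization normal

# "Conservative" profile, the same as picking Conservative in the GUI.
# pfctl expands the hint into much longer timeouts, so a state is not
# expired while the firewall may still see traffic for it:
#   tcp.first 3600s, tcp.opening 900s, tcp.established 432000s,
#   tcp.closing 3600s, tcp.finwait 600s, tcp.closed 180s
set optimization conservative

# Equivalent explicit form if you would rather set the timeouts yourself
# (overrides the hint table; tune to taste):
# set timeout { tcp.first 3600, tcp.opening 900, tcp.established 432000 }
# set timeout { tcp.closing 3600, tcp.finwait 600, tcp.closed 180 }

# "Disable Firewall Scrub" unchecked == this line present; checked == absent.
# scrub reassembles IP fragments and normalizes TCP before rule matching,
# which is why disabling it is the usual first guess for fragment problems.
scrub in all

# Inter-VLAN rule for the case in the thread: keep state on SSH from the
# PC VLAN (vlan10) to the Catalyst management address on vlan20.
pass in quick on vlan10 proto tcp from vlan10:network to 192.0.2.10 port 22 flags S/SA keep state
```

After loading the rule set, `pfctl -s timeouts` shows which profile is in effect, and `pfctl -ss | grep ':22 '` shows whether the SSH state entry is still present when the session drops. If a mid-session PA or R packet is being blocked while its state still exists, the profile is not the problem; that pattern usually points at the packet not matching the state it should (for example the return path taking a different route), which is worth checking before changing global timeouts.
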
  • My opinion is that SSH should work without trouble in the default configuration.

    It works everywhere; it's standard, I think, so why not here?
    I was ready to switch to another solution for routing and firewalling…
    But because I'm curious and like pfSense, a delay of 3-4 days is nothing.  8)

  • Thanks for these incredible pointers guys! I've been experiencing MANY problems with this in the past months. Never was able to figure it out. It actually only occurred for all IPv6 traffic between two VLANs on my network being connected via pfSense. Since IPv6 traffic is prioritized over IPv4 traffic, when connecting using DNS or NETBIOS names instead of an explicit IPv4 address, it would always cause trouble. It wasn't just one protocol, it was with every protocol and every type of traffic (i.e. RDP, filesharing over NETBIOS, streaming audio, SSH sessions). Very irritating. Strange that it didn't occur with IPv4 traffic though. Switching the setting at System -> Advanced -> Firewall/NAT -> Firewall Optimization Options to conservative solved it all. And increased memory usage? It's still at 5% of the 4GB of RAM the machine is equipped with, just like it was before  :)
