TCP connection problems.
-
Hello everybody,
Here is a schema of the network solution we just put in production:

INTERNET
   |
   |
Router ---- Network A (10.X.0.0/8)
   |
   |
Interconnection (192.168.224.65/28)
   |
   |
   CARP A
   /    \
  /      \
 /  pfSync \
PFSense 1 <---> PFSense 2
 \        /
  \      /
   \    /
   CARP B
     |
     |
Network B (10.Y.0.0/8)

My problem is that the firewall actually blocks a lot of packets with TCP P, PA, and some FA, R, RA.
This is annoying because it breaks TCP sessions like LDAP, IMAP and SSH.
After a search on "our friend" and the forum, I changed the firewall mode to conservative, but there are still PA packets blocked that break TCP sessions.
I also found that it could be a problem of asymmetric routing, but I don't think that's the problem here.
Does anyone have a clue?
Information on the system:
Version: 2.1-DEVELOPMENT (i386) (for IPv6 support)
Build: built on Wed Aug 24 23:56:55 EDT 2011
-
Hi,
try another firewall state:
FIREWALL -> Rules -> edit the rules for LDAP, IMAP and SSH, then go to advanced features and set State Type = none
-
Hello,
Thanks for your reply !
I tried with a "state type" of none and only the TCP:S was authorized (every other state is blocked).
By the way, I also tried the state type "sloppy" and the TCP:PA were blocked too... :(
Do you have another suggestion?
Can I give you more information to help you?
Thanks in advance!
-
I am sorry.
Not sure if the firewall state was pointing you in the right direction. I am not familiar with CARP and perhaps this is really a routing issue.
Perhaps you could try without CARP and just use one pfSense box, and test if you have the same problems as now.
-
Trying without CARP will be hard, but I will as soon as I can.
After deeper inspection, it seems that only idle TCP connections encounter this problem. For example, only SSH sessions without any traffic are closed after a few minutes. The same thing happens for LDAP or IMAP connections.
Is there something wrong with timeouts in pf?
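The last post asks whether pf's timeouts could be killing idle connections. The first thing a practitioner would check is the live timeout table from `pfctl -st` on the active node and compare it with how long the sessions were idle before they died. The script below is an added example, not code from the thread or from pfSense: it parses `pfctl -st` output, reports which TCP state timeouts are shorter than an observed idle period, and says whether a fully established (idle) connection should survive that period at all. The embedded sample is constructed to match the `pfctl -st` line format and carries pf's default values, not the poster's settings; pipe real output into it to check a live box. It only tests the timeout hypothesis; it cannot tell a timeout problem from a CARP/pfsync state-sync problem.

```python
"""Compare pf state timeouts (pfctl -st) with an observed idle period.

Added example, not from the thread. Usage on a pfSense/FreeBSD box:
    pfctl -st | python3 pf_timeout_check.py 300
where 300 is the number of seconds the connections sat idle before
they were dropped. With no stdin data it runs on the constructed sample.
"""
import re
import sys
from typing import Dict, List, Tuple

# Constructed sample of `pfctl -st` output using pf's default values.
# Lines like "adaptive.start ... states" are not timeouts and are skipped.
SAMPLE_PFCTL_ST = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start             6000 states
adaptive.end              12000 states
src.track                     0s
"""

# "name   NNNs" -> (name, NNN); anything else (e.g. "6000 states") is ignored.
TIMEOUT_LINE = re.compile(r"^(\S+)\s+(\d+)s$")


def parse_pf_timeouts(text: str) -> Dict[str, int]:
    """Return {timeout_name: seconds} for every timeout line in `pfctl -st` output."""
    timeouts: Dict[str, int] = {}
    for line in text.splitlines():
        m = TIMEOUT_LINE.match(line.strip())
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts


def tcp_timeouts_shorter_than(timeouts: Dict[str, int],
                              idle_seconds: int) -> List[Tuple[str, int]]:
    """TCP state timeouts that would expire within `idle_seconds`, shortest first.

    A connection is only affected if it is actually in one of these states
    (e.g. tcp.first/tcp.opening for a half-open handshake, tcp.finwait for
    a half-closed one); an idle established session is in tcp.established.
    """
    hits = [(name, secs) for name, secs in timeouts.items()
            if name.startswith("tcp.") and secs < idle_seconds]
    return sorted(hits, key=lambda item: item[1])


def established_survives(timeouts: Dict[str, int], idle_seconds: int) -> bool:
    """True if a fully established, idle TCP state outlives `idle_seconds`."""
    return timeouts.get("tcp.established", 0) >= idle_seconds


def report(timeouts: Dict[str, int], idle_seconds: int) -> str:
    """Human-readable summary; the functions above are what a test should check."""
    lines = [f"observed idle period: {idle_seconds}s",
             f"tcp.established: {timeouts.get('tcp.established', 'missing')}s"]
    if established_survives(timeouts, idle_seconds):
        lines.append("an idle established connection should NOT be aged out; "
                     "look at state sync (pfsync/CARP) or asymmetric paths instead")
    else:
        lines.append("tcp.established is shorter than the idle period: "
                     "idle sessions will be dropped by pf itself")
    for name, secs in tcp_timeouts_shorter_than(timeouts, idle_seconds):
        lines.append(f"  {name} = {secs}s expires within the idle period")
    return "\n".join(lines)


if __name__ == "__main__":
    idle = int(sys.argv[1]) if len(sys.argv) > 1 else 300
    text = sys.stdin.read() if not sys.stdin.isatty() else ""
    print(report(parse_pf_timeouts(text or SAMPLE_PFCTL_ST), idle))
```

With pf's defaults an idle session sits in `tcp.established` for 86400 s, so a drop after a few idle minutes would not be explained by the timeout table alone; if the live table shows a much smaller `tcp.established`, that is the culprit, otherwise the timeout hypothesis can be set aside.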