Netgate Discussion Forum
    TCP connection problems.

    Firewalling | 5 Posts, 2 Posters, 2.3k Views
      alexis.olivier:

      Hello everybody,

      Here is a schema of the network solution we just put in production:

      INTERNET
              |
              |
          Router ---- Network A (10.X.0.0/8)
              |
              |
      Interconnection (192.168.224.65/28)
              |
              |
             CARP A
            /      \
           /        \
      PFSense 1 <-pfSync-> PFSense 2
           \        /
            \      /
             CARP B
              |
              |
      Network B (10.Y.0.0/8)

      My problem is that the firewall actually blocks a lot of packets with TCP P, PA, and some FA, R, RA.
      This is annoying because it breaks TCP sessions like LDAP, IMAP and SSH.

      After a search on "our friend" and the forum, I changed the firewall mode to conservative, but there are still PA packets being blocked that break TCP sessions.
      I also found that it could be a problem of asymmetric routing, but I don't think that is the problem here.

      Does anyone have a clue?

      Information on the system:
      Version: 2.1-DEVELOPMENT (i386) (for IPv6 support)
      Build: built on Wed Aug 24 23:56:55 EDT 2011

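The flag letters in the first post (P, PA, FA, R, RA) are the tcpdump-style TCP flags pfSense records for every blocked packet. Before chasing rules or timeouts, it helps to know whether the blocks are mostly mid-session segments (no SYN set, so the firewall had no state entry for an existing connection) or new-connection attempts that a rule simply denies. The following is an added Python example, not code from this thread, from pfSense or from pf; the log lines are constructed, with made-up addresses, ports, interface names and rule numbers, in the tcpdump-decoded pflog format assumed here for a 2.x-era filter.log.

```python
import re
from collections import Counter

# Constructed sample lines (made-up addresses, ports, interfaces and rule
# numbers) in the tcpdump-decoded pflog format assumed here for a 2.x-era
# pfSense filter.log; they are not log lines from the original post.
SAMPLE_LOG = """\
Aug 25 10:01:02 fw1 pf: 00:00:00.000123 rule 5/0(match): block in on em1: (tos 0x0, ttl 63, id 4711, offset 0, flags [DF], proto TCP (6), length 100) 10.1.2.3.51234 > 10.2.3.4.22: Flags [P.], seq 1:49, ack 1, win 1024, length 48
Aug 25 10:01:02 fw1 pf: 00:00:00.000456 rule 5/0(match): block in on em1: (tos 0x0, ttl 63, id 4712, offset 0, flags [DF], proto TCP (6), length 100) 10.1.2.3.51234 > 10.2.3.4.22: Flags [P.], seq 49:97, ack 1, win 1024, length 48
Aug 25 10:01:03 fw1 pf: 00:00:00.000789 rule 5/0(match): block in on em1: (tos 0x0, ttl 63, id 4713, offset 0, flags [DF], proto TCP (6), length 52) 10.1.2.3.51235 > 10.2.3.4.389: Flags [F.], seq 1, ack 1, win 1024, length 0
Aug 25 10:01:04 fw1 pf: 00:00:00.000111 rule 5/0(match): block in on em0: (tos 0x0, ttl 64, id 4714, offset 0, flags [DF], proto TCP (6), length 40) 10.2.3.4.22 > 10.1.2.3.51234: Flags [R.], seq 1, ack 97, win 0, length 0
Aug 25 10:01:05 fw1 pf: 00:00:00.000222 rule 5/0(match): block in on em1: (tos 0x0, ttl 63, id 4715, offset 0, flags [DF], proto TCP (6), length 60) 10.1.2.3.60000 > 10.2.3.4.23: Flags [S], seq 100, win 65535, length 0
"""

# One regex for the fields we need: rule, verdict, direction, interface,
# endpoints and the tcpdump flag letters ("." is tcpdump's ACK).
LINE_RE = re.compile(
    r"rule (?P<rule>\d+)/\d+\(match\): (?P<action>block|pass) (?P<dir>in|out) on (?P<ifname>\w+): "
    r".*?proto TCP \(6\).*?\) "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


def parse_pflog(text):
    """Yield one dict per TCP log line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            rec = m.groupdict()
            # Spell ACK out the way the pfSense GUI does: "P." -> "PA", "S." -> "SA".
            rec["flags"] = rec["flags"].replace(".", "A")
            yield rec


def is_mid_session(flags):
    """A segment without SYN can only belong to a conversation that was
    already set up; if the filter blocks it, it had no matching state entry
    (expired, never created because of an asymmetric path, or flushed)."""
    return "S" not in flags


def summarize_blocks(text):
    blocked = [r for r in parse_pflog(text) if r["action"] == "block"]
    mid = [r for r in blocked if is_mid_session(r["flags"])]
    # Group mid-session drops by 4-tuple regardless of direction so both
    # halves of one connection (the client's PA and the server's RA) count together.
    conversations = Counter(
        tuple(sorted([(r["src"], r["sport"]), (r["dst"], r["dport"])])) for r in mid
    )
    return {
        "total_blocked": len(blocked),
        "mid_session": len(mid),
        "new_connection": len(blocked) - len(mid),
        "by_flags": dict(Counter(r["flags"] for r in blocked)),
        "by_interface": dict(Counter((r["ifname"], r["dir"]) for r in blocked)),
        "conversations": dict(conversations),
    }


if __name__ == "__main__":
    for key, value in summarize_blocks(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

A high share of mid-session blocks concentrated on one interface, as in the constructed sample, points at missing or expired state (routing path, state synchronisation, timeouts) rather than at the rule set, while SYN blocks are ordinary policy decisions.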
        Nachtfalke:

        Hi,

        try another firewall state type:

        Firewall -> Rules -> edit the rules for LDAP, IMAP and SSH, then go to advanced features and set State Type = none

          alexis.olivier:

          Hello,

          Thanks for your reply!

          I tried with a "state type" of none and only the TCP:S was authorized (every other state is blocked).
          By the way, I also tried the state type "sloppy" and the TCP:PA were blocked too… :(

          Do you have another suggestion?
          Can I give you more information to help me?

          Thanks in advance!

            Nachtfalke:

            I am sorry.

            Not sure if the firewall state was pointing you in the right direction. I am not familiar with CARP and perhaps this is really a routing issue.

            Perhaps you could try without CARP and just use one pfSense box, and test if you have the same problems as now.

              alexis.olivier:

              Trying without CARP will be hard, but I will as soon as I can.

              After deeper inspection, it seems that only idle TCP connections encounter this problem. For example, only SSH sessions without any traffic will be closed after a few minutes. It is the same thing for LDAP or IMAP connections.

              Is there something wrong with timeouts in pf ?

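The symptom in the last post, idle sessions dying after a few minutes while busy ones survive, is what an expired state-table entry looks like from outside: the first data segment after the pause (a PA) reaches the firewall, no state matches it, and the default block rule logs it. The Python model below is an added example, not code from this thread, from pfSense or from pf. It reduces a stateful filter to a single TCP flow with one idle timeout, a stand-in for pf's `set timeout tcp.established` and `set optimization` settings, and shows why keepalives that fire more often than the filter's timeout (for OpenSSH, `ServerAliveInterval` in ssh_config or `ClientAliveInterval` in sshd_config) keep such sessions alive. The traffic timeline is constructed.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Segment:
    t: int        # seconds since the connection started (constructed timeline)
    flags: str    # pfSense-style TCP flag letters: S, SA, A, PA, FA, RA


class StatefulFilter:
    """Toy model of one TCP flow in a stateful packet filter's state table.

    A state entry is created by the client's SYN, refreshed by every later
    segment that matches it, and dropped once no segment has matched it for
    longer than `idle_timeout` seconds. Real pf also tracks sequence windows
    and several per-phase timeouts; only the idle expiry is modelled here
    because it is the part that produces the symptom discussed in the thread.
    """

    def __init__(self, idle_timeout: int):
        self.idle_timeout = idle_timeout
        self.last_seen: Optional[int] = None            # None = no state entry
        self.blocked: List[Tuple[int, str, str]] = []   # (time, flags, verdict)

    def handle(self, seg: Segment) -> str:
        # Expire the entry if the flow has been silent for longer than the timeout.
        if self.last_seen is not None and seg.t - self.last_seen > self.idle_timeout:
            self.last_seen = None
        # A bare SYN matches the service's pass rule and creates state.
        if seg.flags == "S":
            self.last_seen = seg.t
            return "pass"
        # Everything else must match existing state; otherwise the default
        # block rule catches it, which is where the logged PA/FA/RA blocks come from.
        if self.last_seen is None:
            self.blocked.append((seg.t, seg.flags, "block"))
            return "block"
        self.last_seen = seg.t
        return "pass"


def interactive_session(idle_seconds: int, keepalive_interval: Optional[int] = None) -> List[Segment]:
    """Constructed traffic for one SSH-like session: handshake, two data
    segments, `idle_seconds` of silence (optionally broken by empty ACK
    keepalives every `keepalive_interval` seconds), then the user types again."""
    segs = [Segment(0, "S"), Segment(0, "SA"), Segment(0, "A"), Segment(10, "PA"), Segment(11, "PA")]
    last_data = 11
    if keepalive_interval:
        t = last_data + keepalive_interval
        while t < last_data + idle_seconds:
            segs.append(Segment(t, "A"))
            t += keepalive_interval
    segs.append(Segment(last_data + idle_seconds, "PA"))   # the next keystroke
    return segs


def run(idle_timeout: int, idle_seconds: int, keepalive_interval: Optional[int] = None):
    """Return the verdict on the first keystroke after the idle period and the
    list of segments the filter would have logged as blocked."""
    fw = StatefulFilter(idle_timeout)
    verdicts = [fw.handle(s) for s in interactive_session(idle_seconds, keepalive_interval)]
    return verdicts[-1], fw.blocked


if __name__ == "__main__":
    # Idle longer than the state timeout: the PA after the pause is blocked.
    print(run(idle_timeout=300, idle_seconds=600))
    # Keepalives more frequent than the timeout keep the state entry fresh.
    print(run(idle_timeout=300, idle_seconds=600, keepalive_interval=60))
```

The model also shows why changing the rule's state type or the optimization profile does not help once the entry is already gone: the only remedies are a timeout longer than the longest expected silence or traffic on the flow (keepalives) before that timeout elapses.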