Firewall changes drop existing ssh, irc, etc. sessions



  • Current version: 2.0-RC3
    Built On: Sat Sep 10 18:37:11 EDT 2011

    Should I be able to make changes to pfSense virtual IPs, NAT 1:1, and firewall rules without pfSense dropping existing SSH, IRC, etc. sessions to IPs unrelated to the rule changes?

    If I have an existing SSH session from 1.1.1.1 to 2.2.2.2 and I create a new firewall virtual IP, NAT 1:1, and firewall rules for 1.1.1.100, should I expect that my SSH, IRC, etc. sessions will be dropped?

    I looked but I couldn't find any documentation regarding this behavior. What changes can be made without dropping existing SSH, IRC, etc. sessions? What changes can't?

    Thanks in advance.


  • Rebel Alliance Developer Netgate

    That is not something that happens by default. You may have a package or feature enabled that is resetting on filter reload and cutting things off, but it doesn't happen on a stock release that I've seen.



  • Interesting, thanks for the feedback.

    Packages installed:
    ntop
    OpenVPN Client Export Utility

    And I'm also using:
    Firewall: Traffic Shaper



  • Version:
    2.0-RELEASE (amd64)
    built on Tue Sep 13 17:33:40 EDT 2011

    I upgraded from 2.0-RC3 to 2.0-RELEASE

    I finally got around to removing the ntop package and removing traffic shaping. So with only the OpenVPN Client Export Utility package remaining installed the above behavior is unchanged.

    Any change applied to firewall virtual IPs, NAT 1:1, or firewall rules causes my SSH, IRC, etc. sessions to drop.

    I haven't tried a stock release in a long time. Some day I'll try that.



  • I saw it once with a misconfigured /32 netmask on the WAN interface.

    Check routes, interface IPs and netmasks.



  • Could such disconnects be due to weak hardware?

    I'm having the same problem on two machines: one is an old Athlon (Slot A) machine at 700 MHz, the other one a Pentium III running at ~500 MHz (I don't recall the amount of RAM in either of these machines). The Athlon machine runs pfSense 2.0.1-RELEASE and the Pentium machine runs pfSense 2.0-RELEASE.

    The second machine (the Pentium III) initially only lost connections when I was changing firewall rules; since I began playing with OpenVPN it disconnects me after each config change for the OpenVPN server and after uninstalling packages (I stripped packages down to the OpenVPN config exporter), but strangely enough not after reinstalling the Cron package. There are only two interfaces, a PPPoE dialup interface and a LAN interface with a 192.168.x.y/16 network (the NIC is a Gigabit Ethernet card, can't recall the model, MAC starts with 14:d6:4d:…).

    -MK


  • Rebel Alliance Developer Netgate

    This can also happen if you have a static route configured or some other gateway setup that pfSense believes is down. When the filter is reloaded with a down gateway, it will (by default) kill all of the states it believes are going through that gateway.

    You can disable gateway monitoring for local gateways on an individual basis if this is the case.
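The check that goes with the explanation above, as an added example that is not part of this thread or of pfSense itself: snapshot the pf state table before a virtual IP, NAT or rule change and again after the filter reload, then list the states that vanished. If the lost states are exactly the ones routed through one gateway, the down-gateway state kill is the first thing to look at. The script assumes the FreeBSD `pfctl -ss` output format; the two sample snapshots embedded in it are constructed (the 1.1.1.1 / 2.2.2.2 addresses are the placeholders from the original question), and the function names (`normalize_states`, `lost_states`, `states_for_host`, `snapshot`) are my own, not a pfSense API.

```shell
#!/bin/sh
# Compare pf state tables across a filter reload and report which states disappeared.
# Added example for this thread, not pfSense code. Assumes FreeBSD/pfSense
# `pfctl -ss` output; falls back to the constructed samples below when pfctl
# is not available, so it can be run offline.

# Constructed sample of `pfctl -ss` output taken before a rule change.
SAMPLE_BEFORE='all tcp 1.1.1.1:54321 -> 2.2.2.2:22       ESTABLISHED:ESTABLISHED
all tcp 1.1.1.1:60021 -> 2.2.2.2:6667       ESTABLISHED:ESTABLISHED
em0 udp 1.1.1.1:5060 -> 3.3.3.3:5060       MULTIPLE:MULTIPLE
em1 tcp 203.0.113.5:40000 (10.0.0.5:40000) -> 2.2.2.2:80       TIME_WAIT:TIME_WAIT'

# Constructed sample taken after the reload: the UDP state survived, the three
# TCP states to 2.2.2.2 were killed, and the ssh client has started reconnecting.
SAMPLE_AFTER='em0 udp 1.1.1.1:5060 -> 3.3.3.3:5060       MULTIPLE:MULTIPLE
all tcp 1.1.1.1:12345 -> 2.2.2.2:22       SYN_SENT:CLOSED'

# Normalise pfctl -ss lines from stdin into one "proto src dir dst" key per line:
# drop the NAT "(translated addr)" column, the interface column and the state
# column, then sort so two snapshots can be compared with comm(1).
normalize_states() {
    sed 's/ ([^)]*)//g' | awk 'NF >= 5 { print $2, $3, $4, $5 }' | sort -u
}

# Write a normalised snapshot to file $1. Uses the live state table when pfctl
# exists and no sample is given; otherwise parses the sample text in $2.
snapshot() {
    if [ -z "$2" ] && command -v pfctl >/dev/null 2>&1; then
        pfctl -ss | normalize_states > "$1"
    else
        printf '%s\n' "$2" | normalize_states > "$1"
    fi
}

# Print the state keys present in snapshot $1 (before) but missing from $2 (after).
lost_states() {
    comm -23 "$1" "$2"
}

# Number of states lost between snapshot $1 and snapshot $2.
count_lost() {
    lost_states "$1" "$2" | wc -l | tr -d ' '
}

# State keys in snapshot $1 that involve peer address $2 (either endpoint).
states_for_host() {
    grep -F "$2:" "$1"
}

# Worked run: on a real box, make the VIP/NAT/rule change between the two snapshots.
demo() {
    before=$(mktemp); after=$(mktemp)
    snapshot "$before" "$SAMPLE_BEFORE"
    # ... apply the firewall change here and let the filter reload ...
    snapshot "$after" "$SAMPLE_AFTER"
    echo "states to 2.2.2.2 before reload: $(states_for_host "$before" 2.2.2.2 | wc -l | tr -d ' ')"
    echo "states lost across reload: $(count_lost "$before" "$after")"
    lost_states "$before" "$after" | sed 's/^/  lost: /'
    rm -f "$before" "$after"
}

demo
```

Run it from the serial or VGA console rather than over the tunnel you are testing, since an SSH session through the firewall is itself one of the states that may be killed. `pfctl` only shows that a state is gone, not why; if the missing states all share a gateway, check that gateway's status under Status > Gateways (a gateway that drops ICMP, as in the PPPoE case later in this thread, shows as down even though traffic through it works).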



  • Yep, that is it.
    I have one "offline" gateway, which is the WAN uplink gateway, the PtP address of the PPPoE link. That gateway definitely is online (I'm accessing the webConfigurator through an SSH tunnel over a connection via this link). Edit: apparently the gateway cannot be pinged; if I ping the gateway address from the router it receives "Communication prohibited by filter" from the gateway IP.

    I turned it off (ticked System > Advanced > Miscellaneous > Gateway Monitoring > States) and now filter reloads happen without disconnects.

    Thanks jimp.

