<![CDATA[NAT reflection disconnects after 20s idle]]>Hi,

I enabled NAT reflection in order to be able to access services from inside the LAN the same way as I would do it from outside. It works, only that the connection is dropped after exactly 20s if idle.

For a test (replicating the problem) you can do the following: Create a port redirection for SSH (or any other interactive TCP connection) to an internal SSH capable pc and enable reflection. From outside my LAN I can now ssh in without any problems no matter how long I stay idle. From inside the LAN the connection will be dropped after 20s idletime. Hence ONLY the reflected connection is affected.

Everything works if I generate traffic. However generating enough traffci is not a solution, since I need a jabber server (uses TCP 5222) inside the LAN (access via the WAN adress in order to not need to change if ouside the LAN) with the result that it keeps me logging in and out periodically.

This question was already asked, however there was no solution yet. I tried different settings for keeping the state for the original port redirection rule with no influence. Also changing the general optimisation policy does not change the above described behaviour.

Since I'm not (yet) so familiar with pf could someone point me towards where e.g. the timeouts for states are set? I see the /etc/pf.conf does not contain anything usefull (doesn't seem to be used at all).

Can sombody help? It's easy to replicate - just use putty and ssh and wait for 20s - the connection will drop..

Regards
Arno

]]>https://forum.netgate.com/topic/4422/nat-reflection-disconnects-after-20s-idleRSS for NodeFri, 17 Apr 2026 07:01:34 GMTSat, 05 May 2007 18:00:54 GMT60<![CDATA[Reply to NAT reflection disconnects after 20s idle on Sun, 06 May 2007 20:29:50 GMT]]>Now I found the right thread: http://forum.pfsense.org/index.php/topic,1528.0.html - don't know why I didnt find it earliear when i was trying to solve the problem myself :( sorry for the trouble.

Thanks
Arno

]]>https://forum.netgate.com/post/154234https://forum.netgate.com/post/154234Sun, 06 May 2007 20:29:50 GMT<![CDATA[Reply to NAT reflection disconnects after 20s idle on Sun, 06 May 2007 19:23:30 GMT]]>The change is already made in that version and it should be a lot longer than 20 seconds.  The folks that requested it even verified that the change worked.  All discussed in this forum.

]]>https://forum.netgate.com/post/154227https://forum.netgate.com/post/154227Sun, 06 May 2007 19:23:30 GMT<![CDATA[Reply to NAT reflection disconnects after 20s idle on Sun, 06 May 2007 19:07:07 GMT]]>Hi,

thanks for the response. I was already using 1.2-BETA (pfSense-Full-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-04-07.tgz downloaded on 0505). Did you make the change later? I will look now for the hidden option (i suppose in the config.xml?)

Thanks
Arno

]]>https://forum.netgate.com/post/154226https://forum.netgate.com/post/154226Sun, 06 May 2007 19:07:07 GMT<![CDATA[Reply to NAT reflection disconnects after 20s idle on Sat, 05 May 2007 18:26:09 GMT]]>Upgrade to 1.2-BETA-1.  The timeout has been set to 1 hour and there is a hidden configurable option in there forum if this is not enough.

]]>https://forum.netgate.com/post/154165https://forum.netgate.com/post/154165Sat, 05 May 2007 18:26:09 GMT