Netgate Discussion Forum

    NAT reflection disconnects after 20s idle

    wacko

      Hi,

      I enabled NAT reflection in order to be able to access services from inside the LAN the same way as I would do it from outside. It works, only that the connection is dropped after exactly 20s if idle.

      For a test (replicating the problem) you can do the following: Create a port redirection for SSH (or any other interactive TCP connection) to an internal SSH capable pc and enable reflection. From outside my LAN I can now ssh in without any problems no matter how long I stay idle. From inside the LAN the connection will be dropped after 20s idle time. Hence ONLY the reflected connection is affected.

      Everything works if I generate traffic. However generating enough traffic is not a solution, since I need a jabber server (uses TCP 5222) inside the LAN (access via the WAN address in order to not need to change if outside the LAN) with the result that it keeps me logging in and out periodically.

      This question was already asked, however there was no solution yet. I tried different settings for keeping the state for the original port redirection rule with no influence. Also changing the general optimisation policy does not change the above described behaviour.

      Since I'm not (yet) so familiar with pf could someone point me towards where e.g. the timeouts for states are set? I see the /etc/pf.conf does not contain anything useful (doesn't seem to be used at all).

      Can somebody help? It's easy to replicate - just use putty and ssh and wait for 20s - the connection will drop.

      Regards
      Arno

      sullrich

        Upgrade to 1.2-BETA-1. The timeout has been set to 1 hour and there is a hidden configurable option in the forum if this is not enough.

        wacko

          Hi,

          thanks for the response. I was already using 1.2-BETA (pfSense-Full-Update-1.2-BETA-1-TESTING-SNAPSHOT-05-04-07.tgz downloaded on 0505). Did you make the change later? I will look now for the hidden option (I suppose in the config.xml?)

          Thanks
          Arno

          sullrich

            The change is already made in that version and it should be a lot longer than 20 seconds.  The folks that requested it even verified that the change worked.  All discussed in this forum.

            wacko

              Now I found the right thread: http://forum.pfsense.org/index.php/topic,1528.0.html - don't know why I didn't find it earlier when I was trying to solve the problem myself :( sorry for the trouble.

              Thanks
              Arno

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.