Nat reflection issues (timeout) in both 1.2-RC2 and 1.2-RC3



  • Hi all, I just installed version 1.2-RC2 (built on Fri Aug 17 17:46:06 EDT 2007) in a production environment.
    I have 4 network interfaces: LAN, WAN, DMZ (opt1) and WAN2 (opt2).

    I set up all port forwards, NAT and rules correctly; from an external connection I can reach all of my services in the DMZ.

    But I have some strange problems: if I try a LAN->WAN or LAN->WAN2 (opt2) connection, such as SSH or RDP, it fails after a few seconds with a timeout, but if I try a LAN->DMZ connection it works without issues.

    I read many posts about issues concerning NAT and reflection, port forwarding and so on. One solution seems to be upgrading to 1.2-RC3 (where can I download it?). Is this release quite stable? I have to put it in production. Does it solve my NAT reflection problems? Are there any solutions to get my firewall working?

    Thanks in advance

    k.



  • Hi, I just updated my pfSense installation to 1.2-RC3 (built on Wed Nov 7 19:10:57 EST 2007),
    but the issue isn't resolved.

    For example, if I try to telnet from a LAN workstation:

    telnet my.public.address 25

    after a while it hangs up with "Connection closed by foreign host."
    This happens even with SSH, RDP, POP3, any kind of connection.

    But if I try with:

    telnet my.dmz.address 25

    it works.

    What can I do?



  • I'm here again. ;)

    I did a little "debug" session to understand how reflection works.
    There is an inet.conf (located in /var/etc/) that spawns a simple "nc" between the source and target IP.
    Well, I think that the script which creates this file is buggy/broken, because it writes something like:
    "19056  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 22"
    I read the man page of nc, and I found that "-w 20" is the "timeout for connects and final net reads".
    So I made a simple test:

    $ date ; ssh my.public.address ; date
    Thu Nov  8 15:09:43 CET 2007

    ----<ssh stuff>----
    Connection to my.public.address closed.

    Thu Nov  8 15:10:03 CET 2007

    Well, it's just 20 seconds.

    Maybe this is the way to solve this issue?



  • I hope this is the last one.

    I tried to check the /etc/inc/filter.inc file; on line 1172 I found the right
                $reflectiontimeout = "2000";
    but on line 1231, the value goes back to:
                $reflectiontimeout = "20";

    Is it correct?

    The first affects "tcp/udp" connections, the second is for "tcp" or "udp" only, so for these last ones the timeout is 20 secs and not 2000 secs as default.

    k.
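The two posts above describe the reflection mechanism (an inetd entry per forwarded port that spawns `nc -w <timeout> target port`) and the symptom (a 20 second `-w` on the tcp-only and udp-only entries, where the poster expected 2000). The following checker, an added example and not pfSense code, parses an inetd.conf in that layout, pulls out the `nc -w` value per entry and reports every reflection entry whose timeout is below the expected one, then shows what the line would look like with the expected value. The sample file is constructed from the single line quoted in the thread, the entry format is assumed from that line and the classic inetd field order, and the 2000 second expectation is taken from the fourth post; none of it was captured from a real firewall.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a /var/etc/inetd.conf as pfSense 1.2 writes it for
# NAT reflection (not captured from a real box).  Each line uses the classic
# inetd layout:  port socktype proto wait/nowait[/max] user program argv...
# and argv runs nc against the internal target.  The "-w 20" on the tcp-only
# and udp-only entries is the bug the thread describes.
SAMPLE_INETD_CONF = """\
19056  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 22
19057  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 25
19058  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 2000 192.168.100.40 3389
19059  dgram   udp    wait/0          nobody  /usr/bin/nc nc -u -w 20 192.168.100.50 53
"""

# Assumed: the idle timeout the generator is meant to use (2000, per the thread).
EXPECTED_TIMEOUT = 2000

ENTRY_RE = re.compile(
    r"^(?P<port>\d+)\s+(?P<socktype>stream|dgram)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<wait>(?:no)?wait(?:/\d+)?)\s+(?P<user>\S+)\s+(?P<prog>\S+)\s+(?P<args>.+)$"
)


@dataclass
class ReflectionEntry:
    listen_port: int
    proto: str
    timeout: Optional[int]   # value of nc's -w switch, None if absent
    target: str
    target_port: int
    raw: str


def parse_entry(line: str) -> Optional[ReflectionEntry]:
    """Parse one inetd.conf line; None for blanks, comments and non-nc services."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    m = ENTRY_RE.match(line)
    if m is None or not m.group("prog").endswith("/nc"):
        return None
    argv = m.group("args").split()      # argv[0] is "nc" itself
    timeout = None
    positional: List[str] = []
    i = 1
    while i < len(argv):
        arg = argv[i]
        if arg == "-w" and i + 1 < len(argv):
            timeout = int(argv[i + 1])
            i += 2
            continue
        if arg.startswith("-"):         # other nc switches, e.g. -u for udp
            i += 1
            continue
        positional.append(arg)          # target host, then target port
        i += 1
    if len(positional) != 2:
        return None
    return ReflectionEntry(
        listen_port=int(m.group("port")),
        proto=m.group("proto"),
        timeout=timeout,
        target=positional[0],
        target_port=int(positional[1]),
        raw=line,
    )


def parse_inetd_conf(text: str) -> List[ReflectionEntry]:
    return [e for e in (parse_entry(l) for l in text.splitlines()) if e]


def short_timeouts(entries: List[ReflectionEntry],
                   expected: int = EXPECTED_TIMEOUT) -> List[ReflectionEntry]:
    """Entries whose nc -w value is below the expected one; a reflected session
    through such an entry is torn down after that many seconds of idle time."""
    return [e for e in entries if e.timeout is not None and e.timeout < expected]


def with_timeout(line: str, timeout: int = EXPECTED_TIMEOUT) -> str:
    """Rewrite the -w value of one line, to show what the generator should emit.
    Editing the live file is not a fix: filter.inc regenerates it on each reload."""
    return re.sub(r"(\s-w\s+)\d+", lambda m: f"{m.group(1)}{timeout}", line, count=1)


if __name__ == "__main__":
    entries = parse_inetd_conf(SAMPLE_INETD_CONF)
    for e in short_timeouts(entries):
        print(f"port {e.listen_port}/{e.proto} -> {e.target}:{e.target_port}: "
              f"nc -w {e.timeout} (expected {EXPECTED_TIMEOUT})")
        print("  should be:", with_timeout(e.raw))
```

To run it against a live box, replace `SAMPLE_INETD_CONF` with the contents of `/var/etc/inetd.conf`. The report tells you which forwarded ports will drop reflected sessions early, but because the file is rewritten by `filter.inc` on every filter reload, the lasting change has to be made to the `$reflectiontimeout` assignment there, not to the generated file.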



