Netgate Discussion Forum

    Nat reflection issues (timeout) in both 1.2-RC2 and 1.2-RC3

kionez:

Hi all, I just installed in a production environment the 1.2-RC2 version (built on Fri Aug 17 17:46:06 EDT 2007)..
I have 4 network interfaces: LAN, WAN, DMZ (opt1) and WAN2 (opt2)..

I set up all port-forward, NAT and rules correctly; from an external connection I can reach all of my services in the DMZ..

But I have some strange problems: if I try a LAN->WAN or LAN->WAN2 (opt2) connection, such as SSH or RDP, it fails after a few seconds with a timeout, but if I try a LAN->DMZ connection it works without issues.

I read many posts about issues concerning NAT and reflection, port forwarding and so on.. one solution seems to be to upgrade to 1.2-RC3.. (where can I download it?) Is this release quite stable? I have to put it in production… does it solve my NAT reflection problems? Are there any solutions to get my firewall working?

thanks in advance

k.

kionez:

Hi.. I just updated my pfSense installation to 1.2-RC3 (built on Wed Nov 7 19:10:57 EST 2007)..
but the issue isn't resolved…

for example, if I try to telnet from a LAN workstation:

telnet my.public.address 25

after a while it hangs up with "Connection closed by foreign host."...
this happens even with SSH, RDP, POP3.. any kind of connection..

but if I try with:

telnet my.dmz.address 25

it works.

what can I do?

kionez:

I'm here again.. ;)

I did a little "debug" session to understand how reflection works..
there is an inet.conf (located in /var/etc/) that spawns a simple "nc" between source and target IP…
well, I think that the script that creates this file is buggy\broken, because it writes something like:
"19056  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 22"
I read the manpage of nc, and I found that "-w 20" is the "timeout for connects and final net reads"...
so I made a simple test:

$ date ; ssh my.public.address ; date
Thu Nov  8 15:09:43 CET 2007

----<ssh stuff>----
Connection to my.public.address closed.

Thu Nov  8 15:10:03 CET 2007

..well, it's just 20 seconds...

maybe this is the way to solve this issue?

kionez:

..I hope this is the last one…

I tried to check the /etc/inc/filter.inc file; on line 1172 I found the right
            $reflectiontimeout = "2000";
but on line 1231, the value comes back to:
            $reflectiontimeout = "20";

is it correct?

the first applies to "tcp\udp" connections, the second is for "tcp" or "udp" only, so for these last ones the timeout is 20 secs and not 2000 secs as default.

k.

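As an added example that is neither from this thread nor from pfSense itself: a small sh script that audits the inetd entries pfSense generates for NAT reflection and flags any whose "nc -w" timeout is below the 2000 seconds the poster expected. The sample configuration lines are constructed, and the field layout is assumed to match the entry quoted in the thread above.

```shell
#!/bin/sh
# Added example, not from the thread or from pfSense: audit the inetd
# entries written for NAT reflection and report any whose "nc -w"
# timeout is below a floor. Assumed field layout, taken from the line
# quoted in the thread:
#   <port> stream <proto> nowait/0 nobody /usr/bin/nc nc -w <timeout> <target> <port>

# Print "<listen_port> <proto> <target>:<port> <timeout>" per nc reflector line.
list_reflectors() {
    awk '$6 == "/usr/bin/nc" && $8 == "-w" { print $1, $3, $10 ":" $11, $9 }' "$1"
}

# Print offending entries and return 1 if any reflector has a timeout
# (seconds) below $2 (default 2000, the value the thread expects); else 0.
check_reflection_timeouts() {
    file=$1; floor=${2:-2000}
    offenders=$(awk -v floor="$floor" '
        $6 == "/usr/bin/nc" && $8 == "-w" && ($9 + 0) < floor {
            print $1 "/" $3 " -> " $10 ":" $11 " (-w " $9 ")"
        }' "$file")
    if [ -n "$offenders" ]; then
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Constructed sample in the style of /var/etc/inetd.conf (layout assumed).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
19056  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 22
19057  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 2000 192.168.100.32 25
19058  stream  tcp    nowait/0        nobody  /usr/bin/nc nc -w 20 192.168.100.32 3389
EOF

# Demo run: lists all reflectors, then reports the two 20-second entries.
list_reflectors "$SAMPLE_CONF"
check_reflection_timeouts "$SAMPLE_CONF" 2000 || echo "reflection entries below 2000s found"
```

On a real box, point the functions at /var/etc/inetd.conf instead of the constructed sample.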
firbc:

Try this:

http://forum.pfsense.org/index.php/topic,1528.0.html

              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.