Set specific NAT Timers

  • Hi All,

    Is it possible to directly set the NAT timeouts somehow?
    I know you can change 'Advanced > Firewall/NAT > Firewall Optimisation Options' from normal to conservative, but this is bogging the show down horrendously due to all the other timers being increased and the states table topping out.
    I just need to increase the following timers, all the others are fine:

    Can these be set directly via the shell? (if so, does anyone know the relevant command?)
    Or, is it possible to create an extra 'profile' containing our own timer values that can be applied under Firewall Optimisation Options?


  • I also have some more questions that I'm hoping someone can help with (in particular i'm interested in UDP behaviour, but if you know of TCP based behaviour and any differences with UDP, that would be much appreciated!):

    1. What is the behaviour of the NAT timer resets? (i.e. are timers reset only by outbound packets using a specific NAT binding or, only by inbound packets, or packets in either direction?)
    2. Would I be correct in saying that by default, pfSense implements Symmetric NAT?
    3. If yes to question 2, can it be changed to a restricted, port restricted or full cone variant of NAT?
    4. If not, does it use a port restricted NAT? (From it's behaviour, I'm guessing it does not implement restricted or full cone NAT)
    5. Does the NAT used in pfSense attempt to preserve the local host port during the binding process, if so, how rigorously? (i.e. does only the most recent request from of two local hosts on the same port bound, or does it produce separate bindings for each host?)
    6. Is the NAT behaviour the same for all bindings (i.e. primary, secondary and tertiary bindings)?

Log in to reply