Netgate Discussion Forum

    RST Question

    General pfSense Questions
    9 Posts 3 Posters 2.2k Views
    tomli:

      Hi all,

      Normal TCP flow

      Client -----SYN----->PFsense NAT (Web Server)
      Client <-SYN/ACK-->PFsense NAT (Web Server)
      Client -----ACK------PFsense NAT (Web Server)
      ....
      Client <----FIN/ACK-----PFsense NAT (Web Server)
      Client ------FIN/ACK----->PFsense NAT (Web Server)
      Client <------ACK--------- PFsense NAT (Web Server)

      Can I use PFsense to change the FIN/ACK to RST? I want to disconnect the session immediately.

      Client -----SYN----->PFsense NAT (Web Server)
      Client <-SYN/ACK-->PFsense NAT (Web Server)
      Client -----ACK------PFsense NAT (Web Server)
      ....
      Client <----RST-----PFsense NAT (Web Server)
      ....

      Please advise.

    Harvy66:

        That breaks the standard. If packets are received out of order, the RST packet will force the client to close the connection before completing the transfer.

        You can tweak the timeouts of the different stages, making PFSense quickly close the state after FIN/ACK has occurred.

    tomli:

          Hi all,

          My client sends RST to the pfsense. In the pfsense, I still see the record in the state table.

          status: TIME_WAIT:TIME_WAIT

          Can I configure pfSense to clear/delete the record immediately after it receives an RST from the client?

          Please advise.

    johnpoz (LAYER 8 Global Moderator):

            What exactly are you doing that your "client" should be sending a RST?  In a normal setup looking at a client/server where the "client" initiating the communication to a "server" why would the client send RST?

            Normally a RST means not valid connection, so client sent a fin ack and never got back a fin ack and closed the session anyway and the "server" is still trying to send data?

            Normally you see RST come from the server side of the communication, where client trying to talk to something that is not there, or server application restarted and client still trying to talk to something server does not have a clue about, etc.

            Not saying client would never send rst..  But it would be most helpful in trying to help you if we actually knew what you're wanting to accomplish and why..  Maybe you're trying to skin the cat the wrong way??

            Normally if everything is working as it should, devices talking to each other via tcp would not send RST, they would close the session gracefully with fin ack..  RST normally means somebody doesn't want to talk real bad, or you're talking to something I don't know about, etc.  Can you post up a sniff of this conversation and then pfsense states showing it still open after normal graceful closure.. Bit confused as to why you believe pfsense should send RST on behalf of something.  Why wouldn't the client or server actually send the RST when there is communication that it doesn't want or know about, etc.  Or for when it wants to abort a conversation.  To be honest the firewall should not really interfere with client/server communications.  Sure you might have your firewall send a RST if someone is talking to a port you're not forwarding to anything, etc.  But quite often you would just drop that packet..

            You do understand that time wait serves a purpose in tcp so that delayed packets don't end up in a previous conversation, etc. While you can quite often modify the time that stuff is left in timewait, not exactly sure why you think this state should be just closed instantly?

            While I have never had to dive this deep into how exactly pfsense does this or what the timers are by default.  Normally a firewall will have specific timers for timewait and remove the session after it sees fin acks from both parties and or a RST, etc.  Maybe this diagram will help?

            (attached image: firewallclosetimewait.png)

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

    tomli:

              Hi,

              My PC has a program installed that sends some data to my remote server 10 times per second. I only assign one special NAT port for the PC to use. After sending data, my program will disconnect immediately. Therefore, I want pfSense to clear the state table record as soon as possible. Otherwise, my PC cannot build up a new connection, because the NAT port is still used by the old record.

              Thanks.

    johnpoz (LAYER 8 Global Moderator):

                Yeah there is a REASON the firewall does that ;)  See my edited post with diagram on when a session is removed on the firewall, etc..  You should be able to edit the time wait timer to have it remove the session faster if you so desire that.

                What program are you using?  Is it something written in house?  Common tool?  So your program is using the same source port.. Or you have your nat set up with static nat ports?  Why exactly??


    tomli:

                  Hi,

                  It is an in-house program and uses static NAT ports.

                  Would you mind teaching me how to change the timer in PFSense?

                  Thanks.

    johnpoz (LAYER 8 Global Moderator):

                    Well first off you're doing your program WRONG to start with!!  There should be no reason to have to modify the default timers, so if you're having issues your program is not working with the tcp standards..

                    You can view the current timers with pfctl -st

                    These are the normal settings

                    [2.2.4-RELEASE][root@pfSense.local.lan]/root: pfctl -st
                    tcp.first                  120s
                    tcp.opening                  30s
                    tcp.established          86400s
                    tcp.closing                900s
                    tcp.finwait                  45s
                    tcp.closed                  90s
                    tcp.tsdiff                  30s
                    udp.first                    60s
                    udp.single                  30s
                    udp.multiple                60s
                    icmp.first                  20s
                    icmp.error                  10s
                    other.first                  60s
                    other.single                30s
                    other.multiple              60s
                    frag                        30s
                    interval                    10s
                    adaptive.start          120600 states
                    adaptive.end            241200 states
                    src.track                    0s

                    You can set the firewall opt mode in Advanced, Firewall and NAT (1st arrow), or you can modify specifics at the bottom (2nd arrow).  But I really would take a look at why you would have to adjust these to do what you're doing..

                    (attached image: timeoutsadjust.png)


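A toy model, added here and not taken from the thread or from pfSense's code, of why tomli's single static NAT port keeps getting blocked: a state that has closed (by FIN/ACK exchange or by RST) is assumed to linger for tcp.closed seconds, as the TIME_WAIT:TIME_WAIT entry in the thread does, and a new SYN with the same 4-tuple collides with it until it expires. It assumes the 90s tcp.closed value from the pfctl -st output above; the addresses, ports and 10-per-second rate are constructed from the thread's description.

```python
"""Toy NAT state table: a closed state still owns its 4-tuple until tcp.closed expires.

Constructed model, not pfSense/pf code. It only reproduces the reuse conflict
described in the thread, not pf's real state machine.
"""
from dataclasses import dataclass


@dataclass
class State:
    key: tuple          # (src_ip, src_port, dst_ip, dst_port) seen by the NAT
    status: str         # "ESTABLISHED" or "CLOSED"
    expires_at: float   # simulated time at which the entry is purged


class StateTable:
    def __init__(self, tcp_established=86400, tcp_closed=90):
        self.tcp_established = tcp_established   # default from pfctl -st
        self.tcp_closed = tcp_closed             # default from pfctl -st
        self.states = {}

    def _expire(self, now):
        for k in [k for k, s in self.states.items() if s.expires_at <= now]:
            del self.states[k]

    def open(self, now, key):
        """New SYN: refused while any entry (even a CLOSED one) still holds the tuple."""
        self._expire(now)
        if key in self.states:
            return False
        self.states[key] = State(key, "ESTABLISHED", now + self.tcp_established)
        return True

    def close(self, now, key):
        """FIN/ACK exchange or RST: entry stays, but only for tcp.closed seconds."""
        s = self.states[key]
        s.status = "CLOSED"
        s.expires_at = now + self.tcp_closed


def simulate(tcp_closed, rate=10, seconds=2):
    """Attempt `rate` short connections per second from ONE static NAT port.

    Returns (succeeded, blocked) counts over `seconds` of simulated time.
    """
    table = StateTable(tcp_closed=tcp_closed)
    key = ("203.0.113.10", 40000, "198.51.100.20", 443)   # constructed tuple
    ok = blocked = 0
    for i in range(rate * seconds):
        now = i / rate
        if table.open(now, key):
            table.close(now + 0.01, key)   # program disconnects right after sending
            ok += 1
        else:
            blocked += 1
    return ok, blocked
```

With the 90s default only the first connection gets through in the two-second window; the rest collide with the lingering closed state, which is exactly the symptom tomli reports.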
    tomli:

                      Hi,

                      Thank you for your information :)

                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.