Problem with FW states: msg#00008 security.firewalls.pfsense.user
Hi,

I'm not able to find a solution to this problem: I've got some devices on the WAN net that need to open telnet connections to a telnet server on the LAN net. (OK, don't tell me anything about incoming telnet from WAN. At the moment I need to go on this way...) LAN is bridged with WAN. I've set up the FW rules and everything works fine.

But... It often happens that the devices need to be reset while a telnet connection is established. In this case, when the device "reboots" I have to wait many minutes to establish a telnet connection.

Looking at the FW state logs, I see that every "regular" telnet connection is coming from the x port of the device, where x is every time the same. Every time the device reboots, the new connection, established only after waiting many minutes, comes from port x+1. On the FW States log, I see that the old state is still active.

If I delete the FW states table before rebooting the device, the new connection after reboot is established immediately. Furthermore, if I connect the device directly to the LAN switch (excluding PFSense filtering), I can reboot the device and have the new connection immediately.

I have not been able to analyze the network traffic, but I suppose that the device tries every time to establish the telnet connection from port x and this is happening:

1. A connection is established
2. PFSense keeps an active state DEV:x ==> SRV:23
3. Device reboot
4. Device tries to establish a new connection (Syn from DEV:x to SRV:23)
5. PFSense knows from its states table that a connection DEV:x ==> SRV:23 is already established and drops the new DEV:x ==> SRV:23 Syn packet
6. After some minutes the device reaches the time-out and tries a new connection from port x+1. This new connection works fine.

I've been trying to solve the problem by configuring PFSense

1. inserting a new pass rule SRV:23 ==> DEV:(x...x+5)
2. not to keep (Firewall: Rules: Edit: State Type: (Advanced) None) the state for the "pass" rules
   DEV:(x...x+5) ==> SRV:23
   SRV:23 ==> DEV:(x...x+5)

It doesn't work, even after rebooting PFSense. Furthermore, I can see the state in the States table. So I suppose that the advanced option "State type: none" doesn't work.

I also tried to set a state timeout to 10 seconds. The same effect: I can see the connection state on the active state table for a long time.

Any suggestion-info-idea?

Thanks in advance to everybody

Odette
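The six-step sequence supposed in the message above can be modelled as a small state table, given here as an added example that is not part of the original post and is not pf or pfSense code. The addresses, source port 1025, retry interval and timeout values are constructed assumptions; the model only shows how a stale 4-tuple state, a flushed table and an expired state would each affect the reconnect delay under that hypothesis.

```python
# Toy model of the hypothesis in the post above; not pf or pfSense code.
from dataclasses import dataclass, field

DEV, SRV = "192.0.2.10", "192.0.2.20"   # constructed addresses
TELNET = 23

@dataclass
class StatefulFilter:
    state_timeout: int                          # seconds a state is kept (assumed)
    states: dict = field(default_factory=dict)  # 4-tuple -> expiry time

    def syn(self, now, src, sport, dst, dport):
        """Pass a SYN (True) unless a live state already owns the 4-tuple."""
        key = (src, sport, dst, dport)
        if self.states.get(key, 0) > now:
            return False                     # step 5: stale state wins, SYN dropped
        self.states[key] = now + self.state_timeout
        return True

    def flush(self):
        """Model of clearing the states table by hand."""
        self.states.clear()

def reconnect_delay(fw, reboot_at, port, connect_timeout, retry_every=3):
    """Return (seconds until a SYN passes, source port that succeeded)."""
    t, first_port = reboot_at, port
    while not fw.syn(t, DEV, port, SRV, TELNET):
        t += retry_every                     # step 4: retry from the same port
        if port == first_port and t - reboot_at >= connect_timeout:
            port += 1                        # step 6: give up, move to x+1
    return t - reboot_at, port

def scenario(state_timeout, flush_before_reboot=False):
    """Connect at t=0 from port 1025, reboot at t=60, then reconnect."""
    fw = StatefulFilter(state_timeout)
    assert fw.syn(0, DEV, 1025, SRV, TELNET)  # steps 1-2: state created
    if flush_before_reboot:
        fw.flush()
    return reconnect_delay(fw, reboot_at=60, port=1025, connect_timeout=180)

if __name__ == "__main__":
    print("long-lived state :", scenario(86400))
    print("table flushed    :", scenario(86400, flush_before_reboot=True))
    print("state expired    :", scenario(10))
```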