Subject: Re: NAT on tun0 used with OpenVPN - msg#00013

Previous Message by Date: click to view message preview

Re: Problem with FW states

Thanks Espen, I already tried what you are suggesting, but it didn't solve my problem. I also tried to play with all the "Advanced" options reachable from the web interface. It seems some of them (e.g. state: none, max states, states timeout) don't work. I've been able to analyze the network traffic: the situation is exactly the one I described in the first post (reported below): when a state ESTABLISHED exists because of a previous connection, the new SYN packet, coming from the same IP:PORT of the previously established connection, is blocked by PF, even if - in FW rule page (firewall_rules_edit.php), ADVANCED options I set up PFSense not to keep the state (working on the state number, timout) - in the FW rule page (firewall_rules_edit.php) I set State Type to "none" Furthermore, even if: 1.I set up the rule pass DEV:high-ports=>SRV:23 State Type none 2. I don't set up any rule to enable the SRV's replies to pass through the firewall 3. I reboot PFsense I can establish new connections between DEV(:x) and SRV(:23). I think this demonstrates that the "State Type none" option doesn't work. Does it. Any suggestion on how to solve my problem or fix PFSense State none issue? Once again, thanks in advance and MC&HNY to everybody. Odette Alle 15:30, lunedì 18 dicembre 2006, Espen Johansen ha scritto: > You can try to set "Firewall optimization options" in the Advanced > page to "aggressive" and see if that helps. > > -lsf > > On 12/15/06, Odette <odette.nsaka@xxxxxxxxx> wrote: > > Hi, > > > > I'm not able to find a solution to this problem: > > > > I've got some devices on the WAN net that need to open telnet connections > > to a telnet server on the LAN net. (OK, don't tell me anything about > > incoming telnet from WAN. At the moment I need to go on this way... ) > > LAN is bridged with WAN. > > I've set up the FW rules and everything works fine. > > > > But... > > > > It often happens that the devices need to be resetted while a telnet > > connection is estabilished. In this case, when the device "reboots" I > > have to wait many minutes to estabilish a telnet connection. > > > > Looking at the FW state logs, I see that every "regular" telnet > > connection is coming from the x port of the device where x is everytime > > the same. > > > > Every time the device reboots, the new connection, estabilished just > > waiting many minutes, comes from port x+1. On the FWStates log, I see > > that the old state is still active. > > > > If I delete the FW states table before rebooting the device, the new > > connection after reboot is estabilished immediately. > > Furthermore, if I connect the device directly on the LAN switch, > > (excluding PFSense filtering), I can reboot the device and have the new > > connection immediately. > > > > I have not been able to analyze the network traffic, but I suppose that > > the device tries everytime to estabilish the telnet connection form port > > x and this is happening > > > > 1. A connection is estabilished > > 2. PFSense keeps an active state DEV:x ==> SRV:23 > > 3. Devicereboot > > 4. Device tries to estabilish a new connection (Syn from DEV:x to SRV:23) > > 5. PFSense knows from it's states table that a connection DEV:x ==> > > SRV:23 is already estabilished and drops the new DEV:x ==> SRV:23 Syn > > packet 6. After some minutes the device reaches the time-out and tries a > > new connection from port x+1. This new connection works fine. > > > > I've being trying to solve the problem by configuring PFSense > > 1. inserting a new pass rule SRV:23 ==> DEV:(x...x+5) > > 2. not to keep (Firewall: Rules: Edit: State Type: (Advanced) None) the > > state for the "pass" rules > > DEV:(x...x+5) ==> SRV:23 > > SRV:23 ==> DEV:(x...x+5) > > > > It doesn't work, even after rebooting PFSense. Furthermore, I can see the > > the state in the States table. So I suppose that the advanced option > > "State type: none" doesn't work. > > > > I also tried to set a state timeout to 10 seconds. The same effect: I can > > see the connection state on the active state table for a long time. > > > > Any suggestion-info-idea? > > > > Thanks in advance to everybody > > > > Odette

Next Message by Date: click to view message preview

2-node pfSense cluster failover

I really really like what I see in http://pfsense.iserv.nl/tutorials/carp/carp-cluster-new.htm and I happen to have a former HA NFS system based on mini-ITX with two dead drives I would like to convert to a firewall. This would work with the embedded image, right? I've flashed a couple of CFDISK.1E (from PC Engines) with a 256 MByte CF, which does seem to boot, and talk on serial. Unfortunately I don't have access to these mini-ITX (VIA EPIA CL10000, that's a C3 chip) to test. But these should work, right? Unfortunately, these systems only have two NICs, and are in a Travla C147 case http://206.14.132.88/products/Travla/c147/C147.html so I'm not sure I can get more NICs in, even with a PCI riser. My prior HA setup (drbd/heartbeat) used a crossover over serial for signalling. No way to do that with pfsense, right? -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature

Previous Message by Thread: click to view message preview

Problem with FW states

Hi, I'm not able to find a solution to this problem: I've got some devices on the WAN net that need to open telnet connections to a telnet server on the LAN net. (OK, don't tell me anything about incoming telnet from WAN. At the moment I need to go on this way... ) LAN is bridged with WAN. I've set up the FW rules and everything works fine. But... It often happens that the devices need to be resetted while a telnet connection is estabilished. In this case, when the device "reboots" I have to wait many minutes to estabilish a telnet connection. Looking at the FW state logs, I see that every "regular" telnet connection is coming from the x port of the device where x is everytime the same. Every time the device reboots, the new connection, estabilished just waiting many minutes, comes from port x+1. On the FWStates log, I see that the old state is still active. If I delete the FW states table before rebooting the device, the new connection after reboot is estabilished immediately. Furthermore, if I connect the device directly on the LAN switch, (excluding PFSense filtering), I can reboot the device and have the new connection immediately. I have not been able to analyze the network traffic, but I suppose that the device tries everytime to estabilish the telnet connection form port x and this is happening 1. A connection is estabilished 2. PFSense keeps an active state DEV:x ==> SRV:23 3. Devicereboot 4. Device tries to estabilish a new connection (Syn from DEV:x to SRV:23) 5. PFSense knows from it's states table that a connection DEV:x ==> SRV:23 is already estabilished and drops the new DEV:x ==> SRV:23 Syn packet 6. After some minutes the device reaches the time-out and tries a new connection from port x+1. This new connection works fine. I've being trying to solve the problem by configuring PFSense 1. inserting a new pass rule SRV:23 ==> DEV:(x...x+5) 2. not to keep (Firewall: Rules: Edit: State Type: (Advanced) None) the state for the "pass" rules DEV:(x...x+5) ==> SRV:23 SRV:23 ==> DEV:(x...x+5) It doesn't work, even after rebooting PFSense. Furthermore, I can see the the state in the States table. So I suppose that the advanced option "State type: none" doesn't work. I also tried to set a state timeout to 10 seconds. The same effect: I can see the connection state on the active state table for a long time. Any suggestion-info-idea? Thanks in advance to everybody Odette

Next Message by Thread: click to view message preview

2-node pfSense cluster failover

I really really like what I see in http://pfsense.iserv.nl/tutorials/carp/carp-cluster-new.htm and I happen to have a former HA NFS system based on mini-ITX with two dead drives I would like to convert to a firewall. This would work with the embedded image, right? I've flashed a couple of CFDISK.1E (from PC Engines) with a 256 MByte CF, which does seem to boot, and talk on serial. Unfortunately I don't have access to these mini-ITX (VIA EPIA CL10000, that's a C3 chip) to test. But these should work, right? Unfortunately, these systems only have two NICs, and are in a Travla C147 case http://206.14.132.88/products/Travla/c147/C147.html so I'm not sure I can get more NICs in, even with a PCI riser. My prior HA setup (drbd/heartbeat) used a crossover over serial for signalling. No way to do that with pfsense, right? -- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org ______________________________________________________________ ICBM: 48.07100, 11.36820 http://www.ativel.com 8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE signature.asc Description: Digital signature