My last test with the conservative optimization: if I upload files with 4 parallel connections, it drops each one in less than 10 seconds. (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

Romain

-----Original Message-----
From: Romain Lapoux [mailto:romain.lap...@octopoos.com]
Sent: Sunday, February 07, 2016 19:08
To: 'pfSense Support and Discussion Mailing List' <list@lists.pfsense.org>
Subject: RE: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

I tested conservative with the same result. Which value do you think I must manually increase?

Romain

From: Espen Johansen [mailto:pfse...@gmail.com]
Sent: Sunday, February 07, 2016 18:35
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List <list@lists.pfsense.org>
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Sounds like it drops state, connection reset? Try to set optimization longer.

-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux <romain.lap...@octopoos.com> wrote:

Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule, to make packets from the backend go out with the CARP WAN IP (not important here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd & MySecureShell
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: 2222, 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: authorize my internal networks

The problem: pfSense seems to drop connections between clients and the backend servers on all ports, mainly visible during transfers of many small files over SFTP or FTPS. Whether the only NAT rule is enabled or disabled does not matter; it is the same. Only when I disable the firewall (Advanced, Firewall/NAT) do we not get dropped connections.

I already tried:
- all "Firewall Optimization Options" and some other advanced options
- using / not using another LAN interface to go directly to the backend servers' network
- using / not using transparent client IP, with pfSense set as gateway on the backend servers
- testing with the default WAN address and the CARP one

My background: I have been using pfSense for nearly a year (HA and not) and it works well. I am not a network expert, but I have some good basic knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,
Romain

_______________________________________________
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
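The thread turns on the "Firewall Optimization Options" and on which state timeout to raise by hand, so the check a practitioner would want is: which pf TCP state timeouts does each profile actually set, what is running on the box (`pfctl -s timeouts`), and could any of them expire a state within the observed drop interval of about 10 seconds. The script below is an added example, not code from the thread, from pfSense or from the poster's system. The profile values are the TCP hint tables built into pfctl as I know them and should be confirmed with `pfctl -s timeouts` on your own version after switching profiles; the `pfctl -s timeouts` output embedded in it is constructed for a box on the default profile.

```python
import re

# pf's built-in optimization profiles (pfSense's "Firewall Optimization
# Options"), TCP state timeouts in seconds. Assumed from pfctl's hint tables;
# confirm on your version with `pfctl -s timeouts` after switching profile.
PROFILES = {
    "normal":       {"tcp.first": 120,  "tcp.opening": 30,  "tcp.established": 86400,
                     "tcp.closing": 900,  "tcp.finwait": 45,  "tcp.closed": 90},
    "high-latency": {"tcp.first": 180,  "tcp.opening": 35,  "tcp.established": 86400,
                     "tcp.closing": 905,  "tcp.finwait": 65,  "tcp.closed": 95},
    "conservative": {"tcp.first": 3600, "tcp.opening": 900, "tcp.established": 432000,
                     "tcp.closing": 3600, "tcp.finwait": 600, "tcp.closed": 180},
    "aggressive":   {"tcp.first": 30,   "tcp.opening": 5,   "tcp.established": 300,
                     "tcp.closing": 60,   "tcp.finwait": 30,  "tcp.closed": 30},
}
# The six TCP state-expiry timeouts (tcp.tsdiff is a timestamp window, not an expiry).
STATE_TIMEOUTS = tuple(PROFILES["normal"])

# Constructed sample of `pfctl -s timeouts` output for a box on the default
# ("normal") profile. Not captured from the poster's system.
SAMPLE_PFCTL_ST = """\
tcp.first                   120s
tcp.opening                  30s
tcp.established           86400s
tcp.closing                 900s
tcp.finwait                  45s
tcp.closed                   90s
tcp.tsdiff                   30s
udp.first                    60s
udp.single                   30s
udp.multiple                 60s
icmp.first                   20s
icmp.error                   10s
other.first                  60s
other.single                 30s
other.multiple               60s
frag                         30s
interval                     10s
adaptive.start            60000 states
adaptive.end             120000 states
src.track                     0s
"""


def parse_timeouts(text):
    """Parse `pfctl -s timeouts` output into {name: seconds}; 'states' lines are skipped."""
    timeouts = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)s$", line.strip())
        if m:
            timeouts[m.group(1)] = int(m.group(2))
    return timeouts


def matching_profile(timeouts):
    """Name the profile whose six TCP timeouts equal the running ones, or None if customised."""
    for name, vals in PROFILES.items():
        if all(timeouts.get(k) == v for k, v in vals.items()):
            return name
    return None


def timeouts_shorter_than(timeouts, seconds):
    """TCP state timeouts that could expire an idle state within `seconds` of its last packet."""
    return {k: timeouts[k] for k in STATE_TIMEOUTS
            if k in timeouts and timeouts[k] <= seconds}


def explain(text, observed_drop_seconds):
    """Report the active profile and the timeouts (if any) short enough to explain the drop."""
    running = parse_timeouts(text)
    return {
        "profile": matching_profile(running) or "custom",
        "suspects": timeouts_shorter_than(running, observed_drop_seconds),
    }


if __name__ == "__main__":
    print(explain(SAMPLE_PFCTL_ST, 10))
    # Adaptive scaling aside, only the aggressive profile has a TCP state
    # timeout at or below 10 s (tcp.opening); the others have none.
    for name, vals in PROFILES.items():
        print(name, timeouts_shorter_than(vals, 10))
```

Run it with the real output piped in (`pfctl -s timeouts | python3 script.py` after replacing the sample with `sys.stdin.read()`); an empty `suspects` dict for the profile in use means the drop interval reported in the thread is shorter than any state timeout that profile would apply, so raising timeouts further is not where to look, and the state table (`pfctl -ss`) for the client and backend addresses at the moment of the drop is the next thing to capture.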