Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
My last test in conservative optimization: if I upload files with 4 parallel connections, it drops each in less than 10 seconds. (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

Romain

-----Original Message-----
From: Romain Lapoux [mailto:romain.lap...@octopoos.com]
Sent: Sunday, February 07, 2016 19:08
To: 'pfSense Support and Discussion Mailing List'
Subject: RE: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

I tested conservative with same result. Which value do you think I must manually increase?

Romain

From: Espen Johansen [mailto:pfse...@gmail.com]
Sent: Sunday, February 07, 2016 18:35
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Sounds like it drops state, connection reset? Try to set optimization longer.

-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux wrote:

Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule to keep packets from the backend going out with the CARP WAN IP (no importance here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd & MySecureShell
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: , 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: Authorize my internal networks

The problem:
pfSense seems to drop connections between client and backend servers on all ports, mainly visible during transfer of many small files on SFTP or FTPS.
Enabling/disabling the only NAT rule does not matter; it is the same.
Only when I disable the firewall (Advanced, Firewall/NAT), we don't get dropped connections.

I already tried:
- all "Firewall Optimization Options" and some other advanced options.
- use/not use another LAN interface to go directly to the backend servers' network
- use/not use client IP transparency with pfSense set as gateway on backend servers
- Tested with default WAN address and CARP one

My background:
I have used pfSense for nearly a year (HA and not) and it works well.
I am not a network expert, but I have some good base knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,

Romain

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
I tested conservative with same result. Which value do you think I must manually increase?

Romain
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Sounds like it drops state, connection reset? Try to set optimization longer.

-lsf
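One way to test the "drops state" hypothesis raised in this reply, as an added example that is not part of the thread: snapshot `pfctl -si` before and after a failing transfer and see which state-related drop counters grew. Both snapshots below are constructed sample data, and the watch list and function names are assumptions.

```python
import re

# Constructed samples in the layout `pfctl -si` prints (all values invented).
BEFORE = """\
State Table                          Total             Rate
  current entries                      212
  searches                         1503311          417.6/s
  inserts                            20480            5.7/s
  removals                           20268            5.6/s
Counters
  match                              21977            6.1/s
  memory                                 0            0.0/s
  state-mismatch                        14            0.0/s
  state-limit                            0            0.0/s
"""
AFTER = """\
State Table                          Total             Rate
  current entries                      219
  searches                         1561904          418.2/s
  inserts                            20731            5.6/s
  removals                           20512            5.5/s
Counters
  match                              22240            6.0/s
  memory                                 0            0.0/s
  state-mismatch                       131            0.0/s
  state-limit                            0            0.0/s
"""

# Drop counters tied to state handling (assumed watch list for this check).
WATCH = ("state-mismatch", "state-limit", "memory")
# An indented row: a lowercase name, two or more spaces, then the running total.
ROW = re.compile(r"^[ \t]+([a-z][a-z -]*?)[ \t]{2,}(\d+)", re.M)

def parse_counters(text):
    """Map each indented 'name   total' row to its integer total."""
    return {name: int(total) for name, total in ROW.findall(text)}

def state_drop_deltas(before, after, watch=WATCH):
    """Return the watched counters that grew between two snapshots."""
    b, a = parse_counters(before), parse_counters(after)
    return {k: a[k] - b.get(k, 0) for k in watch if a.get(k, 0) > b.get(k, 0)}

if __name__ == "__main__":
    for name, grew in state_drop_deltas(BEFORE, AFTER).items():
        print(f"{name}: +{grew} during the test window")
```

A counter that rises only while the transfers are failing narrows the search to state tracking rather than the rule set or NAT.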
[pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule to keep packets from the backend going out with the CARP WAN IP (no importance here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd & MySecureShell
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: , 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: Authorize my internal networks

The problem:
pfSense seems to drop connections between client and backend servers on all ports, mainly visible during transfer of many small files on SFTP or FTPS.
Enabling/disabling the only NAT rule does not matter; it is the same.
Only when I disable the firewall (Advanced, Firewall/NAT), we don't get dropped connections.

I already tried:
- all "Firewall Optimization Options" and some other advanced options.
- use/not use another LAN interface to go directly to the backend servers' network
- use/not use client IP transparency with pfSense set as gateway on backend servers
- Tested with default WAN address and CARP one

My background:
I have used pfSense for nearly a year (HA and not) and it works well.
I am not a network expert, but I have some good base knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,

Romain