Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Romain Lapoux
My last test in conservative optimization: if I upload files with 4 parallel 
connections, it drops each in less than 10 seconds.
(And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

Romain

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold



Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Romain Lapoux
I tested conservative with the same result.
Which value do you think I must manually increase?

Romain



Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Espen Johansen
Sounds like it drops state, connection reset?

Try to set optimization longer.

-lsf



[pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Romain Lapoux
Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule, to keep packets from the backend going out with the CARP WAN IP
  (of no importance here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd & MySecureShell
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: , 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: Authorize my internal networks

The problem:
pfSense seems to drop connections between clients and backend servers on all
ports, mainly visible during transfer of many small files over SFTP or FTPS.
Enabling or disabling the only NAT rule does not matter; it is the same.
Only when I disable the firewall (Advanced, Firewall/NAT) do we not get dropped
connections.
I already tried:
- all "Firewall Optimization Options" and some other advanced options
- using or not using another LAN interface to go directly onto the backend servers' network
- using or not using client IP transparency with pfSense set as gateway on the backend
  servers
- testing with the default WAN address and the CARP one

My background:
I have used pfSense for nearly a year (HA and not) and it works well.
I am not a network expert, but I have some good basic knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,

Romain

