Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
On Wed, Feb 10, 2016 at 3:47 PM, Romain Lapoux wrote:
> I do not agree, because how do you explain that all works correctly when I
> disable only the firewall feature in pfSense?

Because stateful firewalls must see both directions of traffic. If you'd just fix your routing so reply traffic comes back in the same interface the request left, things would work fine with the firewall enabled. Given the Linux routing table earlier, you likely need to check "Bypass firewall rules for traffic on the same interface" under System > Advanced, Firewall/NAT. That may be enough, depending on whether routing in other portions of your network is correct to keep things symmetrical.

On Fri, Feb 12, 2016 at 6:11 PM, Romain Lapoux wrote:
> Hi,
>
> I did the same setup with OPNSense 16.1 + compiled HAProxy 1.6.3 using:
> /sbin/kldload ipfw
> ...

Good luck with that hot mess.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold
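To make the "both directions" point concrete, here is an added example (not from the thread, nor pfSense or HAProxy code) that replays the routing tables Romain posted and reports, for one client/server flow, whether pfSense sees both legs, only one leg, or a same-interface hairpin. It assumes 198.51.100.160/27 in place of the masked WAN /27, assumes the core router 10.124.199.254 reaches the rest of 10.124.0.0/16 directly, and uses 203.0.113.10 and 10.124.10.5 as constructed client addresses.

```python
import ipaddress

# Routing tables from the thread, transcribed for this example; 198.51.100.160/27 stands in for
# the masked ISP /27. Core router 10.124.199.254 is not described on the page and is assumed to
# reach all other 10.124.0.0/16 hosts directly. A next hop of None means directly connected.
TABLES = {
    "pfsense": [("0.0.0.0/0", "198.51.100.190", "vmx0"), ("10.124.0.0/16", "10.124.199.254", "vmx1"),
                ("10.124.192.0/21", None, "vmx1"), ("198.51.100.160/27", None, "vmx0")],
    "backend": [("0.0.0.0/0", "10.124.193.205", "eth0"), ("10.124.0.0/16", "10.124.199.254", "eth0"),
                ("10.124.192.0/21", None, "eth0"), ("10.224.0.0/16", None, "eth1")],
    "core": [("10.124.0.0/16", None, "lan"), ("0.0.0.0/0", "10.124.193.205", "lan")],  # assumed
    "internet": [("0.0.0.0/0", "198.51.100.166", "isp")],
}
OWNERS = {"10.124.193.205": "pfsense", "10.124.193.206": "pfsense", "198.51.100.165": "pfsense",
          "198.51.100.166": "pfsense", "10.124.192.1": "backend", "10.124.199.254": "core"}

def owner(ip):
    """Node that terminates ip (assumption: the rest of 10.124.0.0/16 sits behind core)."""
    inside = ipaddress.ip_address(ip) in ipaddress.ip_network("10.124.0.0/16")
    return OWNERS.get(ip, "core" if inside else "internet")

def lookup(node, dst, tables=TABLES):
    """Longest-prefix match on node's table; returns (next_hop, iface)."""
    hits = [(ipaddress.ip_network(p), nh, i) for p, nh, i in tables[node]
            if ipaddress.ip_address(dst) in ipaddress.ip_network(p)]
    _, nh, iface = max(hits, key=lambda h: h[0].prefixlen)
    return nh or dst, iface

def path(src_node, src_ip, dst, tables=TABLES):
    """Forward hop by hop toward dst; returns [(node, address arrived at), ...]."""
    hops = [(src_node, src_ip)]
    while hops[-1][0] != owner(dst) and len(hops) < 8:
        nh, _ = lookup(hops[-1][0], dst, tables)
        hops.append((owner(nh), nh))
    return hops

def firewall_view(hops, dst, tables=TABLES):
    """pfSense's (ingress, egress) for one leg, or None if unseen; ingress = iface toward previous hop."""
    for i, (node, _) in enumerate(hops):
        if node == "pfsense":
            ingress = lookup("pfsense", hops[i - 1][1], tables)[1] if i else None
            return ingress, lookup("pfsense", dst, tables)[1]
    return None

def check_flow(client_node, client_ip, server_ip, proxied=False, tables=TABLES):
    """Classify a client<->server flow as the stateful firewall experiences it. proxied=True models
    HAProxy on pfSense opening the backend connection with the client's address (transparent client IP)."""
    fwd = path("pfsense" if proxied else client_node, client_ip, server_ip, tables)
    rev = path(owner(server_ip), server_ip, client_ip, tables)
    views = [v for v in (firewall_view(fwd, server_ip, tables), firewall_view(rev, client_ip, tables)) if v]
    if not views:
        return "unfiltered"  # pfSense is on neither leg, so its state table is irrelevant
    if any(v[0] == v[1] for v in views):
        return "hairpin"     # a leg enters and leaves pfSense on the same interface
    return "symmetric" if len(views) == 2 else "asymmetric"  # one leg only: the state never completes
```

With these tables, check_flow("core", "10.124.10.5", "10.124.192.1", proxied=True) returns "asymmetric": the backend's 10.124.0.0/16 route sends the reply via 10.124.199.254, so pfSense never sees it. Dropping that route from the backend table turns the same flow into a "hairpin" on vmx1, the case the same-interface bypass option is meant for.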
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Hi,

I did the same setup with OPNSense 16.1 + compiled HAProxy 1.6.3 using:

/sbin/kldload ipfw
ipfw table 1 list
ipfw table 1 add 10.124.192.1/32
ipfw table 1 add 10.124.192.2/32
ipfw table 1 add 10.124.192.3/32
ipfw table 1 add 10.124.192.4/32
ipfw table 1 list
ipfw list
ipfw add 10 fwd localhost tcp from 'table(1)' 22 to any in recv vmx1
ipfw add 10 fwd localhost tcp from 'table(1)' 21 to any in recv vmx1
ipfw add 10 fwd localhost tcp from 'table(1)' 49000-49500 to any in recv vmx1
ipfw list

because HAProxy with transparent client IP is not integrated there. I did not get any disconnection; it works very well currently.

Romain

-----Original Message-----
From: List [mailto:list-boun...@lists.pfsense.org] On Behalf Of Steve Yates
Sent: Friday, February 12, 2016 16:27
To: pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Romain Lapoux wrote on Thu, Feb 11 2016 at 4:36 pm:
> I did some tests and it does not work

Since you're listing things, what are your firewall rules for traffic to/from the FTP server? If you create rules allowing all traffic to and from that IP address, do FTP connections work?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Romain Lapoux wrote on Thu, Feb 11 2016 at 4:36 pm:
> I did some tests and it does not work

Since you're listing things, what are your firewall rules for traffic to/from the FTP server? If you create rules allowing all traffic to and from that IP address, do FTP connections work?

--
Steve Yates
ITS, Inc.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
I did some tests and it does not work (removed all required interfaces).

Here is my network setup:

- pfSense:
  WAN: xx.xx.xx.166/27
  WAN CARP: xx.xx.xx.165/27
  LAN: 10.124.193.206/21
  LAN CARP: 10.124.193.205/21
  PRIVATE: 192.168.7.6/24
  GW_WAN (default): xx.xx.xx.190
  GW_LAN: 10.124.199.254
  Route: 10.124.0.0/16 => GW_LAN

  Routing tables:
  Destination        Gateway            Flags   Netif Expire
  default            xx.xx.xx.190       UGS     vmx0
  10.124.0.0/16      10.124.199.254     UGS     vmx1
  10.124.192.0/21    link#2             U       vmx1
  10.124.193.205     link#2             UHS     lo0
  10.124.193.206     link#2             UHS     lo0
  xx.xx.xx.160/27    link#1             U       vmx0
  xx.xx.xx.165       link#1             UHS     lo0
  xx.xx.xx.166       link#1             UHS     lo0
  127.0.0.1          link#6             UH      lo0

- Backend server:
  LAN: 10.124.192.1/21
  Default route: 10.124.193.205
  Route: 10.124.0.0/16 => 10.124.199.254
  LAN2 (storage access): 10.224.192.1/16

  Route print:
  Destination     Gateway          Genmask          Flags Metric Ref  Use Iface
  default         10.124.193.205   0.0.0.0          UG    0      0    0   eth0
  10.124.0.0      10.124.199.254   255.255.0.0      UG    0      0    0   eth0
  10.124.192.0    *                255.255.248.0    U     0      0    0   eth0
  10.224.0.0      *                255.255.0.0      U     0      0    0   eth1

Regards,

Romain

From: Espen Johansen [mailto:pfse...@gmail.com]
Sent: Wednesday, February 10, 2016 22:50
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Firewall disable = no state = asymmetric routing will not get return packets dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux wrote:

I do not agree, because how do you explain that all works correctly when I disable only the firewall feature in pfSense?

Romain

-----Original Message-----
From: Chris Buechler [mailto:c...@pfsense.com]
Sent: Wednesday, February 10, 2016 21:50
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> My last test in conservative optimization: if I upload files with 4 parallel
> connections, it drops each in less than 10 seconds.
> (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

More than likely because one or more of the hosts involved are dual homed and you have asymmetric routing.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Firewall disable = no state = asymmetric routing will not get return packets dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux wrote:
> I do not agree, because how do you explain that all works correctly when I
> disable only the firewall feature in pfSense?
>
> Romain
>
> -----Original Message-----
> From: Chris Buechler [mailto:c...@pfsense.com]
> Sent: Wednesday, February 10, 2016 21:50
> To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
> Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
>
> On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> > My last test in conservative optimization: if I upload files with 4 parallel
> > connections, it drops each in less than 10 seconds.
> > (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)
>
> More than likely because one or more of the hosts involved are dual homed and you have asymmetric routing.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
I do not agree, because how do you explain that all works correctly when I disable only the firewall feature in pfSense?

Romain

-----Original Message-----
From: Chris Buechler [mailto:c...@pfsense.com]
Sent: Wednesday, February 10, 2016 21:50
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> My last test in conservative optimization: if I upload files with 4 parallel
> connections, it drops each in less than 10 seconds.
> (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

More than likely because one or more of the hosts involved are dual homed and you have asymmetric routing.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> My last test in conservative optimization: if I upload files with 4 parallel
> connections, it drops each in less than 10 seconds.
> (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

More than likely because one or more of the hosts involved are dual homed and you have asymmetric routing.
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
My last test in conservative optimization: if I upload files with 4 parallel connections, it drops each in less than 10 seconds. (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

Romain

-----Original Message-----
From: Romain Lapoux [mailto:romain.lap...@octopoos.com]
Sent: Sunday, February 07, 2016 19:08
To: 'pfSense Support and Discussion Mailing List'
Subject: RE: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

I tested conservative with the same result. Which value do you think I must manually increase?

Romain

From: Espen Johansen [mailto:pfse...@gmail.com]
Sent: Sunday, February 07, 2016 18:35
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Sounds like it drops state, connection reset? Try to set optimization longer.
-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux wrote:
[...]
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
I tested conservative with the same result. Which value do you think I must manually increase?

Romain

From: Espen Johansen [mailto:pfse...@gmail.com]
Sent: Sunday, February 07, 2016 18:35
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

Sounds like it drops state, connection reset? Try to set optimization longer.
-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux wrote:
[...]
Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Sounds like it drops state, connection reset? Try to set optimization longer.
-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux wrote:
> [...]
[pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop
Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule, to make packets from the backend go out with the CARP WAN IP (no importance here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd & MySecureShell
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: , 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: authorize my internal networks

The problem:
pfSense seems to drop connections between client and backend servers on all ports, mainly visible during transfer of many small files on SFTP or FTPS.
The only NAT rule, enabled or disabled, does not matter; it is the same.
Only when I disable the firewall (Advanced, Firewall/NAT) do we not get dropped connections.

I already tried:
- all "Firewall Optimization Options" and some other advanced options.
- using/not using another LAN interface to go directly to the backend servers' network
- using/not using transparent client IP with pfSense set as gateway on the backend servers
- tested with the default WAN address and the CARP one

My background:
I have used pfSense for nearly a year (HA and not) and it works well.
I am not a network expert, but I have some good base knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,

Romain