Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-12 Thread Steve Yates
Romain Lapoux wrote on Thu, Feb 11 2016 at 4:36 pm:

> I did some tests and it does not work

Since you're listing things, what are your firewall rules for traffic 
to/from the FTP server?

If you create rules allowing all traffic to and from that IP address, 
do FTP connections work?

--

Steve Yates
ITS, Inc.

___
pfSense mailing list
https://lists.pfsense.org/mailman/listinfo/list
Support the project with Gold! https://pfsense.org/gold


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-12 Thread Romain Lapoux
Hi,

I did the same setup with OPNSense 16.1 + Compiled HAProxy 1.6.3 using:
/sbin/kldload ipfw
ipfw table 1 list
ipfw table 1 add 10.124.192.1/32
ipfw table 1 add 10.124.192.2/32
ipfw table 1 add 10.124.192.3/32
ipfw table 1 add 10.124.192.4/32
ipfw table 1 list
ipfw list
ipfw add 10 fwd localhost tcp from 'table(1)' 22 to any in recv vmx1
ipfw add 10 fwd localhost tcp from 'table(1)' 21 to any in recv vmx1
ipfw add 10 fwd localhost tcp from 'table(1)' 49000-49500 to any in recv vmx1
ipfw list
Because HAProxy & transparent client IP is not integrated.

I did not get any disconnection.

It works very well currently.

Romain




Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-12 Thread Chris Buechler
On Wed, Feb 10, 2016 at 3:47 PM, Romain Lapoux wrote:
> I do not agree, because how do you explain that everything works correctly when I
> disable only the firewall feature in pfSense?
>

Because stateful firewalls must see both directions of traffic. If
you'd just fix your routing so reply traffic comes back in the same
interface the request left, things would work fine with the firewall
enabled. Given the Linux routing table earlier, you likely need to
check "Bypass firewall rules for traffic on the same interface" under
System>Advanced, Firewall/NAT. That may be enough, depending on
whether routing in other portions of your network is correct to keep
things symmetrical.


On Fri, Feb 12, 2016 at 6:11 PM, Romain Lapoux wrote:
> Hi,
>
> I did the same setup with OPNSense 16.1 + Compiled HAProxy 1.6.3 using:
> /sbin/kldload ipfw
...

Good luck with that hot mess.
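The mechanism Chris describes above (a stateful firewall must see both directions of a flow, and the "bypass firewall rules for traffic on the same interface" option is the escape hatch when routing cannot be made symmetric) as a toy model. This is an added example, not code from pfSense, pf or anyone in this thread: the state names, the half-open timeout and the interface names are assumptions, and pf's real state machine additionally tracks TCP sequence windows. The client address is constructed; the backend address and interface names are taken from Romain's setup.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # "S" = SYN, "SA" = SYN-ACK, "A" = ACK, "PA" = data
    in_iface: str   # interface the firewall receives the packet on
    out_iface: str  # interface its routing decision would send it out of


@dataclass
class State:
    phase: str      # "HALF_OPEN" until the reply direction is seen, then "ESTABLISHED"
    last_seen: float


class StatefulFirewall:
    # Assumed timeouts for this toy model; pf's real values differ.
    HALF_OPEN_TIMEOUT = 30.0
    ESTABLISHED_TIMEOUT = 3600.0

    def __init__(self, allowed_dports, bypass_same_interface=False):
        self.allowed_dports = set(allowed_dports)
        self.bypass_same_interface = bypass_same_interface
        self.states = {}

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport)

    def _expire(self, now):
        # A state that never saw the reply direction is purged much sooner than a
        # fully established one; this is what turns one-way visibility into drops.
        for key, st in list(self.states.items()):
            limit = self.HALF_OPEN_TIMEOUT if st.phase == "HALF_OPEN" else self.ESTABLISHED_TIMEOUT
            if now - st.last_seen > limit:
                del self.states[key]

    def process(self, p, now):
        self._expire(now)
        if self.bypass_same_interface and p.in_iface == p.out_iface:
            return "PASS"                      # routed back out the same interface: no state check
        key, rkey = self._key(p), self._reverse_key(p)
        if key in self.states:                 # same direction as the state creator
            self.states[key].last_seen = now
            return "PASS"
        if rkey in self.states:                # reply direction
            st = self.states[rkey]
            st.last_seen = now
            if st.phase == "HALF_OPEN" and p.flags == "SA":
                st.phase = "ESTABLISHED"
            return "PASS"
        if p.flags == "S" and p.dport in self.allowed_dports:
            self.states[key] = State("HALF_OPEN", now)   # new flow matching a rule
            return "PASS"
        return "DROP"                          # mid-stream packet with no state


CLIENT, SERVER = "198.51.100.10", "10.124.192.1"   # client constructed; backend from the thread


def _c2s(flags):
    return Packet(CLIENT, 40000, SERVER, 22, flags, "vmx0", "vmx1")


def _s2c(flags):
    return Packet(SERVER, 22, CLIENT, 40000, flags, "vmx1", "vmx0")


def symmetric_flow():
    """Both directions cross the firewall: every packet passes, even minutes later."""
    fw = StatefulFirewall(allowed_dports={22})
    timeline = [(0, _c2s("S")), (1, _s2c("SA")), (2, _c2s("A")),
                (120, _c2s("PA")), (121, _s2c("PA"))]
    return [fw.process(p, t) for t, p in timeline]


def asymmetric_flow():
    """The server's replies leave via another gateway, so the firewall never sees them.
    The flow works at first, then the half-open state expires and later data is
    dropped; the server side keeps its socket ESTABLISHED because nothing tells it."""
    fw = StatefulFirewall(allowed_dports={22})
    timeline = [(0, _c2s("S")), (2, _c2s("A")), (120, _c2s("PA"))]
    return [fw.process(p, t) for t, p in timeline]


def same_interface_flow(bypass):
    """Traffic that enters and leaves on the LAN interface, with no matching state."""
    fw = StatefulFirewall(allowed_dports={22}, bypass_same_interface=bypass)
    p = Packet("10.124.192.2", 50000, "10.124.199.10", 22, "PA", "vmx1", "vmx1")
    return fw.process(p, 0)


if __name__ == "__main__":
    print("symmetric :", symmetric_flow())
    print("asymmetric:", asymmetric_flow())
    print("same iface:", same_interface_flow(False), "->", same_interface_flow(True))
```

The asymmetric scenario reproduces the symptom pattern from the thread (transfers start, then stall after a short while, sockets left ESTABLISHED on the backend) without any rule being wrong; the fix is either to make the return path cross the firewall again or, for same-interface traffic, to enable the bypass option.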


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-11 Thread Romain Lapoux
I did some tests and it does not work (removed all required interfaces).

Here is my network setup:
- pfSense:
  WAN: xx.xx.xx.166/27
  WAN CARP: xx.xx.xx.165/27
  LAN: 10.124.193.206/21
  LAN CARP: 10.124.193.205/21
  PRIVATE: 192.168.7.6/24
  GW_WAN (default): xx.xx.xx.190
  GW_LAN: 10.124.199.254
  Route: 10.124.0.0/16 => GW_LAN

Routing tables:
Destination        Gateway            Flags   Netif  Expire
default            xx.xx.xx.190       UGS     vmx0
10.124.0.0/16      10.124.199.254     UGS     vmx1
10.124.192.0/21    link#2             U       vmx1
10.124.193.205     link#2             UHS     lo0
10.124.193.206     link#2             UHS     lo0
xx.xx.xx.160/27    link#1             U       vmx0
xx.xx.xx.165       link#1             UHS     lo0
xx.xx.xx.166       link#1             UHS     lo0
127.0.0.1          link#6             UH      lo0

- Backend server:
  LAN: 10.124.192.1/21
  Default route: 10.124.193.205
  Route: 10.124.0.0/16 => 10.124.199.254
  LAN2 (storage access): 10.224.192.1/16

Route print:
Destination     Gateway          Genmask          Flags  Metric  Ref  Use  Iface
default         10.124.193.205   0.0.0.0          UG     0       0    0    eth0
10.124.0.0      10.124.199.254   255.255.0.0      UG     0       0    0    eth0
10.124.192.0    *                255.255.248.0    U      0       0    0    eth0
10.224.0.0      *                255.255.0.0      U      0       0    0    eth1

Regards,

Romain

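A route-lookup check over the two routing tables Romain posted, added here as an example (not code from the thread or from pfSense). It does longest-prefix matching on the backend's table to ask, for a given client address, whether the backend's reply actually goes back through pfSense, and on pfSense's table to tell whether that reply would leave on the same interface it arrived on (the case the "Bypass firewall rules for traffic on the same interface" option covers). Client addresses are constructed; the WAN gateway is masked in the thread and is kept as that placeholder string, and the masked WAN prefix is left out because it cannot be parsed.

```python
import ipaddress

# Addresses pfSense itself answers on for the LAN side (from Romain's setup).
PFSENSE_LAN_ADDRS = {"10.124.193.205", "10.124.193.206"}

# Backend server routing table as posted ("*" in "route print" = directly connected).
# Tuples are (prefix, next hop or None when on-link, interface).
BACKEND_ROUTES = [
    ("0.0.0.0/0",       "10.124.193.205", "eth0"),
    ("10.124.0.0/16",   "10.124.199.254", "eth0"),
    ("10.124.192.0/21", None,             "eth0"),
    ("10.224.0.0/16",   None,             "eth1"),
]

# pfSense routing table as posted. "xx.xx.xx.190" is the thread's own masked
# placeholder for the WAN gateway; the masked WAN prefix is omitted.
PFSENSE_ROUTES = [
    ("0.0.0.0/0",       "xx.xx.xx.190",   "vmx0"),
    ("10.124.0.0/16",   "10.124.199.254", "vmx1"),
    ("10.124.192.0/21", None,             "vmx1"),
]


def lookup(routes, dst):
    """Longest-prefix match. Returns (next_hop, iface); next_hop is None when on-link."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, gw, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw, iface)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1], best[2]


def reply_returns_via_pfsense(client_ip):
    """Does the backend's reply to client_ip travel back through pfSense?"""
    gw, _ = lookup(BACKEND_ROUTES, client_ip)
    if gw is None:
        # On-link delivery reaches pfSense only if the client *is* pfSense itself
        # (the non-transparent HAProxy case, where connections come from its LAN IP).
        return client_ip in PFSENSE_LAN_ADDRS
    return gw in PFSENSE_LAN_ADDRS


def diagnose(client_ip):
    """Summarise forward and return path for one client address."""
    _, egress = lookup(PFSENSE_ROUTES, client_ip)
    return {
        "reply_via_pfsense": reply_returns_via_pfsense(client_ip),
        "pfsense_egress": egress,
        # A backend packet to this client enters pfSense on vmx1 (the LAN); if it
        # would also leave on vmx1, the same-interface bypass option applies to it.
        "same_interface": egress == "vmx1",
    }


if __name__ == "__main__":
    # Constructed sample clients: a public address, an internal host outside the /21,
    # and pfSense's own LAN CARP address (non-transparent HAProxy case).
    for ip in ("198.51.100.10", "10.124.50.7", "10.124.193.205"):
        print(ip, diagnose(ip))
```

With these tables, a client in 10.124.0.0/16 but outside 10.124.192.0/21 gets its replies sent to 10.124.199.254 rather than to pfSense, while pfSense would forward the same packet back out vmx1: that is a one-way flow from the firewall's point of view, which is the situation Chris's reply points at.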


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-10 Thread Chris Buechler
On Sun, Feb 7, 2016 at 12:24 PM, Romain Lapoux wrote:
> My last test, in conservative optimization: if I upload files with 4 parallel
> connections, it drops each in less than 10 seconds.
> (And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)
>

More than likely because one or more of the hosts involved are dual
homed and you have asymmetric routing.


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-10 Thread Espen Johansen
Firewall disable = no state = asymmetric routing will not get return
packets dropped. Are your servers multihomed?

On Wed, Feb 10, 2016, 22:48 Romain Lapoux <romain.lap...@octopoos.com> wrote:

> I do not agree, because how do you explain that everything works correctly when I
> disable only the firewall feature in pfSense?


Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-10 Thread Romain Lapoux
I do not agree, because how do you explain that everything works correctly when I
disable only the firewall feature in pfSense?

Romain



Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Romain Lapoux
My last test, in conservative optimization: if I upload files with 4 parallel
connections, it drops each in less than 10 seconds.
(And it doesn't free them on the backend server; they stay ESTABLISHED in netstat.)

Romain



Re: [pfSense] Bug? Firewall disable no random connection drop, firewall enable random connection drop

2016-02-07 Thread Romain Lapoux
I tested conservative with the same result.
Which value do you think I must manually increase?

Romain

From: Espen Johansen [mailto:pfse...@gmail.com] 
Sent: Sunday, February 07, 2016 18:35
To: romain.lap...@octopoos.com; pfSense Support and Discussion Mailing List 
<list@lists.pfsense.org>
Subject: Re: [pfSense] Bug? Firewall disable no random connection drop, 
firewall enable random connection drop

Sounds like it drops state, connection reset?
Try to set optimization longer.
-lsf

On Sun, Feb 7, 2016, 18:20 Romain Lapoux <romain.lap...@octopoos.com> wrote:
Hi,

It's my first post here.

Context:
- pfSense in HA (CARP)
- HAProxy used in pfSense for:
  - SFTP: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - FTPS: tcp, clitcpka, srvtcpka, balance=source, stick tables on source ipv4
  - HTTP
  - HTTPS (SSL offloading, ALPN, h2)
- Only one NAT rule, to keep packets from the backend going out with the CARP WAN IP
  (no importance here)
- 2x Ubuntu 14.04 in backend:
  - FTP over SSH with SSHd
  - FTPS with Proftpd
  - HTTP/HTTPS: Apache 2.4.18
- Firewall rules: the minimum to get this setup working:
  - WAN: , 21, 49000-49500 (FTP PASV), 80, 443
  - LAN: authorize my internal networks

The problem:
pfSense seems to drop connections between the client and backend servers on all
ports, mainly visible during transfer of many small files over SFTP or FTPS.
Whether the only NAT rule is enabled or disabled does not matter; it is the same.
Only when I disable the firewall (Advanced, Firewall/NAT) do we not get dropped
connections.
I already tried:
- all "Firewall Optimization Options" and some other advanced options.
- using/not using another LAN interface to go directly to the backend servers' network
- using/not using transparent client IP with pfSense set as gateway on the backend
  servers
- Tested with the default WAN address and the CARP one

My background:
I have used pfSense for nearly a year (HA and not) and it works well.
I am not a network expert, but I have some good base knowledge.

Sorry, I am French; I hope it is clear enough.

Regards,

Romain

