OPNsense Forum

Archive => 24.1, 24.4 Legacy Series => Topic started by: Mwason on April 12, 2024, 01:56:46 PM

Title: Connection time-out 900s - State violation rule
Post by: Mwason on April 12, 2024, 01:56:46 PM
Hello,

I have a setup with multiple VLANs.
They can all connect to the 'main' VLAN by a floating rule.

Connections can be made, but after 900s (with the firewall optimization mode set to conservative; in normal mode much earlier!) the connections time out and are blocked by the 'Default deny/state violation rule'.
But they are rebuilt directly afterwards, accepted by the 'floating rule'.
(see attachment)

How can I prevent the connection from timing out and/or being blocked?

Looking forward to your suggestions...

Mwason
Title: Re: Connection time-out 900s - State violation rule
Post by: Patrick M. Hausen on April 12, 2024, 02:05:11 PM
What type of connections? Can you enable some sort of keepalive? E.g. in SSH?
Title: Re: Connection time-out 900s - State violation rule
Post by: Mwason on April 12, 2024, 03:51:36 PM
Via TCP they connect to an address at port 30300.
There is only occasional traffic, but the connection should stay open...
Title: Re: Connection time-out 900s - State violation rule
Post by: Patrick M. Hausen on April 12, 2024, 04:28:27 PM
OPNsense will time out any connection if there is no packet flow. Either implement keepalive on the application side or disable state tracking for these rules. IIRC that means you need a reverse rule for the packets to flow in both directions. Never needed this so far.
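The application-side keepalive suggested above, as an added example that is not part of the thread: a Python client enables TCP keepalive on its socket and sizes the probe timing so that the first probe and all retries fit inside the firewall's idle timeout (the 900s from the original post is used as a constructed input; the function names and the 50% safety margin are my own choices).

```python
import socket

# Constructed value: the pf state idle timeout seen in the thread
# (900 s in conservative mode; shorter in normal mode).
FIREWALL_IDLE_TIMEOUT_S = 900


def keepalive_params(idle_timeout_s, probes=3, safety=0.5):
    """Return (idle, interval, count) for TCP keepalive such that the
    first probe goes out at `safety` x the firewall timeout and all
    `probes` retries still complete before the state would expire."""
    if idle_timeout_s <= 0:
        raise ValueError("idle timeout must be positive")
    idle = max(1, int(idle_timeout_s * safety))
    # Spread the remaining budget over the retries, leaving one spare slot.
    interval = max(1, (idle_timeout_s - idle) // (probes + 1))
    return idle, interval, probes


def enable_tcp_keepalive(sock, idle_timeout_s=FIREWALL_IDLE_TIMEOUT_S):
    """Turn on keepalive on an open TCP socket and apply the computed
    timing.  Returns the per-option values actually read back."""
    idle, interval, count = keepalive_params(idle_timeout_s)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_KEEPALIVE, 1)
    # TCP_KEEPIDLE/TCP_KEEPINTVL/TCP_KEEPCNT are the Linux names; macOS
    # exposes the idle time as TCP_KEEPALIVE instead, so resolve the
    # names at runtime and skip any the platform does not provide.
    wanted = {
        "TCP_KEEPIDLE": idle,
        "TCP_KEEPALIVE": idle,
        "TCP_KEEPINTVL": interval,
        "TCP_KEEPCNT": count,
    }
    applied = {}
    for name, value in wanted.items():
        opt = getattr(socket, name, None)
        if opt is not None:
            sock.setsockopt(socket.IPPROTO_TCP, opt, value)
            applied[name] = sock.getsockopt(socket.IPPROTO_TCP, opt)
    return applied


if __name__ == "__main__":
    # Demonstration on an unconnected socket; in a real client call
    # enable_tcp_keepalive() right after connect() to the port 30300 service.
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        print(enable_tcp_keepalive(s))
```

With the 900s timeout this sends the first probe after 450s and retries every 112s, so the last retry lands at 786s, still inside the state lifetime; the same function yields tighter values for the shorter normal-mode timeout.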