Author Topic: Connection time-out 900s - State violatie rule (Read 566 times)

Mwason · « **on:** April 12, 2024, 01:56:46 pm »

Hello,

I have a setup with multiple VLAN's.
They all can connect to the 'main'vlan by a floating rule.

Connections can be made but after 900s (since Firewall mode conservative active, in normal-mode much earlier!) the connections time-out and are blocked by 'Default deny/state violation rule'.
But are rebuild directly after accepted by the 'floating rule'.
(see attachment)

How can I prevent the connection to time-out and/or being blocked.

Looking forward at your suggestions...

Mwason

Patrick M. Hausen · « **Reply #1 on:** April 12, 2024, 02:05:11 pm »

What type of connections? Can you enable some sort of keepalive? E.g. in SSH?

Mwason · « **Reply #2 on:** April 12, 2024, 03:51:36 pm »

Via TCP they connect to a adress at port 30300.
There is only temporarely traffic but the connection should stay open...

Patrick M. Hausen · « **Reply #3 on:** April 12, 2024, 04:28:27 pm »

OPNsense will timeout any connection if there is no packet flow. Either implement keepalive on the application side or disable state tracking for these rules. IIRC that means you need a reverse rule for the packets to flow in both directions. Never needed this so far.

Author Topic: Connection time-out 900s - State violatie rule (Read 566 times)

Mwason

Connection time-out 900s - State violatie rule

Patrick M. Hausen

Re: Connection time-out 900s - State violatie rule

Mwason

Re: Connection time-out 900s - State violatie rule

Patrick M. Hausen

Re: Connection time-out 900s - State violatie rule