How to set Service Ports connections timeout

Hi, I would like to set the NAT helper timeout (Service Ports) for the PPTP protocol. Is this possible? By default the time is 5 hours. Can I change this to another value?

PS: Connection tracking doesn't work for service ports to limit connection time. See below:

My service port configuration:

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes sip-timeout=1h
set pptp disabled=no
set udplite disabled=no
set dccp disabled=no
set sctp disabled=no

I saw that SIP has a timeout… can this be implemented for PPTP?

My connection tracking configuration:

/ip firewall connection tracking
set enabled=yes generic-timeout=5m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=5m tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-max-retrans-timeout=5m tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-time-wait-timeout=10s tcp-unacked-timeout=5m udp-stream-timeout=3m udp-timeout=10s

Connection print example:

Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat 

 #         PROTOCOL  SRC-ADDRESS          DST-ADDRESS          TCP-STATE    TIMEOUT
44  SACs   tcp       192.168.254.6:39202  171.39.218.49:5222   established  4m32s
45  SACs   tcp       192.168.254.2:59802  189.47.181.193:1723  established  4h59m59s
46  ESACs  gre       192.168.254.2        189.47.181.193                    4h59m59s
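
An added example (not part of the original post, and not MikroTik code): a Python check that parses connection print output like the above and lists the entries whose remaining timeout exceeds the configured connection tracking values. The sample rows and the 5m values are copied from the post; comparing TCP rows against tcp-established-timeout and all other protocols against generic-timeout is a simplifying assumption.

```python
import re

# Constructed sample: the three rows from the post's connection print output.
SAMPLE = """\
44 SACs  tcp 192.168.254.6:39202 171.39.218.49:5222  established 4m32s
45 SACs  tcp 192.168.254.2:59802 189.47.181.193:1723 established 4h59m59s
46 ESACs gre 192.168.254.2       189.47.181.193                  4h59m59s
"""

# Ceilings from the post's settings: tcp-established-timeout and generic-timeout.
# Mapping every non-TCP protocol to "generic" is an assumption of this example.
CONFIGURED = {"tcp": "5m", "generic": "5m"}

UNITS = {"w": 604800, "d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a RouterOS duration such as '4h59m59s' to seconds."""
    parts = re.findall(r"(\d+)([wdhms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"not a duration: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)

def parse_rows(output):
    """Yield one dict per row; the TCP-STATE column is absent on non-TCP rows."""
    for line in output.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].isdigit():
            continue  # header, flags legend or blank line
        yield {"id": int(fields[0]), "flags": fields[1], "protocol": fields[2],
               "src": fields[3], "dst": fields[4],
               "timeout": parse_duration(fields[-1])}

def over_ceiling(output, configured=CONFIGURED):
    """Return rows whose remaining timeout exceeds the configured ceiling."""
    hits = []
    for row in parse_rows(output):
        key = row["protocol"] if row["protocol"] in configured else "generic"
        if row["timeout"] > parse_duration(configured[key]):
            hits.append(row)
    return hits

if __name__ == "__main__":
    for row in over_ceiling(SAMPLE):
        print(row["id"], row["flags"], row["protocol"], row["dst"], f'{row["timeout"]}s')
```

On the sample this reports entries 45 and 46, the PPTP control connection and its GRE entry, both far above the 5m values set under connection tracking.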

UP.

To limit the time of a PPTP session? Go to PPP > Profiles, edit the default-encryption profile. Go to Limits > Session Timeout.

It doesn't work. Every time, I need to go to ip firewall service ports and disable and enable pptp for the GRE connection to finish. The default time is 5h. I don't like this.

Oh I see what you mean now.. I don’t think it’s possible at this time. You’d have to submit this as a feature request. Under connections > tracking is where GRE timeouts should go.

The session timeouts I mentioned in the previous post should disconnect the user and invalidate the connection.

What you see in Firewall > Connections is the timeout of the connection entry in the NAT table. You’ll see it jumps back to 5h each time a packet is received.

Because the PPTP session is invalidated after session timeout, the only concern of the 5h timeout would be if your NAT table is full. The size of this table is determined by the amount of RAM.

Thank you Van, I’ll ask for a feature request.