NethServer Version: 7.5 1804 Final Module: Webtop, Rspamd, Dokuwiki, Nextcloud and Mattermost
Hi@all,
I have the following problem:
My Nethserver starts automatically every morning at 07:00. Always shortly after the start the internet connection breaks completely. In the log of the firewall I see the message “Maximum sessions per host (2000) was exceeded ACCESS BLOCK” After a restart of the gateway, the Internet is back, but is interrupted again and again in the course of the day. If the Nethserver is off, the Internet will work without a problem.
i use a Zyxel UTM Firewall and the mistake in the link is not unknown for me. But this is not my problem.
I’ve set the session limit value to 0 (unlimited). The output of netstat -at shows nothing special
Could you tell us a bit more about your network setup?
Maybe issue could be nethserver, but also… could be the UTM/Gateway too.
2.000 NAT sessions are enough for home setup, with an internet connection of 10mbits.
Anyway, the “solution” could be reversing issues to NethServer and not to USG.
Do not allow more than 1500 connections par host, this will slow the network operativity for NethServer but will lower the chances to stuck the internet connection.
Otherwise, you can update your gateway with a new device or a “firewall only” Nethserver setup.
here comes the internet via cable from Unitymedia. Of those I have a FritzBox as a gateway. Behind the gateway comes the Zywall USG Firewall and then a managed Netgear Switch GS 108 T. If the Nethserver is off, there are no problems. But it starts every morning at 07:45 clock and then the problem begins with the interrupted Internet connection. I’ve already reset the USG and reconfigured. The problem remains. Here is a picture from the log of the USG.
The Nethserver tries to connect to the whole world, which is blocked by the USG. Virus scan shows no useful results. The Nethserver works in the DMZ of the USG.
i think i found the mistake. I have completely reinstalled the Nethserver. After installing nethserver-mail2-server the problem starts with the failure of the internet connection. After every start of Nethserver the log of the firewall is full of blocked connection attempts, as you can see in the picture above. What can i do to solve the problem?
Mail2 should download some blacklists, contact different hosts for update (DNS servers, MX Records, SPF, etc etc).
I’m quite… confused…
I installed a 7.3 (still not updated) mailserver into a office with a Zywall 2 Plus firewall as network gateway, Windows as DNS server. Often Zywall2 was “stuck” into too many NAT connections, but was not able to stuck the internet connections of the whole office; this appliance has a 3000 nat session limit and a session limiter par host; it was configured to 2500 hosts. Internet connection was a DSL 14/1mbps
I own an old USG20W (not “VPN” version) appliance, updated to latest firmware published by Zyxel HQ.
The session limiter has a maximum setup of 8192
with the capability to setup rules for few hosts (for instance 512 as general rule but 2.048 for 4-5 hosts)
If mailserver is a public mail server should be 24/7 available. If power consumption is quite too heavy, maybe you can find a bit more power efficient server (old corporate desktops have remarkably efficients PSU with capability of a couple of SATA disks)
Yes, i have access from LAN1 to the Nethserver in DMZ.
Two days ago, I installed Nethserver as a virtual machine on a Hyper-V 2008 R2. As an application only WebTop and RspamD run on it. The problem remains. Immediately after the installation of RspamD the application telephones with IP addresses all over the world and the internet here is off. This can not be due to theUSG firewall. It’s the same with a Cisco ASA 5505.
My provider tells me there are no problems on his side. On 30.09.2018 I reinstalled NS. With all applications as mentioned above but without RspamD. And since then I love my NS again, because he works without problems and without interruption of the Internet connection. I do not necessarily need RspamD because I have the anti-spam application running on the USG. However, RspamD convinced me more.
