---
title: Stalled SSH connections
summary: >
  Obviously my pfSense removed valid connections. This is how I solved it.
  The thumbnail was created with Google AI (Imagen 3).
date: 2024-10-06T19:30:17+02:00
lastmod: 2025-01-12T16:24:13+0000
categories:
  - computerstuff
tags:
  - networking
  - pfSense
  - openssh
  - selfhost
---

I spent some time adjusting my SSH configuration because I often got stalled connections to my servers, but I never got that fixed until recently, when I started looking at the firewall settings on my pfSense. After changing the Firewall Optimization Options under System > Advanced > Firewall & NAT to Conservative I had no more of these hangs in my SSH sessions.

![pfSense settings](pfsense-netopt-settings.png)

I use the `ControlMaster` setting in my SSH configuration, so the stalled connections have to be killed with something like

```console
$ ssh -O exit {short hostname}
```

every time -- which is annoying.

{{< alert "triangle-exclamation" >}}
**Update on December 17 2024:** A few changes to the SSH configuration on client and server have been made.
{{< /alert >}}

It got better, but I still experience the occasional hang. I added/modified these entries within `Host *` in ~/.ssh/config on the client:

```apache
# send a keepalive probe after 100 s without data from the server
ServerAliveInterval 100
# with a count this high the client practically never declares the
# connection dead itself; the probes mainly keep firewall/NAT state fresh
ServerAliveCountMax 10000
```

and made these changes/additions in /etc/ssh/sshd_config on the server:

```apache
# server-side probes every 60 s of client inactivity
ClientAliveInterval 60
ClientAliveCountMax 10000
# TCP-level keepalives in addition to the SSH-level probes above
TCPKeepAlive yes
```

{{< alert "triangle-exclamation" >}}
**Update on January 5 2025:** Another change to the firewall setup in my home network.
{{< /alert >}}

I did not have this in mind, but I happened to see my firewall retrieving a blacklist from my server, and almost instantly my SSH session was unusable again. I have now reduced how often the firewall refreshes the blacklist and hope for the best!
![pfBlockerNG settings of blacklisted IPs](pfsense-pfblockerng-ipsettings.png "Image shows the settings screen of pfBlockerNG and the IPv4 feeds")

{{< alert "triangle-exclamation" >}}
**Update on January 12 2025:** _The final solution should be the removal of all IPv4 based blocks_
{{< /alert >}}

As the pfBlockerNG logs indicate, a job runs every hour that fetches and updates the block lists for IP- and DNS-based blocking (if necessary). Since the script kills all states to IP addresses in these lists, my guess was that I should remove these kinds of blacklists (the firewall blocks incoming traffic from unknown sources anyway). I'm not sure how my server's IP got there, but I think the script kills all states of any address listed in these lists, including those on whitelists.

```log
[ pfB_Top_v4 ] Removed 46 state(s) for [ 89.58.16.xxx ]
igb1 tcp 89.58.16.xxx:ssh <- 192.168.11.yyy:53226 ESTABLISHED:ESTABLISHED
igb0 tcp 192.168.31.zzz:25103 (192.168.11.yyy:53226) -> 89.58.16.xxx:ssh ESTABLISHED:ESTABLISHED
igb1 tcp 89.58.16.xxx:ssh <- 192.168.11.aaa:49270 TIME_WAIT:TIME_WAIT
igb0 tcp 192.168.31.zzz:36706 (192.168.11.aaa:49270) -> 89.58.16.xxx:ssh TIME_WAIT:TIME_WAIT
... and so on etc ...
```

Maybe it would have been enough to stop killing states, but as I already wanted to thin out these lists anyway... Otherwise these settings should suffice, theoretically:

![pfBlockerNG settings of IP settings](pfsense-ip-configutation.png)
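To find out which feed is tearing down sessions to your own hosts, the `Removed N state(s) for [ IP ]` lines above are enough to work with. The following is an added example, not code from the original post or from pfBlockerNG: it parses lines of that shape, sums the killed states per address and feed, and reports every monitored host that was hit. The sample log, the feed name `pfB_Spamhaus_v4`, the `MONITORED` host list and the RFC 5737 documentation addresses are all constructed for the example.

```python
"""Report pfBlockerNG state kills that hit hosts you care about.

Added example (not from the original post): parses 'Removed N state(s)'
lines of the shape shown in the post and flags monitored hosts. All
addresses, feed names and host names below are constructed.
"""
import re
from collections import defaultdict

# Shape of the pfBlockerNG log line seen in the post, e.g.
#   [ pfB_Top_v4 ] Removed 46 state(s) for [ 89.58.16.xxx ]
KILL_RE = re.compile(
    r"\[\s*(?P<feed>\S+)\s*\]\s+Removed\s+(?P<count>\d+)\s+state\(s\)"
    r"\s+for\s+\[\s*(?P<ip>[0-9a-fA-F.:]+)\s*\]"
)

# Constructed sample log (RFC 5737 documentation ranges, not real hosts).
# The per-state lines are kept so the parser is shown skipping them.
SAMPLE_LOG = """\
[ pfB_Top_v4 ] Removed 46 state(s) for [ 203.0.113.17 ]
igb1 tcp 203.0.113.17:ssh <- 192.168.11.20:53226 ESTABLISHED:ESTABLISHED
igb0 tcp 192.168.31.1:25103 (192.168.11.20:53226) -> 203.0.113.17:ssh ESTABLISHED:ESTABLISHED
[ pfB_Spamhaus_v4 ] Removed 2 state(s) for [ 198.51.100.9 ]
[ pfB_Top_v4 ] Removed 3 state(s) for [ 203.0.113.17 ]
"""

# Hypothetical: your own servers (or whitelist entries), keyed by name.
MONITORED = {"vps": "203.0.113.17", "backup": "198.51.100.200"}


def parse_state_kills(log_text):
    """Return [(feed, ip, count)] for every 'Removed N state(s)' line."""
    kills = []
    for line in log_text.splitlines():
        m = KILL_RE.search(line)
        if m:
            kills.append((m["feed"], m["ip"], int(m["count"])))
    return kills


def kills_by_ip(kills):
    """Aggregate killed state counts as {ip: {feed: total_count}}."""
    agg = defaultdict(lambda: defaultdict(int))
    for feed, ip, count in kills:
        agg[ip][feed] += count
    return {ip: dict(feeds) for ip, feeds in agg.items()}


def affected_monitored_hosts(log_text, monitored=MONITORED):
    """Map each monitored host that lost states to {feed: count}.

    A hit here means some feed lists the host's address (or a netblock
    containing it) and the hourly update killed your established sessions,
    which is exactly the SSH hang described in the post.
    """
    agg = kills_by_ip(parse_state_kills(log_text))
    return {name: agg[ip] for name, ip in monitored.items() if ip in agg}


if __name__ == "__main__":
    for name, feeds in affected_monitored_hosts(SAMPLE_LOG).items():
        for feed, n in feeds.items():
            print(f"{name} ({MONITORED[name]}): {n} state(s) removed by {feed}")
```

Run it against the pfBlockerNG log instead of `SAMPLE_LOG` and the feed named in the output is the one to check for your server's address or netblock; if the same host keeps appearing under one feed, that is the list to whitelist against or drop.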