The firewall enters all currently permitted connections into the connection list. After a certain time (timeout) the entries automatically disappear from the connection list again, unless data is transmitted over the connection, which resets the timeout.
The general aging settings occasionally cause connections to be terminated before the requested data packets have been received by the remote site. In this case, there may still be an entry for a valid connection in the connection list even though the connection itself no longer exists.
The session-recovery parameter determines how the firewall treats packets that belong to such a former connection:
- Always denied: The firewall does not restore the session and drops the packet.
- Denied for default route: The firewall only restores the session if the packet was not received via the default route.
- Denied for WAN: The firewall only restores the session if the packet was not received over any of the WAN interfaces.
- Always allowed: The firewall always restores the connection if the packet belongs to a "former" connection from the connection list.
Important: Because the virtual router works by checking interface tags, routes other than the untagged default routes must also be treated as "default routes":
- When a packet is received at a WAN interface, the firewall considers the WAN interface to be a default route if either a tagged or an untagged default route refers to this WAN interface.
- If a packet is received at a LAN interface and is to be routed to a WAN interface, then this WAN interface is considered to be a default route if either the untagged default route or a default route tagged with the interface tag refers to this WAN interface.
Similarly, the default-router filters take effect even if the default route is in the LAN. In that case the filter takes effect when
- A packet was received over a tagged LAN interface and is to be sent over a default route tagged with the interface, or
- A packet from another router was received at a tagged LAN interface and there is a default route with the interface tag to the packet's source address, or
- A packet was received from the WAN and is to be sent to the LAN via a default route with any tag.
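The decision described above, from the four session-recovery values through the tagged default-route rules, as an added worked model (not LANCOM code and not the device's implementation). Only the policy values and the rules in the text come from the page; the route, interface and packet structures, the tagged-route lookup, the connection-list key and the timeout handling are assumptions made for the illustration, and the sample topology is constructed.

```python
"""Model of the session-recovery decision described above. Added example, not
LANCOM code: only the four policy values and the default-route rules come from
the text; the data structures, the tagged-route lookup, the connection-list key
and the timeout handling are assumptions made for this illustration."""
from collections import namedtuple
from enum import Enum
from ipaddress import ip_address, ip_network
from typing import Optional

TIMEOUT = 300.0  # assumed aging time (seconds) for connection-list entries

class SessionRecovery(Enum):
    ALWAYS_DENIED = "always denied"
    DENIED_FOR_DEFAULT_ROUTE = "denied for default route"
    DENIED_FOR_WAN = "denied for WAN"
    ALWAYS_ALLOWED = "always allowed"

Route = namedtuple("Route", "prefix interface tag", defaults=(0,))      # tag 0 = untagged; prefix 0.0.0.0/0 = default
Interface = namedtuple("Interface", "name is_wan tag", defaults=(0,))  # tag = interface tag checked by the virtual router
Packet = namedtuple("Packet", "src dst in_iface")

def is_default(r: Route) -> bool:
    return ip_network(r.prefix).prefixlen == 0

def lookup(addr, in_tag, routes, any_tag=False) -> Optional[Route]:
    """Assumed tagged-routing lookup: usable routes are untagged or carry the
    receiving interface's tag (any tag on request); longest prefix wins,
    tagged preferred on a tie."""
    a = ip_address(addr)
    cands = [r for r in routes
             if (any_tag or r.tag in (0, in_tag)) and a in ip_network(r.prefix)]
    return max(cands, default=None,
               key=lambda r: (ip_network(r.prefix).prefixlen, r.tag != 0))

def via_default_route(pkt, ifaces, routes) -> bool:
    """The page's rules for when a packet counts as received via the default
    route once tagged default routes are taken into account."""
    in_if = ifaces[pkt.in_iface]
    defaults = [r for r in routes if is_default(r)]
    if in_if.is_wan:
        # WAN ingress: a tagged or untagged default route refers to this WAN interface
        if any(r.interface == in_if.name for r in defaults):
            return True
        # default route in the LAN: WAN packet to be sent into the LAN via a
        # default route with any tag
        out = lookup(pkt.dst, in_if.tag, routes, any_tag=True)
        return out is not None and is_default(out) and not ifaces[out.interface].is_wan
    out = lookup(pkt.dst, in_if.tag, routes)
    if out is not None and ifaces[out.interface].is_wan:
        # LAN ingress routed to a WAN interface: the untagged default route or one
        # tagged with the interface tag refers to that WAN interface
        return any(r.interface == out.interface and r.tag in (0, in_if.tag)
                   for r in defaults)
    if in_if.tag == 0:
        return False
    # tagged LAN ingress to be sent over a default route carrying the interface tag
    if out is not None and is_default(out) and out.tag == in_if.tag:
        return True
    # packet from another router: the way back to its source is such a default route
    back = lookup(pkt.src, in_if.tag, routes)
    return back is not None and is_default(back) and back.tag == in_if.tag

def session_recovery(policy, pkt, ifaces, routes, conn_list, now) -> bool:
    """True when the packet passes on the strength of its connection-list entry
    (key src/dst, value expiry time); an expired entry is a 'former' connection."""
    key = (pkt.src, pkt.dst)
    if key not in conn_list:
        return False                    # no entry: ordinary rule processing applies
    if now < conn_list[key]:
        conn_list[key] = now + TIMEOUT  # live connection: traffic resets the timeout
        return True
    if policy is SessionRecovery.ALWAYS_DENIED:
        restore = False
    elif policy is SessionRecovery.ALWAYS_ALLOWED:
        restore = True
    elif policy is SessionRecovery.DENIED_FOR_WAN:
        restore = not ifaces[pkt.in_iface].is_wan
    else:  # DENIED_FOR_DEFAULT_ROUTE
        restore = not via_default_route(pkt, ifaces, routes)
    if restore:
        conn_list[key] = now + TIMEOUT  # restored session lives on
    return restore

# Constructed sample topology: untagged default via WAN-A, default tagged 2 via
# WAN-B, a LAN-side default router behind LAN-3 (tag 3), a specific route to WAN-B.
IFACES = {n: Interface(n, is_wan=n.startswith("WAN"), tag=t) for n, t in
          [("LAN-1", 0), ("LAN-2", 2), ("LAN-3", 3), ("WAN-A", 0), ("WAN-B", 0)]}
ROUTES = [Route("0.0.0.0/0", "WAN-A"), Route("0.0.0.0/0", "WAN-B", tag=2),
          Route("0.0.0.0/0", "LAN-3", tag=3), Route("10.0.0.0/8", "WAN-B"),
          Route("192.168.1.0/24", "LAN-1"), Route("192.168.2.0/24", "LAN-2", tag=2)]

def decide(policy: SessionRecovery, pkt: Packet) -> bool:
    """Evaluate one packet of a connection whose entry has already aged out."""
    conn_list = {(pkt.src, pkt.dst): 1000.0}
    return session_recovery(policy, pkt, IFACES, ROUTES, conn_list, now=2000.0)
```

The sample topology is chosen so that two packets taking the same specific route to WAN-B are judged differently under "Denied for default route": from the untagged LAN-1 only the untagged default route (via WAN-A) counts, so WAN-B is not a default route and the session is restored; from LAN-2 with tag 2 the tagged default route via WAN-B also counts, so the same packet is dropped. The LAN-3 case shows the "packet from another router" rule, where the route back to the packet's source is the tagged default route.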