I just setup Filezilla ftp server here on Win XP and it worked fine with any ftp client I threw at it. However the exact same (I think!) config on a remote site just got me a login, but no data connection. I could even make directories, but no LIST. Filezilla client did the same.

I then tried leap FTP client to connect to the remote Filezilla server and it works fine. ftp://ftp2.leapware.com/pub/lftp276.exe

I have no idea why Leap works and the others fail.

:-(

Moral of the story: its probably your ftp server config thats the problem, not the firewall.

resolved 1.0.1 update. thanks.

Sorry I didn't notice the reply until now, I had to set aside pfSense and temporarly use something else to get a IIS site up.

First, I'll try to keep in mind the 'order of operations'.

Second, I'm glad I was able to help find a bug.  I hope the fix made it to 1.0 stable.

I plan on testing 1.0 in the near future.

Thanks to all who replied.

It's (unfortunately) a bug. You won't have to reboot with version 1.0.1. This bug doesn't appear always and with all configurations which made it a bit hard to find but it's already fixed.

natreflection doesn't work for 1:1 nats. If this is only a mailserver and you only need few ports (25,110,…) turn off the 1:1 nat and use a combination of protforward and advanced outbound nat for this and enable nat reflection at system>advanced ( at the very bottom of the page). Other option is to set up split DNS like you suggested.

@bobvan:

On one hand, I like the UPNP approach because it should only open what's necessary when it's necessary.  On the other hand, it's a license for any rogue bit of malware on my network to open anything it wants.  (Thankfully, I seldom run Windows.)  If I get UPNP working, I should probably add firewall rules that allow only the XBOX to talk to miniupnpd.

This is a common misconception that doesn't stand up to analysis.

The fact is, if you have malware on your network, on a typical firewall it's fully capable of opening up any outbound connections it wants. UPnP does allow it to open up inbound ports too, but only in a limited way. Is there anything that can be done with a upnp inbound connection that couldn't, technically, be done through an outbound connection? No. In fact it's probably far easier and less likely to be detected (and certainly more reliable) for malware to create vulnerabilities through initiating outbound connections and local network sniffing.

The reality is in a lot of cases UPnP is a lot more secure than alternatives like static inbound mappings as the ports are only opened when required. They are also (if the upnp IGD is capable) loggable and monitorable.

Sure, you don't want UPnP on a typical corporate network, but there's certainly a big place for it on home networks and even SME networks.

Cheers,

Keith

@mickrussom:

Is there a way for the public to file bugs?

You can create bug tickets at http://cvstrac.pfsense.com/ but pleaso only file tickets when you are absolutely sure that you found a bug in the LATEST version or after you have been told by one of the devs to create a ticket. First discuss at forum or mailinglist to make sure the problem is not caused by misconfiguration or whatever.

Problem solved. Thanks

Make sure your dyndns update was successfull. Also are you talking about portforwards you created at WAN or to access directly to the pfSense? If you try to reach portforwards you need to enable nat reflection at system>advanced (very bottom of the page).

Do you see the traffic being blocked at status>system, firewall? Also what gateway do the clients at the bridged OPT1 use?

Yep, that fixed it, thanks :)

i have proxyARP virtual IPs. i couldn't configure basic port 22 forwarding from
ProxyArp ip into OPT1 interface.
i need 1:1 NAT anyway and it is working now including ping (ICMP).
How does it work? or it shouldn't work and I have to use CARP?

Use a split DNS setup.

ygm

Nevermind…. When I first tried this I didn't have pasv_address defined at all in the config. pftpx does translate it. I set pasv_address=10.10.1.15 the internal ip and it works great both internal and external.

Confusing as I swear it didn't work before.

So is your bogus bug report.

FYI, Enable filtering bridge is now checked, and rules added for the OPT1 interface. Everything seems to be working fine now… What a headache...

Yes, that was fixed.

i will try to get more information from them, maybe they can clear this up.

thanks for your help!