  • Port forwarding to a PC under policy route (VPN) (1 post, 145 views, no replies)
  • multiple hosts under one alias does not work in nat rule (2 posts, 258 views)
    J

    Verified as bug in 2.4.4

    https://redmine.pfsense.org/issues/9296

  • NAT reflection not working (1 post, 261 views, no replies)
  • NAT rule limit (2 posts, 221 views)
    Derelict

    No. It does not.

  • pfSense no NAT subnet allocated by ISP (5 posts, 467 views)
    stephenw10

    The only package currently available is ClamAV, which is part of the Squid package. It can scan cached http(s) traffic.

    Steve

  • Failover Port Forwarding to another local IP (2 posts, 286 views)
    B

    I think I found a solution: load balancing. I will dig into this.

  • How to communicate with the router from LAN? (2 posts, 185 views)
    S

    I found the solution.
    Thanks

  • [Solved] Port Forwarding over IPsec Issue (4 posts, 2k views)
    jimp

    A policy routing rule on the LAN only works for connections created by that rule -- new connections leaving the LAN and exiting the firewall (in this case, via IPsec).

    The connections that didn't work are in the opposite direction -- permitted by the rule on the IPsec interface, NOT the rule on LAN. And putting a gateway on that rule would not be valid.

  • Proxy Cloud (1 post, 215 views, no replies)
  • Outbound NAT not being applied even though rules are there (15 posts, 554 views)
    junicast

    We use pfSense for another installation with Sony PlayStation clients. Those devices are really stubborn when it comes to port randomization; they just won't work with it. That's the reason why we made it the default, which doesn't seem to be a good standard.
    Cisco seems to be doing a mix of both with IOS. They use static ports as long as there's no conflict, and only if they detect one do they gamble on a different source port.

  • Problem with WAN in LAN (5 posts, 471 views)
    O

    I understand, and I have mitigated some problems like this by adding the IP 10.0.0.3 for the mail.domain.com domain to my hosts file. However, I have 10 VMs using the same service, and I have done the same on all 10 VMs. My question is why this happens. Why does pfSense behave that way? If everything worked fine I shouldn't have to do this; that is, there is a problem, because this is only a temporary solution. If everything worked fine I would not have to make any changes to my servers to add that data.

    Thanks @johnpoz

  • NAT, every other connect works (3 posts, 388 views)
    B

    So here's the resolution. Writing things down for my previous posts helped me to debug it.

    The answer was: create a new interface for the OpenVPN client to use and then update the NAT rules to use that new interface.

    So to set up a VPN for your subnet behind pfSense, you need to do these three things:

    1. Set up the OpenVPN client.
    2. Create a new interface for the OpenVPN client device.
    3. Create NAT rules for the new interface.

    Point 2 is not necessary if you have exactly one OpenVPN something (= client or server) on pfSense. But it would be good practice to always create a new interface, as it avoids errors later on.

  • Interface groups and aliases in NAT cause connection problems (1 post, 135 views, no replies)
  • FTP Server behind PFSENSE not directory listing (active/passive connections) (2 posts, 908 views)
    johnpoz

    @malbor said in FTP Server behind PFSENSE not directory listing (active/passive connections):

    nat over ports 20

    That's never going to be needed - there is never a scenario where you would port forward 20..

    Understanding how active/passive works is step 1
    https://slacksite.com/other/ftp.html

    Where are you testing from? You need to test from outside... Throwing NAT reflection into the mix, i.e. trying to hit your public IP to be forwarded back in from a client on your network, is going to be just more confusion for you.

    If you're doing active FTP from outside... The only thing required is a port forward for 21 (control channel).. Since now the server will make the connection to the client for the data channel.. So unless you're filtering outbound connections, the server would be able to talk to the client. Where you could run into issues with that is the client firewall not opening the inbound ports for the data connection from the server.

    In a passive connection to the server.. You need to make sure that the server actually sends your public IP, and not its RFC1918 local IP. You also need to make sure that the server uses a specific range of IPs for its passive ports, and you forward these on pfSense to the server, say 5000-6000 or something..

    Where you run into a problem with that from the client point of view is maybe those ports are not allowed outbound..

    So again.. Understanding how the protocol works, and what you're doing, active or passive, is step 1..

    Another issue you could run into is if the client is, say, the Windows cmd line ftp command; it can not do passive, only active. So even when you send the pasv command, it doesn't work.. Since the client is only capable of active.

    But there are batch scripts that require this type of connection.

    That gets me to think you're using the Windows ftp client, which can not do passive connections.. You know sftp/scp can be scripted as well.. And now you only need the 1 port..

    Have you read
    https://docs.netgate.com/pfsense/en/latest/nat/setup-ftp-server-behind-pfsense.html

  • Port forwarding to an Alias of IPs, but only one active at a time (4 posts, 477 views)
    johnpoz

    Nope, no magic there - I would assume it just takes the first IP it finds in the alias.

  • How to monitor specific port forwarded traffic (4 posts, 944 views)
    G

    What I ended up doing was using pftop, filtering on the dst port (which should be the internal port on the internal host), and looking for established connections.

  • Port forwarding FTP does not work (5 posts, 497 views)
    NogBadTheBad

    Also, do you have firewall rules on the WAN?

  • Providing NAT to a LAN behind the LAN interface (12 posts, 754 views)
    johnpoz

    So if a host, say on .131, wants to talk to 73.x, he hits pfSense as his gateway... Which pfSense sends to .130, but return traffic will just go straight to .131. So now you are asymmetrical.

    If 73.x is wanting to talk to, say, .131 on your /29, there is no need to send to pfSense, so pfSense never sees the SYN, and the SYN,ACK the .131 box would send back via pfSense would be out of state and pfSense would not allow the traffic, etc..

    You would have to be NATting on your downstream, or do host routing to prevent such things.. It's best to just use it as pure transit and not put any hosts on it..

  • [SOLVED] Public IPs - Ports Available? (8 posts, 712 views)
    G

    I suppose I could have called him Steve :)

    @akuma1x

    Gil

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.