Slightly Confused–> Outbound FTP via VIP

ScottC · Mar 28, 2007, 3:55 AM

Well…this is an interesting problem (from my humble position, anyways).

I have a dual-FW with CARP running on both LAN and WAN sides.

Everything seems to be working great with one small exception.

An FTP client on the LAN side can't make a proper connection to a remote server on the WAN side.

Turning off the Userland FTP Proxy let's the user make a connection, but a command-line ftp client fails at transferring anything.

IE (yikes!) will actually transfer files back and forth fine over this connection. I know part of the problem is that the remote firewall (not under my control) will only allow connections from the VIP, not from the real IP on either firewall.

Telnet works fine, so I know outbound NAT is actually working ok...so it's SOMETHING specific to FTP.

Yes, I absolutely feel like an idiot on this one. :-[

Thanks for any help!
Scott

sullrich · Mar 28, 2007, 3:59 AM

This is a FAQ.

ScottC · Mar 28, 2007, 1:37 PM

I'm not quite sure which FAQ you're pointing me to. I tried doing a search in faq.pfsense.com, but I don't get any hits on CARP, translation, outbound or any of a few other keywords.

When I have a single firewall, it works like a champ, it's only in a dual-firewall config that I'm having the problem.

The only faq I find that i thought you might have been referring to was the one about ensuring a rule was in place to allow port 21 to the loopback. When I had the helper enabled, the rule was still there allowing LAN anywhere, or do I need to add a specific rule for some reason? Sorry about being an idiot, but I think I have a mental block on this.

Thanks for any input!
Scott

sullrich · Mar 28, 2007, 6:33 PM

Hrm, yes it appears the faq servers searching functions are broken.. Just one more thing I have to fix. Sigh.

At any rate, there really should be no issues in using 2 firewalls with CARP + FTP. I run this configuration at my work and at home, etc..

ScottC · Mar 28, 2007, 8:23 PM

Can you give me a train of thought to follow on troubleshooting? I don't mind doing the work, I'm just out of ideas.

Thanks so much for any input you can give!!
Scott

ScottC · Mar 29, 2007, 9:05 PM

Someone? I'm definitely out of ideas. I understand that it SHOULDN'T be a problem and I'm definitely not pointing the finger at the software, but there's also definitely something wrong….in what I've done, a corrupt file or some strange bug in the hardware/software combination.

I still can't search FAQ's and I can't find it just by reading through them. I've already tried that.

I can't find the post in the forum that I thought had the answer in it either.

I'm definitely not trying to nag...just seeking answers.

Thanks for any help!!
Scott

sullrich · Mar 29, 2007, 9:25 PM

Upgrade to a recent snapshot. FTP should just work for the LAN interface out of the box.

ScottC · Mar 30, 2007, 5:07 PM

I'm currently running 3-15-2007, but I will upgrade to the latest after I test a little bit.

Thanks!
Scott