FTP problems
-
Hey guys
I'm newish to pfSense and we went from a single connection box to using the LB. Ever since then I can't connect via FTP.
We have 2 ADSL connections which are connected via 2 modems that are using NAT, and we have two WAN interfaces ("WAN" and "TPG") with local IPs (10.10.20.1, 10.10.30.1).
I've tried creating rules to force FTP traffic (Ports 20 & 21) and any traffic between ports 1024:65535 through a specific interface.
I've also turned the FTP proxy thing in the Interfaces menu on and off for all the interfaces.
When I FTP out, the client netstat table just shows SYN_SENT on port 21.
At the moment, our TPG connection is temperamental so we have disabled the LB. FTP is still not working.
Some of my rules have been omitted from these lists, if you think they might be relevant please let me know.
Here is my WAN rule table (columns: Proto, Source, Port, Destination, Port, Gateway, Description):
TCP/UDP * * 10.10.10.10 873 * NAT RSYNC -> NAS
TCP * * 10.10.10.253 25 (SMTP) * NAT Mail -> Proxy
TCP * * 10.10.10.6 22 (SSH) * NAT iiNET SSH -> Tintin
TCP * * 10.10.10.9 3389 (MS RDP) * NAT iiNET RDP -> XP
TCP * 80 (HTTP) 10.10.10.6 80 (HTTP) * NAT iiNet Web -> Tintin
Here is my TPG rule table:
TCP * * 10.10.10.253 22 (SSH) * NAT iiNET SSH -> Proxy
TCP/UDP * * 10.10.10.10 873 * NAT RSYNC -> NAS
Here is my LAN rule table:
UDP * * * 27000 - 27020 iiNet STEAM (UDP) -> iiNet
TCP * * 208.113.148.18 * iiNet Dreamhost -> iiNet
TCP * * 203.59.27.133 * iiNet ftp.iinet.net.au -> iiNet
TCP * * * 21 (FTP) iiNet FTP -> iiNet
TCP * * * 1024 - 65535 iiNet Everything -> iiNet
TCP * * * 20 iiNet FTP data -> iiNet
TCP * * 203.59.27.13 * iiNet games.iinet.net.au -> iiNet
TCP * * * 25 (SMTP) iiNet Mail -> iiNet
ICMP * * * * iiNet ICMP
ICMP * * * * TPG ICMP
TCP * * * 443 (HTTPS) iiNet LAN -> HTTPS -> iiNet
- LAN net * 10.10.20.0/24 * iiNet LAN -> iiNet ADSL Modem
- LAN net * 10.10.30.0/24 * TPG LAN -> TPG ADSL Modem
TCP LAN net * * * iiNet iiNet/TPG LoadBalancer
TCP/UDP 10.10.10.253 * * 161 (SNMP) * Nagios -> SNMP
Here is my NAT table (columns: Interface, Proto, Ext. port, NAT IP, Int. port, Description):
TPG TCP/UDP 873 10.10.10.10(ext.: 10.10.30.1) 873 RSYNC -> NAS
WAN TCP/UDP 873 10.10.10.10(ext.: 10.10.20.1) 873 RSYNC -> NAS
WAN TCP 25 (SMTP) 10.10.10.253(ext.: 10.10.20.1) 25 (SMTP) Mail -> Proxy
WAN TCP 22 (SSH) 10.10.10.6(ext.: 10.10.20.1) 22 (SSH) iiNET SSH -> Tintin
TPG TCP 22 (SSH) 10.10.10.253(ext.: 10.10.30.1) 22 (SSH) TPG SSH -> Proxy
WAN TCP/UDP 80 (HTTP) 10.10.10.9(ext.: 10.10.20.1) 80 (HTTP) Web -> Tintin
-
When using multi-WAN, FTP will only work if you add a firewall rule at LAN to send all traffic to destination 127.0.0.1 to the default gateway and enable the FTP helper at LAN. FTP traffic will then only work on the original WAN interface.
-
For the FTP port? When you said default GW, do you mean the gateway item "Default", or "LB"?
So would the rule look like this? :
TCP * * * 21 (FTP) * FTP
-
Please reread more closely ;)
At Firewall > Rules, LAN, very top of the rules: any protocol, any source, destination 127.0.0.1, gateway "default". Save, apply, and maybe reset states if it does not work immediately.
-
I read your post, I just didn't fully understand what to do.
I've done that. When you say enable the FTP helper on the LAN interface, do you mean make sure this thing is unticked?:
FTP Helper Disable the userland FTP-Proxy application
-
Right, the logic is reversed. It should be running on LAN, so don't disable it ;)
-
OK, it works, thanks very much :)
Is this ftp helper anything like the iptables conntrack_ftp module ?
-
FTP uses more than one port. The proxy is dynamically opening ports by listening to what ports the client and the server request/assign. If the proxy is not in use, it's most likely that the different ports that belong to the same session are getting balanced, which will break stuff as the source IPs for the same session are different. As the proxy is living on 127.0.0.1, you have to make sure with that rule that the FTP traffic reaches the proxy and is not sent out directly to one of the WANs.
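To make the explanation above concrete, here is an added Python model (editorial example, not code from this thread or from pfSense). It models the two points the reply makes: the data port is negotiated inside the control channel (a PASV reply is what the helper has to watch for), and a balancer that picks a WAN per new connection can put the control and data connections on different source IPs, which a server that ties data connections to the control connection's address will reject. The WAN addresses and the server's passive port are constructed test values; the server check is a simplified model of the common "data connection must come from the control connection's IP" rule, not a description of any particular FTP server.

```python
"""Why per-connection load balancing breaks FTP, modelled in Python.

Constructed example. An FTP session is a control connection (port 21) plus
separate data connections whose ports are negotiated inside the control
channel. A multi-WAN balancer choosing a WAN per new TCP connection can send
the data connection out a different WAN, so the server sees two source IPs for
one session. Pinning the session to one egress (what sending it through the
FTP helper on 127.0.0.1 achieves) keeps a single source IP.
"""
import itertools
import re

# Constructed public addresses for the two WAN links (documentation ranges).
WAN_IPS = {"WAN": "198.51.100.10", "TPG": "203.0.113.20"}

# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"; port = p1*256 + p2.
PASV_RE = re.compile(r"227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv(reply):
    """Return (host, port) from a PASV reply.

    This is the negotiation an FTP proxy listens for: the data port is only
    known once the server has answered PASV on the control connection.
    """
    m = PASV_RE.search(reply)
    if not m:
        raise ValueError("not a PASV reply: %r" % reply)
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    return "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2


class FtpServer:
    """Simplified server: remembers the control connection's source IP and
    only accepts a data connection arriving from that same IP."""

    def __init__(self, data_port=50000):
        self.data_port = data_port
        self.control_src = None

    def accept_control(self, src_ip):
        """Accept the control connection and answer PASV with a data port."""
        self.control_src = src_ip
        return "227 Entering Passive Mode (192,0,2,5,%d,%d)" % (
            self.data_port // 256, self.data_port % 256)

    def accept_data(self, src_ip):
        """Data connection is accepted only from the control connection's IP."""
        return src_ip == self.control_src


def round_robin_balancer():
    """Per-connection balancer: each new TCP connection goes out the next WAN."""
    cycle = itertools.cycle(WAN_IPS.values())
    return lambda: next(cycle)


def pinned(wan):
    """Policy: every connection of the session leaves via one named WAN."""
    return lambda: WAN_IPS[wan]


def ftp_session(pick_source_ip, server=None):
    """Run one passive-mode transfer through the chosen egress policy.

    Returns (control_src, data_src, data_accepted).
    """
    server = server or FtpServer()
    control_src = pick_source_ip()            # connection 1: control, port 21
    reply = server.accept_control(control_src)
    _, data_port = parse_pasv(reply)          # learn the negotiated data port
    data_src = pick_source_ip()               # connection 2: data, that port
    return control_src, data_src, server.accept_data(data_src)


if __name__ == "__main__":
    print("balanced:", ftp_session(round_robin_balancer()))  # data rejected
    print("pinned:  ", ftp_session(pinned("WAN")))           # data accepted
```

Running it shows the balanced session's control and data connections leaving from different addresses and the data connection being refused, while the pinned session keeps one source address and succeeds; that is the difference the 127.0.0.1 rule plus the LAN FTP helper makes in practice.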
-
Thanks for that, very helpful.
While I've got you here, quick question: is there any way we can get Nagios to monitor pfSense? I've looked around but the SNMP stuff seems mostly performance & stats related.
Thanks