Netgate Discussion Forum

    2 Issues with pfSense 1.2 RC3

    Category: NAT
    52 Posts, 10 Posters, 78.5k Views
      purdue512

      Thanks for this… Can I assume that FTP outbound from LAN was working before you put in the temporary FTP server?

        dotdash

        Yeah, outbound was working before adding the NAT for the temporary ftp.

          pinoyboy

          thank you sir!  couple of questions/comments…

          (1)  based on the FTP Helper screenshots you have, these are the default settings from pfSense - "out of the box"

          (2)  virtual ip's (aka VIP) for this is CARP not Proxy ARP; I suppose this is the only way to get it to work?  based on my previous posting I had to set up my VIP with Proxy ARP to get my 1:1 to go across for various services (HTTP, HTTPS, RDP, PPTP, SMTP, etc) with various servers - I have maybe 8 servers that require the same exact ports open and translated using 1:1 Proxy ARP per previous suggestion.  I guess my question here is since I have static mappings going 1:1 in a range, should I remove my Proxy ARP and change to a RANGE as you have there using CARP, then manually taking care of the actual mappings of each port at the firewall rules level?

          NOTE:  with pfSense, I was told in previous post that if I wanted 1:1 to work and all my servers had same services, I had to use Proxy Arp with VIP - looks like you are saying I can use a range of say 216.x.x.x/28 with CARP instead, then follow up with individual firewall rules for each server and service?

          (3)  the magic I see here is perhaps having the port forwarding you have for port 21 (not a 1:1); how would this work if I had two or more FTP servers?  Would I just port forward 21 using different source IP (part of VIP range) natted to proper internal ip?

          (4)  lastly, could you briefly expand on that ftp hack piece?

          thank you again!

            dotdash

            @pinoyboy:

            (2)  virtual ip's (aka VIP) for this is CARP not Proxy ARP; I suppose this is the only way to get it to work?  based on my previous posting I had to set up my VIP with Proxy ARP to get my 1:1 to go across for various services (HTTP, HTTPS, RDP, PPTP, SMTP, etc) with various servers - I have maybe 8 servers that require the same exact ports open and translated using 1:1 Proxy ARP per previous suggestion.  I guess my question here is since I have static mappings going 1:1 in a range, should I remove my Proxy ARP and change to a RANGE as you have there using CARP, then manually taking care of the actual mappings of each port at the firewall rules level?

            Here are my Caveats:

            1. I haven't had the need to setup more than one ftp server behind a single pfSense.
            2. I generally use port-forward instead of 1-1 NAT, as I like to create duplicate port-forwards for each WAN and AFAIK, you can't do that with 1-1's.
            3. I'm more concerned with outbound ftp than inbound; if someone wants data from a network I manage, I'm in a better position to insist they use something other than ftp. I view outbound ftp as a necessary evil.

            So far, the only outbound issues I've had have been with dual-wan (which is fixed by adding the rule which allows traffic to the ftp proxy process listening on loopback) and a few times where I've seen the pftpx process die. That's why I asked about the pftpx process in ps. I've only seen it a few times, and they were pre-1.2 builds, but I fixed it by disabling the ftp helper on the LAN, saving, then re-enabling.

            CARP addresses are added singly, but require the correct subnet mask. I thought the issue with proxy-arp's was that you couldn't run the ftp-helper on them, but I'm not sure. My thought is that a 1-1 NAT would be better suited for running an FTP server than port-forwards, but can't confirm that from experience.

            'FTP Hack' is just what I named the rule that makes sure traffic reaches the ftp proxy running on loopback.
            (TCP  LAN-net  * 127.0.0.1/31 * *)

              pinoyboy

              again, thx for the time in explaining your configs and your ideas; however, in my configuration it seems this will not work.  I see how you got it to work with port forwards, but I truly use 1:1 instead of port forwards (which are for a single server/port solution).  I'm really back to my original post… I will have to further test additional ideas over the weekend.  My config is dramatically different in that I have port 80/443/25/3389/20/21 for almost all my servers, hence I use 1:1 proxy arps.  for those that do not know - 1:1 = I have 10 usable public ip's and I have them mapped to 10 internal servers - all different servers but same services (http, https, smtp, etc); hence port forward is not suitable as it cannot handle more than one server/port.

                purdue512

                Guys,

                I am in EXACTLY the same boat, but with a different config…  My issue is even simpler (I believe) as I'm not trying to host FTP, simply USE ftp from LAN...  I am Dual WAN, HA / CARP VIPs... 80 / 443 / 3389 perform perfectly and failover perfectly, even with 5,000 active sessions. The outbound NAT works great to keep my source IP the same regardless of which box is MASTER... I simply can't FTP out - I get a login and then the session dies.....

                I tried to strip down my VIPs, NAT FORWARD and NAT OUTBOUND and RULES, push FTP helper off and on (on LAN) and rebuild the entire thing under the assumption that it is somehow an "ordering" issue since FTP HELPER was disabled on LAN by default... All that did was completely hose up my boxes to the point where they would not function in or out for any port... I had to restore from backup configs and am back on-line, but still no FTP...

                Why in the world is this so hard???  Very frustrating. Why is the order so important when building...

                Can you please confirm that the loopback rule (TCP  LAN-net  * 127.0.0.1/31 * *) suggested above is for the LAN interface?

                  purdue512

                  Is it possible that doing an upgrade from 1.0.1 rather than a clean install of 1.2 RC3 is causing my FTP hell?

                    purdue512

                    That's why I asked about the pftpx process in ps.

                    I followed that pointer, thanks. I ran the command in the shell and got some feedback that I couldn't interpret. But there was one line and you said to expect one per Helper-Enabled Interface, so that seemed right to me.

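The pftpx check that dotdash mentions above (the FTP Helper runs one pftpx process per helper-enabled interface) and that purdue512 ran by hand, written up as an added shell script; it is not code from this thread or from the pfSense project. It reads a ps listing from stdin, so it can be run against saved output as well as on a live box; the two sample listings and the /usr/local/sbin/pftpx path are constructed for the example and are not captured from a real firewall.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense itself.
# On pfSense 1.2 the FTP Helper runs one pftpx process per helper-enabled
# interface, so a missing process is a quick sign that the helper has died
# on that interface and needs to be disabled and re-enabled.

# Count pftpx processes in a ps listing read from stdin.
# Matches "pftpx" as the command name (bare or with a leading path) and
# ignores any "grep pftpx" line so the check does not count itself.
count_pftpx() {
    awk '$0 ~ "(^|[[:space:]/])pftpx([[:space:]]|$)" && $0 !~ "grep" { n++ }
         END { print n + 0 }'
}

# Compare the count with the number of helper-enabled interfaces.
# Returns 0 (and prints OK) when they match, 1 otherwise.
check_ftp_helper() {
    expected="$1"
    actual=$(count_pftpx)
    if [ "$actual" -eq "$expected" ]; then
        echo "OK: $actual pftpx process(es) for $expected helper-enabled interface(s)"
        return 0
    fi
    echo "MISMATCH: $actual pftpx process(es) running, expected $expected"
    echo "  (try disabling and re-enabling the FTP Helper on the affected interface)"
    return 1
}

# Constructed sample listings (not captured from a real firewall; the
# /usr/local/sbin path is an assumption used only for the sample).
SAMPLE_PS_ONE='  PID  TT  STAT      TIME COMMAND
  123  ??  Ss     0:00.02 /usr/local/sbin/pftpx
  456  ??  Is     0:00.01 /usr/sbin/cron
  789  p0  R+     0:00.00 grep pftpx'
SAMPLE_PS_NONE='  PID  TT  STAT      TIME COMMAND
  456  ??  Is     0:00.01 /usr/sbin/cron'

# On a live box: sh check_pftpx.sh <number of helper-enabled interfaces>
if [ "$#" -eq 1 ]; then
    ps ax | check_ftp_helper "$1"
fi
```

Run it with the number of interfaces that have the FTP Helper enabled (one, for a LAN-only setup); a mismatch is the condition dotdash reports clearing by toggling the helper off and on.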
                      purdue512

                      See also:

                      http://forum.pfsense.org/index.php/topic,6107.0.html

                      Which I'm having a hard time understanding…

                        purdue512

                        This issue seems to go WAY back:

                        http://www.mail-archive.com/discussion@pfsense.com/msg01852.html

                          mhab12

                          FTP (outbound) works fine here.  Granted we only have one WAN, one LAN(vlan), and one OPT(vlan).  The FTP helper etc. is DISABLED on all interfaces.  No special port forwards/firewall rules on 21 or anything like that.  We just had to tinker with the ftp proxy option on different interfaces but we got there.  Lucky for us we were one of the 99% user error category.

                            purdue512

                            Thanks mhab12.

                            Could you provide some detail on the "tinker with the FTP proxy options" for me?

                              mhab12

                              Tinker with the FTP proxy options = Toggle the FTP proxy option on and off in various combinations across all your interfaces.

                                purdue512

                                Okay… In the newest version I think it's called "FTP Helper", so I'm assuming we're talking about the same thing.

                                Thanks for your help.

                                  sullrich

                                  FTP Helper is an FTP proxy.  It is called "FTP Helper" in the GUI but it's basically a proxy.

                                    purdue512

                                    Thanks. At this point, I've come to the conclusion there are some very serious bugs in the FTP HELPER (proxy) in pfSense 1.2 RC3. I know many people have posted that they have it working, but I've now put over 40 hours into this single issue (yes, it's crazy) and I simply can't get it to work with my config. I'm thinking it has to do with being Multi-WAN and CARP…

                                    I am, sadly, going to back out my pfSense HA implementation and go back to SmoothWall until I can get FTP working on the bench. I had neglected to test FTP before putting this into production (my bad), and had also assumed this would not be a big deal. From the volume of posts around, it certainly IS a big deal. My personal belief is that it will hold this software back until addressed. I know what the sentiment is for FTP, and I don't disagree on technical grounds, but it's simply used too much by big corporate players today to be overlooked...

                                    When I get back on SmoothWall, I will start removing pieces of my pfSense config to see if I can isolate exactly where FTP dies on the bench. I'm going to try a single-WAN / CARP config next... See if that works. If it doesn't I will try single-WAN single pfSense, see if that works.  Sure hope the larger community decides FTP needs attention before RC3 becomes a real release....

                                    All the input and time responding to my questions is deeply appreciated.

                                      sullrich

                                      That's strange as I know of NO FTP bugs….  Maybe you should walk through http://devwiki.pfsense.org/FTPTroubleShooting first.

                                        Perry

                                        When I get back on SmoothWall, I will start removing pieces of my pfSense config to see if I can isolate exactly where FTP dies on the bench. I'm going to try a single-WAN / CARP config next… See if that works. If it doesn't I will try single-WAN single pfSense, see if that works.  Sure hope the larger community decides FTP needs attention before RC3 becomes a real release....

                                        IMO it's always good practice to do a test with as default an install as possible first. If that works one can move closer to one's intended install until it breaks. Then report what has been done so it is possible to duplicate.

                                        I do also appreciate when software is released that known limits are shown beside features.

                                        just my 2 cents…

                                        /Perry
                                        doc.pfsense.org

                                          purdue512

                                          @sullrich:

                                          That's strange as I know of NO FTP bugs….  Maybe you should walk through http://devwiki.pfsense.org/FTPTroubleShooting first.

                                          Thanks… But I've been through that like 6 times.

                                            sullrich

                                            @purdue512:

                                            @sullrich:

                                            That's strange as I know of NO FTP bugs….  Maybe you should walk through http://devwiki.pfsense.org/FTPTroubleShooting first.

                                            Thanks… But I've been through that like 6 times.

                                            Well, that's fine, but it really does fix 99% of the edge cases.  I honestly see nothing strange with your configuration.  So suit yourself.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.