Debug.pfftpproxy=1 to enable LAN to WAN FTP

lucky

I started having issues on around the May 9th snapshot. I didn't notice it until this past week because my FTP server isn't used much. Setting debug.pfftpproxy=1 has restored services, for now.

My setup is fairly straightforward - three NICs, one WAN two LAN. The FTP server is in a VM that sits on one of the LAN segments. FTP server is a default Ubuntu wu-ftp daemon install. I have a NAT rule in place for FTP. I have traffic shaping, though FTP is not part of any special queue. That's about it. This has worked solidly until ~ May 9.

Note - When I was initially troubleshooting, I noticed that the firewall was denying SYN ACKs going from the FTP server back to the client. The client failed to properly FTP data to my server in both active and passive mode.

If I can provide anything else to help troubleshoot, please let me know and I'll get it for you.

eri--

Wait for snapshots of tomorrow and test.

athurdent

FTP did not get any better with the lastest snapshot Mon Jul 8 21:53:11 EDT 2013 . It should contain the newest fixes according to```
cat /etc/version.lastcommit

Half of the time passive FTP works, but I am still seeing those in the logs when the passive FTP session hangs.
em0 is the LAN interface. My test system is single LAN/WAN.

Jul  9 08:51:02 pfsense-ipv6 pf: 00:00:14.413456 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 24551, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 08:51:02 pfsense-ipv6 pf:     83.141.4.210.56941 > 192.168.x.x.56941: Flags [S.], cksum 0xa08a (correct), seq 1305586650, ack 72292906, win 5840, options [mss 1380,nop,nop,sackOK,nop,wscale 7], length 0

So the state table still does not get updated correctly by the FTP proxy/helper.
On the bright side, at least pfSense did not crash, yet.

Edit:
Active FTP does not work anymore, I'm getting those in the log:

Jul  9 09:25:29 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [P.], cksum 0x966e (correct), ack 212331008, win 5840, length 51
Jul  9 09:25:29 pfsense-ipv6 pf: 00:00:00.212976 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 9015, offset 0, flags [DF], proto TCP (6), length 91)
Jul  9 09:25:29 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [P.], cksum 0x966e (correct), ack 212331008, win 5840, length 51
Jul  9 09:25:30 pfsense-ipv6 pf: 00:00:00.090747 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 52027, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 09:25:30 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [.], cksum 0x1e4e (correct), ack 212331009, win 5840, options [nop,nop,sack 1 {212330981:212331009}], length 0
Jul  9 09:25:30 pfsense-ipv6 pf: 00:00:00.335257 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 23454, offset 0, flags [DF], proto TCP (6), length 91)
Jul  9 09:25:30 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [P.], cksum 0x966d (correct), ack 212331009, win 5840, length 51
Jul  9 09:25:30 pfsense-ipv6 pf: 00:00:00.255013 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 41021, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 09:25:30 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [.], cksum 0x1e4d (correct), ack 212331009, win 5840, options [nop,nop,sack 1 {212330981:212331010}], length 0
Jul  9 09:25:31 pfsense-ipv6 pf: 00:00:00.597293 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 24176, offset 0, flags [DF], proto TCP (6), length 91)
Jul  9 09:25:31 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [P.], cksum 0x966d (correct), ack 212331009, win 5840, length 51
Jul  9 09:25:31 pfsense-ipv6 pf: 00:00:00.604381 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 26446, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 09:25:31 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [.], cksum 0x1e4d (correct), ack 212331009, win 5840, options [nop,nop,sack 1 {212330981:212331010}], length 0
Jul  9 09:25:32 pfsense-ipv6 pf: 00:00:01.101145 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 11135, offset 0, flags [DF], proto TCP (6), length 91)
Jul  9 09:25:32 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [P.], cksum 0x966d (correct), ack 212331009, win 5840, length 51
Jul  9 09:25:32 pfsense-ipv6 pf: 00:00:00.103532 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 42482, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 09:25:32 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [.], cksum 0x1e4d (correct), ack 212331009, win 5840, options [nop,nop,sack 1 {212330981:212331010}], length 0
Jul  9 09:25:34 pfsense-ipv6 pf: 00:00:01.204942 rule 4/0(match): block out on em0: (tos 0x0, ttl 53, id 64293, offset 0, flags [DF], proto TCP (6), length 52)
Jul  9 09:25:34 pfsense-ipv6 pf:    83.141.4.210.21 > 192.168.x.x.49686: Flags [.], cksum 0x1e4d (correct), ack 212331009, win 5840, options [nop,nop,sack 1 {212330981:212331010}], length 0

lucky

@ermal:

Wait for snapshots of tomorrow and test.

Still having the issue on: 2.1-RC0 (amd64) built on Tue Jul 9 23:33:36 EDT 2013

Update: just to clarify, setting debug.pfftpproxy=1 still makes connections to my FTP server work again.

doktornotor

@lucky:

Still having the issue on: 2.1-RC0 (amd64) built on Tue Jul 9 23:33:36 EDT 2013

I had no issues before the latest patches. Broke more than it fixed.

athurdent

My issues with FTP began after:
https://redmine.pfsense.org/issues/2650#note-9
Would be great if those patches could be reverted. FTP is sluggish/broken on both of my WAN lines now.

gogol

I am on "built on Fri Jul 12 10:55:43 EDT 2013" but I still have problems when the proxy is enabled (default value).

doktornotor

On another note, I still managed to get kernel panic with FTP traffic with

2.1-RC0 (i386) built on Thu Jul 11 23:06:42 EDT 2013 FreeBSD 8.3-RELEASE-p8

The more patches here go in, the more broken the thing is, and I have yet to see anyone reporting any improvement to the issues they were supposed to be fixed. Please, revert the stuff altogether.

datentod

Same issue here on same build.

@doktornotor:

On another note, I still managed to get kernel panic with FTP traffic with

2.1-RC0 (i386) built on Thu Jul 11 23:06:42 EDT 2013 FreeBSD 8.3-RELEASE-p8

The more patches here go in, the more broken the thing is, and I have yet to see anyone reporting any improvement to the issues they were supposed to be fixed. Please, revert the stuff altogether.

doktornotor

@datentod:

Same issue here on same build.

The patches thankfully got reverted.. Try later with today's snapshots, the panics should be all gone.

athurdent

Just updated to the lastest snapshot. Passive FTP is still hanging frequently. It would be really nice if the patches from about 2 month ago could be reverted, too. After those FTP started to behave odd, it was working perfectly fine before.

AeroWB

Same problem here with a simple setup and the snapshot from July 17, the browser ftp test to dd-wrt fails. While pfSense 2.0.3 works.
Hopefully these ftp helper changes get reverted to what worked in 2.0.3

I do not have multi WAN so I am not affected by the problems that the old code had, hopefully for those who do there exists a good workaround.

Maybe a new ftp helper could be tested and developed on a different version then pfSense stable and release candidate as it seems to be quite complicated as the 2.1.0 release candidates have a broken ftp helper for over 2 months.

doktornotor

Devs, could someone make a testing "out-of-band" 2.1 snapshots with the recent (2+ months) FTP "fixes" removed? I suspect those really don't improve much, but rather keep breaking things for more people. This way, those lots of people who posted on this thread could test those and report if they get actual improvement, or whether there are some regressions from reverting the patches, or whether it changes nothing for them.

On a positive note, after several days of downloading and uploading via FTP, the panics seem to be gone for good. Pheeeeew.

athurdent

Many thanks to Jimp for finally removing the rest of the problematic patches! FTP is finally working again :)

lucky

@athurdent:

Many thanks to Jimp for finally removing the rest of the problematic patches! FTP is finally working again :)

Awesome! Do you know which snapshot this takes/took effect in? I'd like to test it out. Thanks!

doktornotor

@lucky:

Awesome! Do you know which snapshot this takes/took effect in? I'd like to test it out. Thanks!

Certainly there with 2.1-RC1 (i386)  built on Thu Aug 1 19:03:48 EDT 2013 and anything newer.

athurdent

This is the last revert:
https://github.com/pfsense/pfsense-tools/commit/3e9741ca7738bee066bfac95d5efba343ddf4c48
So it's already in the latest snapshots, I just upgraded und tested.

lucky

@doktornotor:

@lucky:

Awesome! Do you know which snapshot this takes/took effect in? I'd like to test it out. Thanks!

Certainly there with 2.1-RC1 (i386)  built on Thu Aug 1 19:03:48 EDT 2013 and anything newer.

I just upgraded to 2.1-RC1 (amd64) built on Thu Aug 1 19:39:40 EDT 2013, everything looks good now :)

gogol

Thanx, I can confirm FTP works again with the default value!

boohoo

Is this an issue for WAN > LAN > FTP ? I did some editing on my rules table and now I cannot get it to work.. I even reverted back to my original settings.

I posted a comment in url below hoping for a reply but I also found this which caught my attention…

http://forum.pfsense.org/index.php/topic,58678.msg315592/topicseen.html#msg315592

thanks!