FTP Proxy / Nat dependency Bug
-
Okay, here's the config.xml. I initially forgot that interfaces -> wan disable ftp helper was not checked and panic'd but after that it sprung to life as it should have:
<pfsense><version>2.3</version>
<lastchange><theme>metallic</theme>
<system><optimization>normal</optimization>
<hostname>pfSense</hostname>
<domain>local</domain>
<dnsserver><dnsallowoverride><username>admin</username>
<password>$1$dSJImFph$GvZ7.1UbuWu.Yb8etC0re.</password>
<timezone>Etc/UTC</timezone>
<time-update-interval>300</time-update-interval>
<timeservers>pool.ntp.org</timeservers>
<webgui><protocol>http</protocol>
<certificate><private-key></private-key></certificate></webgui>
<disablenatreflection>yes</disablenatreflection>
<enablesshd>yes</enablesshd><maximumstates></maximumstates></dnsallowoverride></dnsserver></system>
<interfaces><lan><if>le0</if>
<ipaddr>192.168.1.1</ipaddr>
<subnet>24</subnet>
<media><mediaopt><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype></mediaopt></media></lan>
<wan><if>le1</if>
<mtu><media><mediaopt><bandwidth>100</bandwidth>
<bandwidthtype>Mb</bandwidthtype>
<spoofmac><ipaddr>dhcp</ipaddr>
<dhcphostname></dhcphostname></spoofmac></mediaopt></media></mtu></wan></interfaces>
<staticroutes><pppoe><pptp><bigpond><dyndns><type>dyndns</type>
<username><password></password></username></dyndns>
<dhcpd><lan><enable><range><from>192.168.1.100</from>
<to>192.168.1.199</to></range></enable></lan></dhcpd>
<pptpd><mode><redir><localip></localip></redir></mode></pptpd>
<ovpn><dnsmasq><enable></enable></dnsmasq>
<snmpd><syslocation><syscontact><rocommunity>public</rocommunity></syscontact></syslocation></snmpd>
<diag><ipv6nat></ipv6nat></diag>
<bridge><syslog><nat><ipsecpassthru><enable></enable></ipsecpassthru>
<rule><protocol>tcp</protocol>
<external-port>21</external-port>
<target>192.168.1.69</target>
<local-port>21</local-port>
<interface>wan</interface>
<descr>FTP</descr></rule></nat>
<filter><rule><type>pass</type>
<descr>Default LAN -> any</descr>
<interface>lan</interface>
<source>
<network>lan</network><destination><any></any></destination></rule>
<rule><interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any><destination><address>192.168.1.69</address><port>21</port></destination>
<descr>NAT FTP</descr></any></rule>
<rule><interface>wan</interface>
<protocol>tcp</protocol>
<source>
<any><destination><network>wanip</network>
<port>21</port></destination>
<descr>NAT FTP</descr></any></rule></filter>
<ipsec><preferredoldsa></preferredoldsa></ipsec>
<aliases><proxyarp><wol><installedpackages><revision><description>/interfaces_wan.php made unknown change</description>
<time>1157493006</time></revision></installedpackages></wol></proxyarp></aliases></syslog></bridge></ovpn></bigpond></pptp></pppoe></staticroutes></lastchange></pfsense> -
Ok good, here is the problem. After comparing configs, which we should have done a long time ago. Would have saved us both lots of testing hours.
<disablenatreflection>yes</disablenatreflection> which maps to System > Advanced > Disable NAT Reflection > checked.
I had this unchecked, so I could access our websites running on the dmz from the lan using their public dns names. With this unchecked this causes the problem with the ftp. With it checked works fine.
So my next question is how can I get these to work together so I can access the websites from the lan?
-
Interesting. I suppose we will want to ignore reflection entries for port 21. I will check into it.
-
Ok let me know what you find out.
-
Please replace /etc/inc/filter.inc with http://www.pfsense.com/~sullrich/filter.inc using diagnostics -> edit file.
Then run /etc/rc.filter_configure from diagnostics -> command prompt
Hopefully the reflection entries for port 21 will be gone now.
-
That seemed to fix it.
-
Yay!
I'll commit. Thanks for testing.
-
Thanks for fixing this!! I also had problems with FTP previously and had disable nat reflection unchecked. After replacing filter.inc ftp works. timb0311 good catch about the nat reflection.
When you say you committed it, I am assuming this will be included in the next release after RC2i.
-
It already is included in the latest snapshots: http://pfsense.com/~sullrich/1.0-SNAPSHOT-09-07-06/