• Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login
Netgate Discussion Forum
  • Categories
  • Recent
  • Tags
  • Popular
  • Users
  • Search
  • Register
  • Login

Problem connecting to ftp sites DUAL WAN using static routing

Scheduled Pinned Locked Moved Routing and Multi WAN
18 Posts 4 Posters 8.5k Views
Loading More Posts
  • Oldest to Newest
  • Newest to Oldest
  • Most Votes
Reply
  • Reply as topic
Log in to reply
This topic has been deleted. Only users with topic management privileges can see it.
  • R
    rtuin
    last edited by Oct 25, 2006, 9:48 AM

    Hello,

    I have checked the FAQ section as well as a forum search but am unable to find the answer to what is happening in my case.

    I have a static routed Dual WAN configuration that works fine. (see my previous post for setup details if needed..)

    All LAN trafic if routed by default over OP1(WAN2) this works fine. I have also noted that ftp does not work over OPT1, so I have a Firewall -> Rules -> LAN where I have :

    Proto    Source    port Destination Port Gateway
    tcp      LAN net    *        *          21    *
    the default gateway is WAN so that should be ok. After this I have the following firewall rule for LAN:

    Proto    Source    port Destination Port Gateway
    tcp      LAN net    *        *        110    *
    I have this because I want pop routed over the default GW, it work fine.

    Finally I have all other traffic routed over Opt1 (WAN2) , it works fine too.

    Proto    Source    port Destination Port Gateway
    tcp      LAN net    *        *          *  192.168.1.1
    That is my Opt1 (WAN2) gateway.

    But I seem to be missing something in ftp.. it almost works:

    Connected to ftp.test.nl.
    220–-------- Welcome to Pure-FTPd [TLS] –--------
    220-You are user number 3 of 50 allowed.
    220-Local time is now 11:45. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    User (ftp.test.nl:(none)): user
    331 User rtuin OK. Password required
    Password:
    230-User rtuin has group access to:  rtuin
    230 OK. Current restricted directory is /
    ftp> ls
    500 I won't open a connection to 192.168.2.4 (only to 82.215.27.218)
    425 No data connection

    Why is this not NATted?
    In Interfaces -> WAN I have tried both with Userland FTP-procy switched on and off..

    Any help will be apriciated…

    1 Reply Last reply Reply Quote 0
    • H
      hoba
      last edited by Oct 25, 2006, 12:26 PM

      Your  ftp-server doesn't know about it's public IP and is handing out it's private IP to the client. The ftp rpxy usually should fix that if configured properly. Make your ftp-server aware of it's public IP (most ftp servers have a setting for this hiding somewhere). You will need to forward another portrange that the ftp user uses additional to the port 21 to support passive connections.

      1 Reply Last reply Reply Quote 0
      • R
        rtuin
        last edited by Oct 25, 2006, 1:59 PM

        Hi Hoba,

        I think you mis understood. I am trying to ftp to a remote site from LAN, so the FTP target server is internet hosted. Just dosbox -> ftp -> open ftp.bla.bla..

        It connects I can login.. but as soon as I do ls.. I get this message back from that remote server…
        Other ftp clients are also unable to get listings from remote servers..

        :'( just makes updating a website compluicated now...

        1 Reply Last reply Reply Quote 0
        • H
          hoba
          last edited by Oct 25, 2006, 2:06 PM

          Ah, ok. I misunderstood something here. I think you are bitten by this bug: http://cvstrac.pfsense.com/tktview?tn=1138,6

          The workaround is in the report. turn the ftphelper on at the internal subnets and place the loopbackrule at every internal interface that needs it. Also try with passivemode if this still doesn't work.

          1 Reply Last reply Reply Quote 0
          • R
            rtuin
            last edited by Oct 25, 2006, 2:40 PM

            Hi,

            As indicated I have enabled; removed checkbox at Interfaces-> LAN -> Disable the userland FTP-Proxy application

            Added the following rule, as indicated in the work around, for LAN and DMZ:

            Proto      Source Port Destination          Port        Gateway Description 
              TCP/UDP    *        *  127.0.0.1      1 - 65535          *        FTP fix

            Please note that I am NOT load balancing, just static routing.

            The issue remains the same, I do not know if the following info is of any use.. but just in case.. Total connander ftp client log output. Dos command line ftp message remains the same also.

            331 User rtuin OK. Password required
            PASS ***********
            230-User rtuin has group access to:  rtuin 
            230 OK. Current restricted directory is /
            SYST
            215 UNIX Type: L8
            FEAT
            211-Extensions supported:
            EPRT
            IDLE
            MDTM
            SIZE
            REST STREAM
            MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
            MLSD
            ESTP
            PASV
            EPSV
            SPSV
            ESTA
            AUTH TLS
            PBSZ
            PROT
            211 End.
            Connect ok!
            PWD
            257 "/" is your current location
            Get directory
            TYPE A
            200 TYPE is now ASCII
            PORT 192,168,2,4,15,195
            500 I won't open a connection to 192.168.2.4 (only to my.ext.ip.nr)

            regards,

            rowdy

            1 Reply Last reply Reply Quote 0
            • H
              hoba
              last edited by Oct 25, 2006, 3:20 PM

              Try passive mode.

              1 Reply Last reply Reply Quote 0
              • R
                rtuin
                last edited by Oct 25, 2006, 3:38 PM

                Hi,
                In passive mode it simply will not LIST.. one can wait for minutes..

                Connect ok!
                PWD
                257 "/" is your current location
                Get directory
                TYPE A
                200 TYPE is now ASCII
                PASV
                227 Entering Passive Mode (85,17,3,142,215,115)
                LIST
                Cancel pressed!

                In dos the following:
                ftp> ls
                –-> PORT 192,168,2,4,15
                500 I won't open a conne
                ---> NLST
                425 No data connection

                So any suggestiosn are still welcome.. I am just stuck at this one?
                If some one is able to ftp tp websites etc from LAN to any internet hosted ftp server using staic Dual WAN please let me know what your settings are..

                1 Reply Last reply Reply Quote 0
                • H
                  hoba
                  last edited by Oct 25, 2006, 5:40 PM

                  I do, even with loadbalancing in active and passive mode when using this workaround rule  ;)

                  1 Reply Last reply Reply Quote 0
                  • R
                    rtuin
                    last edited by Oct 25, 2006, 7:58 PM

                    hahaha could have guessed…  I hope I will too soon.. :-)

                    1 Reply Last reply Reply Quote 0
                    • H
                      hoba
                      last edited by Oct 25, 2006, 8:18 PM

                      Oh, btw, you have to reset states after you added the loopbackrule. If you still have old states in your statetable and you try to get tot he same server again you will still see the problem. (diagnostics>states, reset states)

                      1 Reply Last reply Reply Quote 0
                      • R
                        rtuin
                        last edited by Oct 25, 2006, 8:37 PM

                        :-( did that .. even before posting ..  even after the workaround..

                        I did a reboot and that solves it.. as it seems resetting states isn't working.. I have that with rule changes also..

                        Anyway the workaround has solved the main issue..

                        Thanks Hoba ..

                        1 Reply Last reply Reply Quote 0
                        • H
                          hoba
                          last edited by Oct 25, 2006, 8:58 PM

                          Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

                          1 Reply Last reply Reply Quote 0
                          • B
                            billm
                            last edited by Oct 25, 2006, 9:31 PM

                            @hoba:

                            Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

                            Arg…that bug SUCKS :-/  Why oh why was this not caught in the RC's sigh.  One wonders if nobody used them.

                            --Bill

                            pfSense core developer
                            blog - http://www.ucsecurity.com/
                            twitter - billmarquette

                            1 Reply Last reply Reply Quote 0
                            • P
                              peterclo
                              last edited by Oct 27, 2006, 4:12 PM

                              I think I have the same problem and even slightly worse  :-\

                              I couldn't connect to any FTP server on the Internet so I added the workaround rule above my Allow All on LAN and redirected it to the default gateway (WAN, I'm loadbalancing on WAN and OPT1). Now I can connect to FTP servers (including passively) but sometimes it can't LIST, and just hang there, regardless of the FTP client. I did a state reset and even a reboot, to no avail :(

                              1 Reply Last reply Reply Quote 0
                              • H
                                hoba
                                last edited by Oct 27, 2006, 11:52 PM

                                Make sure you use "default" (should show up as an asterisk in the rules view) instead of the WAN-IP as gateway.

                                1 Reply Last reply Reply Quote 0
                                • P
                                  peterclo
                                  last edited by Oct 30, 2006, 10:59 AM

                                  Yep, that's what I was using. I updated to 1.0.1 and after the reboot it seems to be working now :)

                                  Anyway, if my WAN comes down I'll have to edit the workaround rule to use OPT1 as the gateway, right?

                                  1 Reply Last reply Reply Quote 0
                                  • H
                                    hoba
                                    last edited by Oct 30, 2006, 3:09 PM

                                    The ftp helper can only be used at the original WAN as it is a userland application that can't make use of the loadbalancer. This is a limitation. Btw, we fixed something behind the scenes, so you should try if you now can do without the workaround rule. Just disable it and try again.

                                    1 Reply Last reply Reply Quote 0
                                    • P
                                      peterclo
                                      last edited by Oct 30, 2006, 4:15 PM

                                      No luck without the workaround :(

                                      1 Reply Last reply Reply Quote 0
                                      1 out of 18
                                      • First post
                                        1/18
                                        Last post
                                      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.
                                        This community forum collects and processes your personal information.
                                        consent.not_received