Problem connecting to ftp sites DUAL WAN using static routing

rtuin · Oct 25, 2006, 9:48 AM

Hello,

I have checked the FAQ section as well as a forum search but am unable to find the answer to what is happening in my case.

I have a static routed Dual WAN configuration that works fine. (see my previous post for setup details if needed..)

All LAN trafic if routed by default over OP1(WAN2) this works fine. I have also noted that ftp does not work over OPT1, so I have a Firewall -> Rules -> LAN where I have :

Proto Source port Destination Port Gateway
tcp LAN net * * 21 *
the default gateway is WAN so that should be ok. After this I have the following firewall rule for LAN:

Proto Source port Destination Port Gateway
tcp LAN net * * 110 *
I have this because I want pop routed over the default GW, it work fine.

Finally I have all other traffic routed over Opt1 (WAN2) , it works fine too.

Proto Source port Destination Port Gateway
tcp LAN net * * * 192.168.1.1
That is my Opt1 (WAN2) gateway.

But I seem to be missing something in ftp.. it almost works:

Connected to ftp.test.nl.
220–-------- Welcome to Pure-FTPd [TLS] –--------
220-You are user number 3 of 50 allowed.
220-Local time is now 11:45. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (ftp.test.nl:(none)): user
331 User rtuin OK. Password required
Password:
230-User rtuin has group access to: rtuin
230 OK. Current restricted directory is /
ftp> ls
500 I won't open a connection to 192.168.2.4 (only to 82.215.27.218)
425 No data connection

Why is this not NATted?
In Interfaces -> WAN I have tried both with Userland FTP-procy switched on and off..

Any help will be apriciated…

hoba · Oct 25, 2006, 12:26 PM

Your ftp-server doesn't know about it's public IP and is handing out it's private IP to the client. The ftp rpxy usually should fix that if configured properly. Make your ftp-server aware of it's public IP (most ftp servers have a setting for this hiding somewhere). You will need to forward another portrange that the ftp user uses additional to the port 21 to support passive connections.

rtuin · Oct 25, 2006, 1:59 PM

Hi Hoba,

I think you mis understood. I am trying to ftp to a remote site from LAN, so the FTP target server is internet hosted. Just dosbox -> ftp -> open ftp.bla.bla..

It connects I can login.. but as soon as I do ls.. I get this message back from that remote server…
Other ftp clients are also unable to get listings from remote servers..

:'( just makes updating a website compluicated now...

hoba · Oct 25, 2006, 2:06 PM

Ah, ok. I misunderstood something here. I think you are bitten by this bug: http://cvstrac.pfsense.com/tktview?tn=1138,6

The workaround is in the report. turn the ftphelper on at the internal subnets and place the loopbackrule at every internal interface that needs it. Also try with passivemode if this still doesn't work.

rtuin · Oct 25, 2006, 2:40 PM

Hi,

As indicated I have enabled; removed checkbox at Interfaces-> LAN -> Disable the userland FTP-Proxy application

Added the following rule, as indicated in the work around, for LAN and DMZ:

Proto Source Port Destination Port Gateway Description
TCP/UDP * * 127.0.0.1 1 - 65535 * FTP fix

Please note that I am NOT load balancing, just static routing.

The issue remains the same, I do not know if the following info is of any use.. but just in case.. Total connander ftp client log output. Dos command line ftp message remains the same also.

331 User rtuin OK. Password required
PASS ***********
230-User rtuin has group access to: rtuin
230 OK. Current restricted directory is /
SYST
215 UNIX Type: L8
FEAT
211-Extensions supported:
EPRT
IDLE
MDTM
SIZE
REST STREAM
MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
MLSD
ESTP
PASV
EPSV
SPSV
ESTA
AUTH TLS
PBSZ
PROT
211 End.
Connect ok!
PWD
257 "/" is your current location
Get directory
TYPE A
200 TYPE is now ASCII
PORT 192,168,2,4,15,195
500 I won't open a connection to 192.168.2.4 (only to my.ext.ip.nr)

regards,

rowdy

hoba · Oct 25, 2006, 3:20 PM

Try passive mode.

rtuin · Oct 25, 2006, 3:38 PM

Hi,
In passive mode it simply will not LIST.. one can wait for minutes..

Connect ok!
PWD
257 "/" is your current location
Get directory
TYPE A
200 TYPE is now ASCII
PASV
227 Entering Passive Mode (85,17,3,142,215,115)
LIST
Cancel pressed!

In dos the following:
ftp> ls
–-> PORT 192,168,2,4,15
500 I won't open a conne
---> NLST
425 No data connection

So any suggestiosn are still welcome.. I am just stuck at this one?
If some one is able to ftp tp websites etc from LAN to any internet hosted ftp server using staic Dual WAN please let me know what your settings are..

hoba · Oct 25, 2006, 5:40 PM

I do, even with loadbalancing in active and passive mode when using this workaround rule ;)

rtuin · Oct 25, 2006, 7:58 PM

hahaha could have guessed… I hope I will too soon.. :-)

hoba · Oct 25, 2006, 8:18 PM

Oh, btw, you have to reset states after you added the loopbackrule. If you still have old states in your statetable and you try to get tot he same server again you will still see the problem. (diagnostics>states, reset states)

rtuin · Oct 25, 2006, 8:37 PM

:-( did that .. even before posting .. even after the workaround..

I did a reboot and that solves it.. as it seems resetting states isn't working.. I have that with rule changes also..

Anyway the workaround has solved the main issue..

Thanks Hoba ..

hoba · Oct 25, 2006, 8:58 PM

Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

billm · Oct 25, 2006, 9:31 PM

@hoba:

Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

Arg…that bug SUCKS :-/ Why oh why was this not caught in the RC's sigh. One wonders if nobody used them.

--Bill

peterclo · Oct 27, 2006, 4:12 PM

I think I have the same problem and even slightly worse :-\

I couldn't connect to any FTP server on the Internet so I added the workaround rule above my Allow All on LAN and redirected it to the default gateway (WAN, I'm loadbalancing on WAN and OPT1). Now I can connect to FTP servers (including passively) but sometimes it can't LIST, and just hang there, regardless of the FTP client. I did a state reset and even a reboot, to no avail :(

hoba · Oct 27, 2006, 11:52 PM

Make sure you use "default" (should show up as an asterisk in the rules view) instead of the WAN-IP as gateway.

peterclo · Oct 30, 2006, 10:59 AM

Yep, that's what I was using. I updated to 1.0.1 and after the reboot it seems to be working now :)

Anyway, if my WAN comes down I'll have to edit the workaround rule to use OPT1 as the gateway, right?

hoba · Oct 30, 2006, 3:09 PM

The ftp helper can only be used at the original WAN as it is a userland application that can't make use of the loadbalancer. This is a limitation. Btw, we fixed something behind the scenes, so you should try if you now can do without the workaround rule. Just disable it and try again.

peterclo · Oct 30, 2006, 4:15 PM

No luck without the workaround :(