Problem connecting to ftp sites DUAL WAN using static routing



  • Hello,

    I have checked the FAQ section as well as a forum search but am unable to find the answer to what is happening in my case.

    I have a static routed Dual WAN configuration that works fine. (see my previous post for setup details if needed..)

    All LAN traffic is routed by default over OPT1 (WAN2); this works fine. I have also noted that ftp does not work over OPT1, so in Firewall -> Rules -> LAN I have:

    Proto   Source    Port   Destination   Port   Gateway
    tcp     LAN net   *      *             21     *

    The default gateway is WAN, so that should be ok. After this I have the following firewall rule for LAN:

    Proto   Source    Port   Destination   Port   Gateway
    tcp     LAN net   *      *             110    *

    I have this because I want pop routed over the default GW; it works fine.

    Finally I have all other traffic routed over Opt1 (WAN2); it works fine too.

    Proto   Source    Port   Destination   Port   Gateway
    tcp     LAN net   *      *             *      192.168.1.1

    That is my Opt1 (WAN2) gateway.

    But I seem to be missing something in ftp.. it almost works:

    Connected to ftp.test.nl.
    220---------- Welcome to Pure-FTPd [TLS] ----------
    220-You are user number 3 of 50 allowed.
    220-Local time is now 11:45. Server port: 21.
    220-This is a private system - No anonymous login
    220-IPv6 connections are also welcome on this server.
    220 You will be disconnected after 15 minutes of inactivity.
    User (ftp.test.nl:(none)): user
    331 User rtuin OK. Password required
    Password:
    230-User rtuin has group access to:  rtuin
    230 OK. Current restricted directory is /
    ftp> ls
    500 I won't open a connection to 192.168.2.4 (only to 82.215.27.218)
    425 No data connection

    Why is this not NATted?
    In Interfaces -> WAN I have tried both with the Userland FTP-Proxy switched on and off..

    Any help will be appreciated…



  • Your ftp-server doesn't know about its public IP and is handing out its private IP to the client. The ftp proxy usually should fix that if configured properly. Make your ftp-server aware of its public IP (most ftp servers have a setting for this hiding somewhere). You will need to forward another port range that the ftp server uses in addition to port 21 to support passive connections.



  • Hi Hoba,

    I think you misunderstood. I am trying to ftp to a remote site from LAN, so the FTP target server is internet hosted. Just dosbox -> ftp -> open ftp.bla.bla..

    It connects, I can log in.. but as soon as I do ls.. I get this message back from that remote server…
    Other ftp clients are also unable to get listings from remote servers..

    :'( just makes updating a website complicated now...



  • Ah, ok. I misunderstood something here. I think you are bitten by this bug: http://cvstrac.pfsense.com/tktview?tn=1138,6

    The workaround is in the report. Turn the ftp helper on at the internal subnets and place the loopback rule at every internal interface that needs it. Also try with passive mode if this still doesn't work.



  • Hi,

    As indicated I have enabled it: removed the checkbox at Interfaces -> LAN -> Disable the userland FTP-Proxy application.

    Added the following rule, as indicated in the work around, for LAN and DMZ:

    Proto     Source   Port   Destination   Port        Gateway   Description
    TCP/UDP   *        *      127.0.0.1     1 - 65535   *         FTP fix

    Please note that I am NOT load balancing, just static routing.

    The issue remains the same. I do not know if the following info is of any use.. but just in case.. Total Commander ftp client log output. The DOS command line ftp message remains the same also.

    331 User rtuin OK. Password required
    PASS ***********
    230-User rtuin has group access to:  rtuin 
    230 OK. Current restricted directory is /
    SYST
    215 UNIX Type: L8
    FEAT
    211-Extensions supported:
    EPRT
    IDLE
    MDTM
    SIZE
    REST STREAM
    MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
    MLSD
    ESTP
    PASV
    EPSV
    SPSV
    ESTA
    AUTH TLS
    PBSZ
    PROT
    211 End.
    Connect ok!
    PWD
    257 "/" is your current location
    Get directory
    TYPE A
    200 TYPE is now ASCII
    PORT 192,168,2,4,15,195
    500 I won't open a connection to 192.168.2.4 (only to my.ext.ip.nr)

    regards,

    rowdy



  • Try passive mode.



  • Hi,
    In passive mode it simply will not LIST.. one can wait for minutes..

    Connect ok!
    PWD
    257 "/" is your current location
    Get directory
    TYPE A
    200 TYPE is now ASCII
    PASV
    227 Entering Passive Mode (85,17,3,142,215,115)
    LIST
    Cancel pressed!

    In dos the following:
    ftp> ls
    ---> PORT 192,168,2,4,15
    500 I won't open a conne
    ---> NLST
    425 No data connection

    So any suggestions are still welcome.. I am just stuck at this one?
    If someone is able to ftp to websites etc from LAN to any internet hosted ftp server using static Dual WAN please let me know what your settings are..
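    Both failures in the logs above come down to the same thing: the address and port carried inside the FTP control channel. In active mode the client's PORT command advertises 192.168.2.4, a private address the remote server cannot reach (hence "500 I won't open a connection"); in passive mode the server's 227 reply carries the address and port the client must dial. The following is an added Python example, not code from this thread or from pfSense: it decodes the RFC 959 h1,h2,h3,h4,p1,p2 tuple in both the PORT command quoted in the earlier post and the 227 reply quoted here, flags a PORT command that leaks a private address toward a public server, and shows the address rewrite the userland FTP helper performs on the way out. The sample lines are constructed from the quoted logs; the NAT's public address 82.215.27.218 is taken from the server's reply in the first post; the function names are assumptions, and the helper's job of admitting the server's incoming data connection is not modelled.

```python
import ipaddress
import re

# Constructed sample lines, copied in shape from the client logs quoted in
# this thread: an active-mode PORT command sent by the LAN client and a
# passive-mode 227 reply from the remote server.
SAMPLE_PORT = "PORT 192,168,2,4,15,195"
SAMPLE_PASV = "227 Entering Passive Mode (85,17,3,142,215,115)"

# Public address of the LAN's NAT, taken from the server's 500 reply in the
# first post ("only to 82.215.27.218").
NAT_PUBLIC_IP = "82.215.27.218"

_HOSTPORT = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def parse_hostport(line):
    """Decode the RFC 959 h1,h2,h3,h4,p1,p2 tuple used by PORT and 227.

    Returns (IPv4Address, port); the port is p1 * 256 + p2.
    """
    m = _HOSTPORT.search(line)
    if m is None:
        raise ValueError("no h1,h2,h3,h4,p1,p2 tuple in %r" % line)
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        raise ValueError("octet out of range in %r" % line)
    h1, h2, h3, h4, p1, p2 = fields
    addr = ipaddress.IPv4Address("%d.%d.%d.%d" % (h1, h2, h3, h4))
    return addr, p1 * 256 + p2


def encode_hostport(addr, port):
    """Inverse of parse_hostport: build the comma-separated tuple."""
    if not 0 < port <= 65535:
        raise ValueError("port out of range: %r" % port)
    octets = str(ipaddress.IPv4Address(addr)).split(".")
    return ",".join(octets + [str(port // 256), str(port % 256)])


def leaks_private_address(line, remote_ip):
    """True when a PORT/227 line advertises an RFC 1918 address to a public host.

    This is the condition behind "500 I won't open a connection to
    192.168.2.4": the remote server is asked to dial an address that is
    not reachable from its side of the NAT.
    """
    addr, _ = parse_hostport(line)
    return addr.is_private and not ipaddress.IPv4Address(remote_ip).is_private


def rewrite_port_command(line, public_ip):
    """What the FTP helper does to an outbound PORT command: keep the
    client's data port, substitute the NAT's public address. (The helper
    must also let the server's incoming data connection through to the
    LAN host on that port; that part is not modelled here.)"""
    _, port = parse_hostport(line)
    return "PORT " + encode_hostport(public_ip, port)


def pasv_address_matches_server(line, server_ip):
    """Passive-mode sanity check: the 227 reply should point at the host the
    control connection is already talking to. A mismatch means an address
    was rewritten, or left unrewritten, somewhere between client and server."""
    addr, _ = parse_hostport(line)
    return addr == ipaddress.IPv4Address(server_ip)


if __name__ == "__main__":
    print(parse_hostport(SAMPLE_PORT))                         # 192.168.2.4, 4035
    print(leaks_private_address(SAMPLE_PORT, "85.17.3.142"))   # True
    print(rewrite_port_command(SAMPLE_PORT, NAT_PUBLIC_IP))    # PORT 82,215,27,218,15,195
    print(parse_hostport(SAMPLE_PASV))                         # 85.17.3.142, 55155
    print(pasv_address_matches_server(SAMPLE_PASV, "85.17.3.142"))  # True
```

    Running the block on the quoted lines shows why the loopback rule matters: without the helper in the path, the PORT command leaves the LAN with 192.168.2.4 in it and the server has no choice but to refuse; after the rewrite the same command carries the public address and the data port 4035 unchanged, which is the part a packet capture on the WAN side should confirm.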



  • I do, even with loadbalancing in active and passive mode when using this workaround rule  ;)



  • hahaha could have guessed…  I hope I will too soon.. :-)



  • Oh, btw, you have to reset states after you added the loopback rule. If you still have old states in your state table and you try to get to the same server again you will still see the problem. (Diagnostics > States, reset states)



  • :-( did that .. even before posting ..  even after the workaround..

    I did a reboot and that solves it.. as it seems resetting states isn't working.. I have that with rule changes also..

    Anyway the workaround has solved the main issue..

    Thanks Hoba ..



  • Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).



  • @hoba:

    Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

    Arg…that bug SUCKS :-/  Why oh why was this not caught in the RC's sigh.  One wonders if nobody used them.

    --Bill



  • I think I have the same problem and even slightly worse  :-\

    I couldn't connect to any FTP server on the Internet so I added the workaround rule above my Allow All on LAN and redirected it to the default gateway (WAN, I'm loadbalancing on WAN and OPT1). Now I can connect to FTP servers (including passively) but sometimes it can't LIST, and just hang there, regardless of the FTP client. I did a state reset and even a reboot, to no avail :(



  • Make sure you use "default" (should show up as an asterisk in the rules view) instead of the WAN-IP as gateway.



  • Yep, that's what I was using. I updated to 1.0.1 and after the reboot it seems to be working now :)

    Anyway, if my WAN comes down I'll have to edit the workaround rule to use OPT1 as the gateway, right?



  • The ftp helper can only be used at the original WAN as it is a userland application that can't make use of the loadbalancer. This is a limitation. Btw, we fixed something behind the scenes, so you should try if you now can do without the workaround rule. Just disable it and try again.



  • No luck without the workaround :(

