Netgate Discussion Forum

Problem connecting to ftp sites DUAL WAN using static routing

Routing and Multi WAN
18 Posts 4 Posters 8.5k Views
  • H
    hoba
    last edited by Oct 25, 2006, 2:06 PM

    Ah, ok. I misunderstood something here. I think you are bitten by this bug: http://cvstrac.pfsense.com/tktview?tn=1138,6

    The workaround is in the report. Turn the FTP helper on at the internal subnets and place the loopback rule at every internal interface that needs it. Also try with passive mode if this still doesn't work.

    • R
      rtuin
      last edited by Oct 25, 2006, 2:40 PM

      Hi,

      As indicated, I have enabled it: removed the checkbox at Interfaces -> LAN -> Disable the userland FTP-Proxy application.

      Added the following rule, as indicated in the workaround, for LAN and DMZ:

      Proto     Source   Port   Destination   Port        Gateway   Description
      TCP/UDP   *        *      127.0.0.1     1 - 65535   *         FTP fix

      Please note that I am NOT load balancing, just static routing.

      The issue remains the same. I do not know if the following info is of any use, but just in case: Total Commander FTP client log output. The DOS command line ftp message remains the same also.

      331 User rtuin OK. Password required
      PASS ***********
      230-User rtuin has group access to:  rtuin 
      230 OK. Current restricted directory is /
      SYST
      215 UNIX Type: L8
      FEAT
      211-Extensions supported:
      EPRT
      IDLE
      MDTM
      SIZE
      REST STREAM
      MLST type*;size*;sizd*;modify*;UNIX.mode*;UNIX.uid*;UNIX.gid*;unique*;
      MLSD
      ESTP
      PASV
      EPSV
      SPSV
      ESTA
      AUTH TLS
      PBSZ
      PROT
      211 End.
      Connect ok!
      PWD
      257 "/" is your current location
      Get directory
      TYPE A
      200 TYPE is now ASCII
      PORT 192,168,2,4,15,195
      500 I won't open a connection to 192.168.2.4 (only to my.ext.ip.nr)

      regards,

      rowdy

      • H
        hoba
        last edited by Oct 25, 2006, 3:20 PM

        Try passive mode.

        • R
          rtuin
          last edited by Oct 25, 2006, 3:38 PM

          Hi,
          In passive mode it simply will not LIST.. one can wait for minutes..

          Connect ok!
          PWD
          257 "/" is your current location
          Get directory
          TYPE A
          200 TYPE is now ASCII
          PASV
          227 Entering Passive Mode (85,17,3,142,215,115)
          LIST
          Cancel pressed!

          In DOS the following:
          ftp> ls
          ---> PORT 192,168,2,4,15
          500 I won't open a conne
          ---> NLST
          425 No data connection

          So any suggestions are still welcome.. I am just stuck at this one.
          If someone is able to FTP to websites etc. from LAN to any internet-hosted FTP server using static Dual WAN, please let me know what your settings are..

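The two data-channel negotiations in the logs above (the refused PORT and the 227 passive reply), decoded as an added example that is not part of any post in this thread. The function names are hypothetical, and WAN_IP is a constructed placeholder for the masked "my.ext.ip.nr"; the check mirrors what the server's 500 reply states, namely that it only opens data connections to the address it sees on the control connection.

```python
import ipaddress
import re

# Six comma-separated decimal bytes: h1,h2,h3,h4,p1,p2 (RFC 959 PORT / 227 reply).
TUPLE_RE = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")

def decode_endpoint(line):
    """Return (kind, ip, port) for a PORT command or 227 reply, else None."""
    text = line.strip()
    if text.upper().startswith("PORT "):
        kind = "PORT"
    elif text.startswith("227 "):
        kind = "PASV"
    else:
        return None
    m = TUPLE_RE.search(text)
    if not m or any(int(g) > 255 for g in m.groups()):
        return None  # truncated or malformed tuple, e.g. a cut-off console line
    nums = [int(g) for g in m.groups()]
    ip = ipaddress.IPv4Address(".".join(map(str, nums[:4])))
    return kind, ip, nums[4] * 256 + nums[5]

def audit(lines, control_peer):
    """control_peer: source address the server sees on the control connection."""
    peer = ipaddress.IPv4Address(control_peer)
    findings = []
    for line in lines:
        decoded = decode_endpoint(line)
        if decoded is None:
            continue
        kind, ip, port = decoded
        if kind == "PORT" and ip != peer:
            verdict = "refused: address differs from control peer"
            if ip.is_private:
                verdict += " (RFC 1918 address not rewritten on the way through NAT)"
        elif kind == "PORT":
            verdict = "accepted: matches control peer"
        else:
            verdict = "client opens the data connection to this endpoint"
        findings.append((kind, str(ip), port, verdict))
    return findings

# Lines copied from the client logs in this thread.
LOG = ["TYPE A", "PORT 192,168,2,4,15,195",
       "227 Entering Passive Mode (85,17,3,142,215,115)"]
# Constructed placeholder (TEST-NET-3) standing in for the masked "my.ext.ip.nr".
WAN_IP = "203.0.113.10"

if __name__ == "__main__":
    for finding in audit(LOG, WAN_IP):
        print(finding)
```

The PORT line decodes to 192.168.2.4 port 4035, which is the LAN address the FTP helper was expected to rewrite; the passive reply decodes to 85.17.3.142 port 55155, the endpoint the client then has to reach through the firewall.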
          • H
            hoba
            last edited by Oct 25, 2006, 5:40 PM

            I do, even with loadbalancing in active and passive mode when using this workaround rule  ;)

            • R
              rtuin
              last edited by Oct 25, 2006, 7:58 PM

              hahaha could have guessed…  I hope I will too soon.. :-)

              • H
                hoba
                last edited by Oct 25, 2006, 8:18 PM

                Oh, btw, you have to reset states after you added the loopback rule. If you still have old states in your state table and you try to get to the same server again you will still see the problem. (Diagnostics > States, Reset States)

                • R
                  rtuin
                  last edited by Oct 25, 2006, 8:37 PM

                  :-( did that .. even before posting ..  even after the workaround..

                  I did a reboot and that solves it.. as it seems resetting states isn't working.. I have that with rule changes also..

                  Anyway the workaround has solved the main issue..

                  Thanks Hoba ..

                  • H
                    hoba
                    last edited by Oct 25, 2006, 8:58 PM

                    Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

                    • B
                      billm
                      last edited by Oct 25, 2006, 9:31 PM

                      @hoba:

                      Oh, then you see the filter_reload bug as well. This has been fixed and will be available as download soon (1.0.1 is in the pipe).

                      Arg… that bug SUCKS :-/  Why oh why was this not caught in the RCs? *sigh*  One wonders if nobody used them.

                      --Bill

                      pfSense core developer
                      blog - http://www.ucsecurity.com/
                      twitter - billmarquette

                      • P
                        peterclo
                        last edited by Oct 27, 2006, 4:12 PM

                        I think I have the same problem and even slightly worse  :-\

                        I couldn't connect to any FTP server on the Internet so I added the workaround rule above my Allow All on LAN and redirected it to the default gateway (WAN, I'm load balancing on WAN and OPT1). Now I can connect to FTP servers (including passively) but sometimes it can't LIST, and just hangs there, regardless of the FTP client. I did a state reset and even a reboot, to no avail :(

                        • H
                          hoba
                          last edited by Oct 27, 2006, 11:52 PM

                          Make sure you use "default" (should show up as an asterisk in the rules view) instead of the WAN-IP as gateway.

                          • P
                            peterclo
                            last edited by Oct 30, 2006, 10:59 AM

                            Yep, that's what I was using. I updated to 1.0.1 and after the reboot it seems to be working now :)

                            Anyway, if my WAN comes down I'll have to edit the workaround rule to use OPT1 as the gateway, right?

                            • H
                              hoba
                              last edited by Oct 30, 2006, 3:09 PM

                              The ftp helper can only be used at the original WAN as it is a userland application that can't make use of the loadbalancer. This is a limitation. Btw, we fixed something behind the scenes, so you should try if you now can do without the workaround rule. Just disable it and try again.

                              • P
                                peterclo
                                last edited by Oct 30, 2006, 4:15 PM

                                No luck without the workaround :(

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.