"route: bad address: out" and ftp problem



  • Hi!

    This is my first installation so sorry for stupid questions.
    I installed pfsense with 5 lan cards (2 wan, 1 lan,1 dmz,1 carp).

    During pfSense start I can see message:
    Checking firewall: "route: bad address: Out" (this message shows a few times).

    I'm not sure where I can check this. I don't know which tools check routes and firewall rules, or which logs I can check for it.

    Another problem is that from LAN I can connect everywhere except FTP.
    I found on the forum that I need to uncheck "FTP Helper" for the interfaces I use for FTP and create a firewall rule to send FTP connections through one WAN.
    I unchecked "FTP Helper" for LAN and WAN.
    And created a rule for the LAN firewall:
    Proto      Source          Port    Destination      Port      Gateway          Description
    TCP/UDP LAN net * 200.200.200.112/28 20 – 21      200.200.200.113 FTP WORKAROUND

    But I still cannot connect to any FTP server.

    Thanks for the help

    Regards,
    Hans

    WAN: 200.200.200.114/28
    WAN-GW: 200.200.200.113

    WAN2: 201.201.201.172/29
    WAN-GW: 201.201.201.174

    LAN: 192.168.1.0/24

    My outbound NAT settings:
    Interface  Source  Source Port  Destination  Destination Port  NAT Address  NAT Port  Static Port  Description

    WAN  192.168.1.0/24 * 200.200.200.112/28 * * * NO LAN > WAN

    WANTISNET  192.168.1.0/24 * 201.201.201.168/29 * * * NO LAN > WANTISNET

    WAN  192.168.2.0/24 * 200.200.200.112/28 * * * NO DMZ > WAN

    WANTISNET  192.168.2.0/24 * 201.201.201.168/29 * * * NO DMZ > WANTISNET

    WAN  192.168.1.0/24 * ! 200.200.200.112/28 * * * NO WAN > LAN

    WAN  192.168.2.0/24 * ! 200.200.200.112/28 * * * NO WAN > DMZ

    WANTISNET  192.168.1.0/24 * ! 201.201.201.168/29 * * * NO WANTISNET > LAN

    WANTISNET  192.168.2.0/24 * ! 201.201.201.168/29 * * * NO WANTISNET > DMZ

    WAN  192.168.1.0/24 * * * * * NO Autocreated rule for lan

    WANTISNET  192.168.2.0/24 * * * * * NO DMZ > WANTISNET

    My LAN firewall:

    Proto  Source  Port  Destination  Port  Gateway  Description

    TCP/UDP LAN net * 200.200.200.112/28 20 – 21    200.200.200.113 FTP WORKAROUND

    * LAN net * 200.200.200.112/28 * Out Balancer LAN>WAN

    * ! LAN net * ! 200.200.200.112/28 * Out Balancer WAN>LAN

    * LAN net * 201.201.201.168/29 * Out Balancer LAN>WANTISNET

    * ! LAN net * ! 201.201.201.168/29 * Out Balancer WANTISNET>LAN

    * LAN net * * * Out Balancer Default LAN -> any

    My WAN 1 firewall:

    Proto  Source  Port  Destination  Port  Gateway  Description

    * RFC 1918 networks * * * * Block private networks

    * reserved/not assigned by IANA * * * * Block private networks

    * LAN net * 200.200.200.112/28 * 200.200.200.113 LAN>WAN

    * DMZ net * 200.200.200.112/28 * 200.200.200.113 DMZ > WAN

    * ! LAN net * ! 200.200.200.112/28 * 200.200.200.113 WAN > LAN

    * ! DMZ net * ! 200.200.200.112/28 * 200.200.200.113 WAN > DMZ

    My WAN2 firewall:

    Proto  Source  Port  Destination  Port  Gateway  Description

    * LAN net * 201.201.201.168/29 * 201.201.201.174 LAN > WANTISNET

    * DMZ net * 201.201.201.168/29 * 201.201.201.174 DMZ > WANTISNET

    * ! LAN net * ! 201.201.201.168/29 * 201.201.201.174 WANTISNET > LAN

    * ! DMZ net * ! 201.201.201.168/29 * 201.201.201.174 WANTISNET > DMZ



  • Only use special gateways or load-balancing pools at internal interfaces. Don't use them at one of your outgoing interfaces like WAN1 and WAN2. Use default there. You seriously broke routing the way you set it up  ;)

    Rules are always applied incoming at an interface, so assigning a gateway to a firewall rule at the WAN interface somehow reflects back the traffic.
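The rule-placement point above can be checked mechanically. The following is an added example, not code from the thread or from pfSense: it parses a small rule table constructed from the rows posted earlier in this thread (the tab-separated layout is an assumption for this example, not a pfSense export format) and flags every rule on a WAN-side interface that carries a non-default gateway or pool, since such a rule is evaluated on traffic entering that WAN interface rather than on traffic leaving it.

```python
# Added example: lint pfSense-style firewall rules for gateways set on WAN-side interfaces.
# Rule rows are constructed from the tables posted in this thread; the tab-separated
# text format below is an assumption for this example, not a pfSense export format.
RULES_TSV = """\
iface\tsrc\tdst\tgw\tdesc
WAN\tLAN net\t200.200.200.112/28\t200.200.200.113\tLAN>WAN
WAN\tDMZ net\t200.200.200.112/28\t200.200.200.113\tDMZ > WAN
WAN2\tLAN net\t201.201.201.168/29\t201.201.201.174\tLAN > WANTISNET
LAN\tLAN net\t*\tOut Balancer\tDefault LAN -> any
LAN\tLAN net\t200.200.200.112/28\t200.200.200.113\tFTP WORKAROUND
"""

# Interfaces that face the Internet; rules here should use the default gateway ("*").
WAN_INTERFACES = {"WAN", "WAN2"}

# Gateway column values that mean "use the system default route".
DEFAULT_GATEWAY_MARKERS = {"*", "", "default"}


def parse_rules(text):
    """Turn the tab-separated table into a list of dicts keyed by the header row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def misplaced_gateways(rules, wan_interfaces=WAN_INTERFACES):
    """Return rules bound to a WAN-side interface that set an explicit gateway or pool.

    pfSense evaluates a rule on the interface where the packet arrives, so a
    policy-routing gateway belongs on the LAN/DMZ rule that admits the traffic,
    not on a WAN rule, which only ever sees traffic coming in from the Internet.
    """
    return [
        r for r in rules
        if r["iface"] in wan_interfaces
        and r["gw"].strip().lower() not in DEFAULT_GATEWAY_MARKERS
    ]


if __name__ == "__main__":
    for rule in misplaced_gateways(parse_rules(RULES_TSV)):
        print("gateway %-16s on %-5s rule %r should be default"
              % (rule["gw"], rule["iface"], rule["desc"]))
```

Run against the constructed table it reports the three WAN/WAN2 rows and leaves both LAN rows alone, which matches the advice given in the reply above.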



  • Thanks for answer.
    I did as you told me. That means I changed the rules for the WAN and WAN2 firewalls and set the default gateway for them.
    But I still see the message "route: bad address: out" and cannot connect to any FTP.
    Can you tell me which script (program) checks the firewall rules and gives the information about bad address out?

    Regards,
    Hans

    PS. I used this as a manual: http://doc.pfsense.org/contrib/PFSENSE-LoadBalance-FailOver-V3.pdf

    My WAN 1 firewall:

    Proto    Source    Port    Destination    Port    Gateway    Description

    *    RFC 1918 networks    *    *    *              *        Block private networks

    *    reserved/not assigned by IANA    *    *    *    * Block private networks

    *    LAN net    *    200.200.200.112/28    *      *  LAN>WAN

    *    DMZ net    *    200.200.200.112/28    *      *  DMZ > WAN

    *    ! LAN net    *    ! 200.200.200.112/28    *    *  WAN > LAN

    *    ! DMZ net    *    ! 200.200.200.112/28    *        *  WAN > DMZ

    My WAN2 firewall:

    Proto    Source    Port    Destination    Port    Gateway    Description

    *    LAN net    *    201.201.201.168/29    *        *  LAN > WANTISNET

    *    DMZ net    *    201.201.201.168/29    *        *  DMZ > WANTISNET

    *    ! LAN net    *    ! 201.201.201.168/29    *      *  WANTISNET > LAN

    *    ! DMZ net    *    ! 201.201.201.168/29    *      *  WANTISNET > DMZ



  • I partly solved the problem with FTP.
    The problem was that I unchecked FTP Helper for LAN.
    But now I have other problems. :(
    When I use a passive connection I can connect to the FTP server and download small files, but I cannot upload anything and cannot enter any directory.
    When I use active I get error 500 Illegal port command.
    And of course I can still see route: bad address: out.

    I made a small change to my LAN firewall:
    TCP/UDP LAN net * ! 201.201.201.168/29 20 - 21 200.200.200.113 FTP WORKAROUND
    TCP/UDP LAN net * 201.201.201.168/29 20 - 21 201.201.201.174 FTP WORKAROUND



  • I unlinked that tutorial some time ago as it is quite confusing and was done with a pretty old version. It's not that complicated anymore. Please start over following these directions: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing

    Basically it comes down to just setting up the gateway pool and using it in a firewall rule at LAN.



  • I did as you said.
    I removed all rules for outbound NAT.
    I also removed almost all rules for NAT, except (ftp 20-21 -> 200.200.200.113, ftp 10000-65000 -> 200.200.200.113, NAT default -> Out Balancer), and removed all rules for WAN and WAN2.

    After I put ports 20, 21 and 10000-65000 in the firewall, I can use a passive FTP connection from LAN -> outside.

    But after I reboot I still see the message route: bad address: outside. Now it only repeats 4 times.

    Should I worry about this message?

    Regards,
    hans



  • Not sure, but if it works now I guess you can ignore it.



  • The link from which I got the manual is in the official documentation: http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing

    Maybe it should be removed.

    Regards,
    Hans



  • Thanks for the hint. Didn't know it's linked there too.

