"route: bad address: out" and ftp problem
-
Hi!
This is my first installation so sorry for stupid questions.
I installed pfSense with 5 LAN cards (2 WAN, 1 LAN, 1 DMZ, 1 CARP). During pfSense startup I can see the message:
Checking firewall: "route: bad address: Out" (this message shows a few times). I'm not sure where I can check it; I don't know which tools check routes and firewall rules, or which logs I can check for it?
Another problem is from LAN I can connect everywhere except FTP.
I found on the forum that I need to uncheck "FTP Helper" for the interfaces which I use for FTP and create a firewall rule to send FTP connections through one WAN.
I unchecked "Ftp Helper" for LAN and WAN.
And created a rule for the LAN firewall:
Proto    Source   Port  Destination          Port     Gateway          Description
TCP/UDP  LAN net  *     200.200.200.112/28   20 - 21  200.200.200.113  FTP WORKAROUND
But still I cannot connect to any FTP server.
Thanks for help
Regards,
Hans

WAN: 200.200.200.114/28
WAN-GW: 200.200.200.113
WAN2: 201.201.201.172/29
WAN2-GW: 201.201.201.174
LAN: 192.168.1.0/24
My outbound nat settings:
Interface  Source          Source Port  Destination            Destination Port  NAT Address  NAT Port  Static Port  Description
WAN        192.168.1.0/24  *            200.200.200.112/28     *                 *            *         NO           LAN > WAN
WANTISNET  192.168.1.0/24  *            201.201.201.168/29     *                 *            *         NO           LAN > WANTISNET
WAN        192.168.2.0/24  *            200.200.200.112/28     *                 *            *         NO           DMZ > WAN
WANTISNET  192.168.2.0/24  *            201.201.201.168/29     *                 *            *         NO           DMZ > WANTISNET
WAN        192.168.1.0/24  *            ! 200.200.200.112/28   *                 *            *         NO           WAN > LAN
WAN        192.168.2.0/24  *            ! 200.200.200.112/28   *                 *            *         NO           WAN > DMZ
WANTISNET  192.168.1.0/24  *            ! 201.201.201.168/29   *                 *            *         NO           WANTISNET > LAN
WANTISNET  192.168.2.0/24  *            ! 201.201.201.168/29   *                 *            *         NO           WANTISNET > DMZ
WAN        192.168.1.0/24  *            *                      *                 *            *         NO           Autocreated rule for lan
WANTISNET  192.168.2.0/24  *            *                      *                 *            *         NO           DMZ > WANTISNET
My LAN firewall:
Proto    Source     Port  Destination            Port     Gateway          Description
TCP/UDP  LAN net    *     200.200.200.112/28     20 - 21  200.200.200.113  FTP WORKAROUND
-        LAN net    *     200.200.200.112/28     *        Out Balancer     LAN>WAN
-        ! LAN net  *     ! 200.200.200.112/28   *        Out Balancer     WAN>LAN
*        LAN net    *     201.201.201.168/29     *        Out Balancer     LAN>WANTISNET
*        ! LAN net  *     ! 201.201.201.168/29   *        Out Balancer     WANTISNET>LAN
-        LAN net    *     *                      *        Out Balancer     Default LAN -> any
My WAN 1 firewall:
Proto  Source                            Port  Destination            Port  Gateway          Description
*      RFC 1918 networks                 *     *                      *     *                Block private networks
*      reserved/not assigned by IANA     *     *                      *     *                Block private networks
*      LAN net                           *     200.200.200.112/28     *     200.200.200.113  LAN>WAN
*      DMZ net                           *     200.200.200.112/28     *     200.200.200.113  DMZ > WAN
*      ! LAN net                         *     ! 200.200.200.112/28   *     200.200.200.113  WAN > LAN
-      ! DMZ net                         *     ! 200.200.200.112/28   *     200.200.200.113  WAN > DMZ
MY WAN2 firewall:
Proto  Source     Port  Destination            Port  Gateway          Description
-      LAN net    *     201.201.201.168/29     *     201.201.201.174  LAN > WANTISNET
-      DMZ net    *     201.201.201.168/29     *     201.201.201.174  DMZ > WANTISNET
-      ! LAN net  *     ! 201.201.201.168/29   *     201.201.201.174  WANTISNET > LAN
-      ! DMZ net  *     ! 201.201.201.168/29   *     201.201.201.174  WANTISNET > DMZ
-
Only use special gateways or load-balancing pools at internal interfaces. Don't use them at one of your outgoing interfaces like WAN1 and WAN2. Use default there. You seriously broke routing the way you set it up ;)
Rules are always applied incoming at an interface, so assigning a gateway to a firewall rule at a WAN interface somehow reflects back the traffic.
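The two points in the reply above (rules match traffic entering an interface, and a gateway on a WAN-bound rule sends replies back out a WAN link) can be turned into a quick audit of a rule export. The following is an added example, not code from this thread or from the pfSense project: it reads rules in a constructed pipe-delimited form modelled on the tables Hans posted and reports (1) rules on an outgoing interface that set a non-default gateway and (2) rules whose source alias belongs to another interface and therefore can never match inbound traffic where they are bound. The interface names, the alias-to-interface mapping and the row format are assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Iterable

# A rule as shown in the pfSense rule tables ("*" means any / default gateway).
@dataclass(frozen=True)
class Rule:
    interface: str      # interface the rule is bound to; it matches traffic ENTERING here
    proto: str
    source: str
    src_port: str
    destination: str
    dst_port: str
    gateway: str        # "*" = system routing table, else a gateway IP or pool name
    description: str

# Assumed mapping of "net" aliases to the interface whose traffic they describe.
INTERFACE_NET = {"LAN": "LAN net", "DMZ": "DMZ net"}
# Assumed names of the outgoing (upstream) interfaces; WAN2 is "WANTISNET" in the thread.
OUTGOING_INTERFACES = {"WAN", "WAN2"}


def parse_rule(interface: str, line: str) -> Rule:
    """Parse one constructed row: proto | source | sport | dest | dport | gateway | description."""
    fields = [f.strip() for f in line.split("|")]
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return Rule(interface, *fields)


def check_rules(rules: Iterable[Rule]) -> list[str]:
    """Return one finding string per problem detected; an empty list means clean."""
    findings: list[str] = []
    for r in rules:
        iface = r.interface.upper()
        # (1) policy routing on an outgoing interface: replies get reflected out a WAN link.
        if iface in OUTGOING_INTERFACES and r.gateway != "*":
            findings.append(
                f"{r.interface}: rule '{r.description}' sets gateway {r.gateway}; "
                "use the default gateway on outgoing interfaces"
            )
        # (2) a positive source alias owned by another interface never enters the firewall here
        #     (negated sources like "! LAN net" are legitimate and skipped).
        if not r.source.startswith("!"):
            owner = next((i for i, net in INTERFACE_NET.items() if net == r.source), None)
            if owner is not None and owner != iface:
                findings.append(
                    f"{r.interface}: rule '{r.description}' has source {r.source}, which only "
                    f"enters the firewall on {owner}; it can never match on {r.interface}"
                )
    return findings


def audit(tables: dict[str, list[str]]) -> list[str]:
    """tables maps an interface name to its rows (constructed format)."""
    rules = [parse_rule(iface, line) for iface, rows in tables.items() for line in rows]
    return check_rules(rules)


# Constructed samples, taken from the shapes of the tables posted above.
WAN1_RULES_BEFORE = [
    "* | LAN net | * | 200.200.200.112/28 | * | 200.200.200.113 | LAN>WAN",
    "* | DMZ net | * | 200.200.200.112/28 | * | 200.200.200.113 | DMZ > WAN",
]
WAN1_RULES_AFTER = [  # gateway reset to default, as the reply recommends
    "* | LAN net | * | 200.200.200.112/28 | * | * | LAN>WAN",
]
LAN_RULES = [  # a pool on an internal interface is the intended use
    "* | LAN net | * | * | * | Out Balancer | Default LAN -> any",
]

if __name__ == "__main__":
    for name, tables in [("before", {"WAN": WAN1_RULES_BEFORE, "LAN": LAN_RULES}),
                         ("after", {"WAN": WAN1_RULES_AFTER, "LAN": LAN_RULES})]:
        print(f"--- {name} ---")
        for finding in audit(tables) or ["no findings"]:
            print(finding)
```

The "after" set still produces a finding: resetting the gateway removes the reflection problem, but a WAN rule with source "LAN net" remains dead weight, which is consistent with the later post where all WAN and WAN2 rules were removed and only the LAN rule with the gateway pool was kept.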
-
Thanks for answer.
I did as you told me. That means I changed the rules for the WAN and WAN2 firewalls: I set the default gateway for them.
But I still see the message "route: bad address: out" and cannot connect to any FTP.
Can you tell me which script (program) checks the firewall rules and gives the message about bad address out?
Regards,
Hans

PS. I used this as a manual: http://doc.pfsense.org/contrib/PFSENSE-LoadBalance-FailOver-V3.pdf
My WAN 1 firewall:
Proto  Source                            Port  Destination            Port  Gateway  Description
*      RFC 1918 networks                 *     *                      *     *        Block private networks
*      reserved/not assigned by IANA     *     *                      *     *        Block private networks
*      LAN net                           *     200.200.200.112/28     *     *        LAN>WAN
*      DMZ net                           *     200.200.200.112/28     *     *        DMZ > WAN
*      ! LAN net                         *     ! 200.200.200.112/28   *     *        WAN > LAN
*      ! DMZ net                         *     ! 200.200.200.112/28   *     *        WAN > DMZ
MY WAN2 firewall:
Proto  Source     Port  Destination            Port  Gateway  Description
*      LAN net    *     201.201.201.168/29     *     *        LAN > WANTISNET
*      DMZ net    *     201.201.201.168/29     *     *        DMZ > WANTISNET
*      ! LAN net  *     ! 201.201.201.168/29   *     *        WANTISNET > LAN
*      ! DMZ net  *     ! 201.201.201.168/29   *     *        WANTISNET > DMZ
-
I partly solved the problem with FTP.
The problem was that I had unchecked FTP Helper for LAN.
But now I have other problems. :(
When I use a passive connection I can connect to FTP and can download small files, but I cannot upload anything and cannot enter any directory.
When I use active I get the error "500 Illegal port command".
And of course I can still see "route: bad address: out". I made a small change to my LAN firewall:
Proto    Source   Port  Destination            Port     Gateway          Description
TCP/UDP  LAN net  *     ! 201.201.201.168/29   20 - 21  200.200.200.113  FTP WORKAROUND
TCP/UDP  LAN net  *     201.201.201.168/29     20 - 21  201.201.201.174  FTP WORKAROUND
-
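The "500 Illegal port command" reported above is what an FTP server typically answers when the address a client advertises in its active-mode PORT command does not match the address the control connection came from, a check servers apply so that they are not used as a bounce relay. A client behind NAT advertises its private address unless the firewall's FTP helper rewrites it; in passive mode the server instead announces its own address and a high port, which the firewall only has to permit outbound. The following is an added example that simulates both sides of that exchange; it is not code from this thread or from pfSense, the server-side check models common daemon behaviour rather than any specific product, and the addresses, ports and reply strings beyond the one quoted in the thread are constructed.

```python
from __future__ import annotations
import re

ILLEGAL_PORT = "500 Illegal PORT command."          # reply text quoted in the thread
PORT_OK = "200 PORT command successful."            # constructed success reply


def build_port_command(ip: str, port: int) -> str:
    """Client side of active mode: tell the server where to open the data connection."""
    if not 0 < port < 65536:
        raise ValueError("port out of range")
    h1, h2, h3, h4 = ip.split(".")
    return f"PORT {h1},{h2},{h3},{h4},{port // 256},{port % 256}"


_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")


def parse_port_command(cmd: str) -> tuple[str, int]:
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port); reject malformed input."""
    m = _PORT_RE.match(cmd.strip())
    if not m:
        raise ValueError(f"malformed PORT command: {cmd!r}")
    octets = [int(x) for x in m.groups()]
    if any(o > 255 for o in octets):
        raise ValueError("octet out of range")
    ip = ".".join(str(o) for o in octets[:4])
    return ip, octets[4] * 256 + octets[5]


def server_check_port(control_peer_ip: str, cmd: str) -> tuple[bool, str]:
    """Server side: accept PORT only if it points back at the peer of the control
    connection and at an unprivileged port (the anti-bounce check most daemons apply)."""
    try:
        ip, port = parse_port_command(cmd)
    except ValueError:
        return False, ILLEGAL_PORT
    if ip != control_peer_ip or port < 1024:
        return False, ILLEGAL_PORT
    return True, PORT_OK


def ftp_helper_rewrite(cmd: str, public_ip: str, relay_port: int) -> str:
    """What an FTP helper/proxy on the NAT device does: replace the client's private
    address with the firewall's public address and a port the proxy listens on.
    (relay_port is an assumption; a real helper picks it from its own pool.)"""
    parse_port_command(cmd)          # validate before rewriting
    return build_port_command(public_ip, relay_port)


_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def parse_pasv_reply(reply: str) -> tuple[str, int]:
    """Passive mode: the server announces where the client must connect for data.
    The firewall only needs to allow an outbound TCP connection to that high port."""
    m = _PASV_RE.match(reply.strip())
    if not m:
        raise ValueError(f"malformed 227 reply: {reply!r}")
    octets = [int(x) for x in m.groups()]
    return ".".join(str(o) for o in octets[:4]), octets[4] * 256 + octets[5]


if __name__ == "__main__":
    # Constructed scenario: client 192.168.1.10 on LAN, NAT to the WAN address from the thread.
    client_private, firewall_public = "192.168.1.10", "200.200.200.114"
    cmd = build_port_command(client_private, 5000)
    print(cmd, "->", server_check_port(firewall_public, cmd)[1])          # rejected: private IP
    fixed = ftp_helper_rewrite(cmd, firewall_public, 40001)
    print(fixed, "->", server_check_port(firewall_public, fixed)[1])      # accepted after helper
    print(parse_pasv_reply("227 Entering Passive Mode (203,0,113,5,195,18)"))
```

Without the helper the server sees a control connection from 200.200.200.114 but a PORT command naming 192.168.1.10, so the data connection is refused; with the helper the advertised address matches. Passive mode sidesteps the rewrite entirely, which is why the thread's later fix of allowing the high port range outbound made passive transfers work.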
I unlinked that tutorial some time ago as it is quite confusing and was done with a pretty old version. It's not that complicated anymore. Please start over following these directions: http://wiki.pfsense.com/wikka.php?wakka=OutgoingLoadBalancing
Basically it comes down to just setting up the gateway pool and using it in a firewall rule at LAN.
-
I did as you said.
I removed all rules for outbound NAT.
I also removed almost all rules for NAT, except (ftp 20-21 -> 200.200.200.113, ftp 10000-65000 -> 200.200.200.113, NAT default -> Out Balancer), and removed all rules for WAN and WAN2. After I put ports 20, 21 and 10000-65000 in the firewall, I can use a passive FTP connection from LAN -> outside.
But still after I reboot I can see the message "route: bad address: outside". Now it only repeats 4 times.
Should I worry about this message?
Regards,
Hans
-
Not sure, but if it works now I guess you can ignore it.
-
The link where I got the manual is from the official documentation: http://doc.pfsense.org/index.php/Multi-Wan/Load-Balancing
Maybe it should be removed.
Regards,
Hans
-
Thanks for the hint. Didn't know it's linked there too.