Netgate Discussion Forum

    Need help with ftp problem.

      Richb

      I set up load balancing and failover with 1.2-BETA-1-TESTING-SNAPSHOT-05-09-2007
      built on Fri May 11 16:38:55 EDT 2007.  When I try to connect to an ftp site using passive mode or active mode it logs in fine but hangs on the directory list.  I've searched the forum for solutions and tried several.  Don't know if this helps.

      Firewall: Rules
        LAN        WAN        IPSEC        PPTP VPN        SHAW   
      Proto  Source   Port  Destination    Port      Gateway          Schedule  Description
      *      LAN net  *     64.59.128.220  *         24.66.224.1                Mail out through Shaw
      *      LAN net  *     127.0.0.1      *         *
      TCP    LAN net  *     *              HTTPsAll  ShawFailoverWan
      *      LAN net  *     *              *         WanBalanceShaw             Load Balance Telus & Shaw
      *      LAN net  *     *              *         WanFailoverShaw            Telus Failover to Shaw
      *      LAN net  *     *              *         ShawFailoverWan            Shaw Failover to Telus
      *      LAN net  *     *              *         *                          Default LAN -> any

      Everything else seems to work fine including all 10 vpn connections.  I think I've gone brain dead.
      Any help would be appreciated.

      Thanks
      Richard

        sullrich

        FAQ. Load balancing is not compatible with FTP currently.  Search the forum for more information.

          dotdash

          I'm using the workaround for outbound ftp on dual-wan. My LAN rule for 127.0.0.1 is TCP, don't know if it makes a difference. Also, did you make sure ftp helper is enabled on LAN and disabled on WANs?

            Richb

            Thank you dotdash

            That last tip seems to have done it.  I was screwed up on the ftp helper.  I had the LAN side disabled.
            And thanks for the quick response from both of you.

            Richard

              krull

              Greetings,

              Just to add to this note, the doc.pfsense.org Wiki Entry for Load Balancing clearly states that the FTP Helper SHOULD be checked, but obviously this is incorrect. It should be amended since it's misleading.

              Sticking with the wiki examples (LAN+WAN+WAN2) the FTP Helper setting is as follows:

              LAN: ENABLED
              WAN: DISABLED
              WAN2: DISABLED

              This works as stated by dotdash. Cheers!

                Pootle

                I'm re-doing the multiWAN wiki at the moment to tidy it up, get the rules better sorted out, I'll get the FTP changes in there as well.

                It's here http://doc.pfsense.org/index.php/MultiWanVersion1.2 if you want to check for any other changes I should make... (it's also linked from the main load balance page)

                I'm planning to base the rules on this info from Hoba  ;D

                • destination 127.0.0.1 default gateway (workaround ftphelper and such)
                • destinations ipsecsubnets default gateway (otherwise traffic will be routed around the tunnelentrypoint, not covered yet in the tutorial)
                • destination ports https and such failoverpool wan->opt1 (protocols that have problems when hopping between IPs)
                • destination any loadbalancer pool wan-opt1 (catch all other traffic)

                Presumably the https fix thing won't be needed if sticky is used - is sticky likely to make it into 1.2?

                  krull

                  Hi Pootle,

                  Just skimmed through your revision, and it looks promising! Great job so far!

                  I just finalized my DualWan setup here. I think it's ill-advised to go with the Alias route like the original wiki did unless it is explained a little further in-depth as a lot of people here really screwed things up due to that.

                  I also noticed in your revision that you stuck with the original wiki's 'router mode' versus the 'bridge mode' in the Setting up your modem section. May I suggest you add a remark and/or additional information for those who use Static IPs in 'bridge mode' as well. This way the wiki's thorough and would not confuse first timers such as myself who happened to have two different ISPs with bridge-static-IP-modems to tinker with. (I had to think OTB whilst reading the original wiki based on my setup…)

                  Also concerning the DNS Forwarder setup and those who host servers in-house (like myself...). I noticed the original wiki did not take this into account and for some reason my internally hosted webserver would not resolve to its TLD domain-name if accessed from LAN. I had to explicitly state in the DNS Forwarder the TLD domain-name of my webserver for it to resolve correctly.

                  I think these are the only footnotes I got from the top of my head. Hope this helps... Cheers!

                    Pootle

                    @krull:

                    I think it's ill-advised to go with the Alias route like the original wiki did unless it is explained a little further in-depth as a lot of people here really screwed things up due to that.

                    Thanks for the feedback Krull, take your point, how about just 1 alias for https etc. ports that tend to get upset by load balancing - the others are of less value, but without this one, several rules would be required?

                    I'll see what I can do about the other bits - DNS definitely, I do it that way myself, but bridge mode I have limited knowledge of  ::)
