FTP Server behind pfSense 2.0.1 Release amd64 and Dual WAN



  • Hi Everybody,
    I'm setting up an FTP server behind pfSense 2.0.1 Release amd64 in a dual WAN environment.
    My setup is:

    WAN1: Static Public IP used for default internet traffic out from the LAN, but not the default gateway interface. I have a Limiter and Queues on this interface to manage priorities and limit the outgoing traffic of clients, to leave some bandwidth free for VoIP and other critical services.
    WAN2: Static Public IP used for IPsec VPN and PPTP VPN, and this is the default gateway interface because IPsec and PPTP only work if the interface is the default gateway.
    LAN: usual LAN address 192.168.0.0/24

    I use the Linux command-line ftp client with Extended Passive mode to run the tests from the outside.
    If I set up a port forward from WAN1 to the FTP server's internal IP it works well, but only if the transfer takes less than 2 minutes (more or less) to complete.
    If the transfer takes more than 2 minutes, the transfer hangs (the client says Stalled) and I see in the firewall logs of the pfSense box that the data packets and ACK packets from the server to the FTP client start to exit from the WAN2 interface (and are blocked by the firewall because there is no established TCP connection on that interface, since the session started on the WAN1 interface) and no longer from the WAN1 interface.

    It seems to be a problem with tracking the NAT session (probably the one started on port 21 from the client), which reaches some sort of timeout and expires… After this session expires, pfSense has no more record that the outgoing packets of the session should go out from WAN1 and starts to send them out from the default gateway interface.

    To be sure of this I tried to set up the same rule on WAN2, and the problem doesn't occur.

    Another thing is that I read a lot around about an FTP Helper to be enabled/disabled on the interfaces, but I haven't found anything about it in pfSense 2.0.1. Maybe it has been removed or something like this. Can you give me any help with the issue?

    Thank you
    Regards,
    Hunters



  • I'd say set up your FTP server to go out only on one WAN (outbound rule); that should fix the problem.

    @hunters:

    Another thing is that I read a lot around about an FTP Helper to be enabled/disabled on the interfaces, but I haven't found anything about it in pfSense 2.0.1. Maybe it has been removed or something like this. Can you give me any help with the issue?

    I think this is now here:
    System: Advanced: System Tunables : debug.pfftpproxy

