2 Issues with pfSense 1.2 RC3



  • It seems that there are two major issues with pfSense 1.2 RC3 that I have encountered and have read on here to be verifiable.

    #1 - NAT reflection - whatever the feature is called or its function, having access to internal resources (out to the Internet and back in) - this should work, period; all other firewalls do, so not sure why not in pfSense.

    #2 - FTP - FTP helper or not - why does such a major piece of firewall like pfSense have such a difficult time handling this?  Again, other firewalls have this, but not pfSense.

    Now, the developers can say go to another firewall or whatever, but to me, you have a very nice product to NOT take care of these things.  I prefer to use your product, so I guess my question is, are these issues going to be addressed in the near term - as in when?

    BTW, are these issues present in m0n0wall?

    Also, this is just friendly feedback!  Thanks and still a great product… :D



  • … you don't say what your problem is, only that you have issues.

    Since these features work for almost everyone, I assume you did something wrong.



  • First, let me address FTP… look across these boards, FTP is an ISSUE.  You are a so-called "hero" member but you deny this (maybe not deny, but it's a user error mentality)?  Look at the FTP workarounds in the docs, it says if it still does not work, change the firewall... HELLO, I think that summarizes the fact that it does NOT work 100%.  I've used SonicWall, IPCOP before, etc. - they all worked.  The GUI may be different, but the principles of how they work are still the same.  Maybe you can use the search above and look up FTP issues - and you will see.  Again, read the docs on FTP issues and workarounds by the pfSense team.  Just for grins, I opened up all ports - source and destination, did a scan on all of my ports being verified as open - enabled and disabled FTP helper on LAN and WAN and it STILL did not work - I plugged in a SonicWall 2040 and then an IPCOP - and THEY worked.  Also, I have 80/443 open on the same server and THOSE work just fine too - and I was using pfSense in this instance!  So I obviously know how to NAT and create rules just fine there.  Used this too - http://wiki.pfsense.com/wikka.php?wakka=IncomingFTPHowTo&show_comments=1 and http://devwiki.pfsense.org/FTPTroubleShooting What else do you think I overlooked here?

    Second, NAT reflection.  I am trying to access our own web site internally that's accessible from the outside.  On these boards, it was suggested to uncheck the NAT reflection feature so internally I can access them - that did not work.  Also, per the board, there is an "ugly" hack pertaining to how this feature works.  Another suggestion was to set up a split DNS to handle internal requests - although of course that will work - why is this the only firewall you have to do this in?  To use a product means simplicity and ease of use - not use of "workarounds" - this even works on low-end devices, Linksys/D-Link etc. routers.

    Look, I like the product, but what I've found is verified by other users ON THESE boards.  Simply stating I do not know what I'm doing is not the answer.  I went to the boards and read all docs - so I definitely am not the isolated issue.

    My only real question was, does m0n0wall have the same issue (I guess I'll have to find out), and when are the issues going to be fixed?  Yes it is broken - if this was commercial software, the postings on these boards indicate a problem - do your own reading on NAT reflection and FTP helper - look at the issues on those terms alone.

    As far as the issues I have had, I posted them and the responses or suggestions did not work.  I am a user who actually reads these boards and tries out the many other suggestions - not just my postings.  As you can see from my first paragraph, how I concluded FTP was an issue was from my own test using other firewalls, and other services still work - obvious logical test procedures.



  • @pinoyboy:

    (maybe not deny, but its a user error mentality)

    Of course I have a user error mentality ;)
    90% of all errors here on this board are because someone misconfigured or followed a guide but didn't understand it and did something wrong.

    Now let's try to find out why your FTP isn't working.
    What exactly do you mean you opened all ports? Did you forward all ports? Only firewall rules aren't enough.
    Also take into account that after creating the rules (depending on hardware) it can take up to a minute until the rules are in effect.

    In what order did you create the NAT rules / enable the FTP helper?

    Please note that you have to add the NAT mapping AFTER having enabled the FTP helper, because an additional rule will be created for it to work.

    Which FTP server are you using? Which port range for data do you use?

    Btw: do you have "static port" under Advanced outbound NAT active?

    To NAT reflection: You cannot reflect port ranges >500.
    So if you have a transfer port range for FTP bigger than 500 the reflect rule will not be installed.
    Also I think I read somewhere that there is a maximum of 1000 reflects that can be active.

    I read through the posts you already have on the board and I think you want NAT reflection to work with 1:1 NAT on VIPs.
    I'm not sure if this is possible.



  • @pinoyboy:

    #1 - NAT reflection - whatever the feature is called or its function, having access to internal resources (out to the Internet and back in) - this should work period, all other firewalls do so not sure why not in pfSense.

    Really?  You should tell that to Cisco and Microsoft, both sell $$$ firewall products that do not do NAT reflection. Ours works fine for < 500 ports. It may work for other circumstances in the future, but it's a nasty ugly hack no matter how it's implemented.

    @pinoyboy:

    #2 - FTP - FTP helper or not

    FTP works fine. The only known limitation is not being able to use anything but the primary WAN if you have a multi-WAN setup. That'll be fixed in a future version.

    @pinoyboy:

    BTW, are these issues present in m0n0wall?

    Yes, in the case of NAT reflection m0n0wall doesn't have it at all. FTP works fine on both, but some people with both love to gripe about how it doesn't work when they've misconfigured something.

    @GruensFroeschli:

    Of course I have a user error mentality ;)
    90% of all errors here on this board are because someone misconfigured

    Bingo!

    But just 90%?  C'mon, GruensFroeschli you've been around long enough to know it's more like 99% of all posts.  ;D



  • I am currently having FTP failure as well. And I'd be happy to have it due to 'user-error' as that means there is an easy fix. I have found the documentation around this confusing…

    FTP outbound was working under SmoothWall. FTP stopped working when we cut-over to pfsense. PFSense was a little touchy on set-up, but everything else is working great now that we figured it out. The multiple WAN and High-availability features are what brought us to the software. Both are working as promised! Very exciting!

    SETUP: 2 x pfSense 1.0.1, multiple WAN setup (WAN / OPT1) on both with Virtual IPs / CARP failover for HA over dedicated OPT2. Outbound rule uses "Default" as gateway (which I understand to be WAN). Outbound WAN NATs to appropriate Virtual IP and port is *, Static Port = NO. Only open inbound ports are 80/443, which work great. We are not trying to host an FTP server, simply run our FTP scripts from inside LAN on clients. Would expect this to be simple enough.

    BEHAVIOR: We get a successful log in from remote FTP servers over WAN, but directory browsing or file download hang and eventually time out.

    What in the world is "userland FTP-Proxy application"? In any case, I unchecked "Disable" (didn't work either way).

    Any suggestions?



  • Upgrade to 1.2-RC3, re-enable FTP helper.



  • Appreciate the comment… But...

    1. I don't see in the documentation where the FTP from LAN issue was addressed in 1.2 RC3, was it in an earlier release note that I missed?

    2. Why would I want to go from a full release to an RC?  Especially if the answer to #1 is not definite?

    Thx



  • @purdue512:

    What in the world is "userland FTP-Proxy application"? In any case, I unchecked "Disable" (didn't work either way).

    Here is a good treatment on what the ftp helper does and why it is needed:
    http://home.nuug.no/~peter/pf/en/ftpproblem.html
    AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
    Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
    Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.
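    As an added illustration of the problem the linked page describes (this is example code written for this thread, not code from pfSense, pftpx or any poster): the FTP data connection's address and port are negotiated inside the port-21 control channel (PORT in active mode, the 227 reply in passive mode), so a packet filter that only tracks the control session cannot know which data flow to permit. A helper reads those messages and opens a matching pinhole. The script parses both message forms from a constructed transcript and derives the flow a firewall would have to allow; the peer-address and privileged-port checks are this example's own sanity checks, not a description of pftpx.

```python
import re
from dataclasses import dataclass

# 'h1,h2,h3,h4,p1,p2' as carried by PORT (client) and the 227 reply (server).
HOSTPORT = r"(\d{1,3}(?:,\d{1,3}){5})"
PORT_RE = re.compile(r"^PORT " + HOSTPORT + r"\s*$")
PASV_RE = re.compile(r"^227 .*?\(" + HOSTPORT + r"\)")


@dataclass(frozen=True)
class Pinhole:
    """One TCP flow the firewall must allow for the data channel."""
    mode: str   # "active": server connects to client; "passive": client to server
    src: str    # connecting host
    dst: str    # listening host
    dport: int  # listening port


def decode_hostport(spec):
    """'h1,h2,h3,h4,p1,p2' -> ('h1.h2.h3.h4', p1*256 + p2)."""
    parts = [int(p) for p in spec.split(",")]
    if len(parts) != 6 or any(p > 255 for p in parts):
        raise ValueError(f"malformed host/port tuple: {spec!r}")
    return ".".join(map(str, parts[:4])), parts[4] * 256 + parts[5]


def _check(host, port, expected_host, what):
    # This example's own sanity checks (not a claim about pftpx): the advertised
    # address must be the peer already on the control channel, so the channel
    # cannot be used to open a hole to a third host, and the port must be >= 1024.
    if host != expected_host:
        raise ValueError(f"{what} advertises {host}, expected {expected_host}")
    if port < 1024:
        raise ValueError(f"{what} advertises privileged port {port}")


def pinhole_for_port(line, client_ip, server_ip):
    """Active mode: client sends PORT, server connects back to client host:port."""
    m = PORT_RE.match(line)
    if not m:
        raise ValueError(f"not a PORT command: {line!r}")
    host, port = decode_hostport(m.group(1))
    _check(host, port, client_ip, "PORT")
    return Pinhole("active", server_ip, host, port)


def pinhole_for_pasv(line, client_ip, server_ip):
    """Passive mode: server replies 227, client connects to server host:port."""
    m = PASV_RE.match(line)
    if not m:
        raise ValueError(f"not a 227 reply: {line!r}")
    host, port = decode_hostport(m.group(1))
    _check(host, port, server_ip, "227 reply")
    return Pinhole("passive", client_ip, host, port)


def pinholes_from_transcript(lines, client_ip, server_ip):
    """Walk a control-channel transcript ('C: ' client, 'S: ' server lines)."""
    holes = []
    for raw in lines:
        who, _, msg = raw.partition(": ")
        if who == "C" and msg.startswith("PORT "):
            holes.append(pinhole_for_port(msg, client_ip, server_ip))
        elif who == "S" and msg.startswith("227 "):
            holes.append(pinhole_for_pasv(msg, client_ip, server_ip))
    return holes


# Constructed transcript: LAN client 192.168.1.10 talking to server 203.0.113.5.
SAMPLE = [
    "S: 220 FTP ready",
    "C: PASV",
    "S: 227 Entering Passive Mode (203,0,113,5,39,16)",
    "C: LIST",
    "C: PORT 192,168,1,10,4,1",
    "C: RETR file.bin",
]
```

    Running pinholes_from_transcript(SAMPLE, "192.168.1.10", "203.0.113.5") yields one passive flow to 203.0.113.5:10000 and one active flow back to 192.168.1.10:1025, which is exactly what a plain stateful rule on port 21 never sees.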



  • And also, if you enabled the FTP helper on the LAN interface, take a look at the firewall logs, so you will see what happened.



  • Because 1.2-RC3 has no known bugs.  1.0.1 has many known bugs.



  • Okay.. Thanks. I'll give this a try.

    In a HA / CARP situation, can I run the upgrade on the BACKUP box and then test, switch to MASTER and repeat? Or will that mess something up because the two will be on different versions for a short while?

    In other words, is down-time required for this upgrade?

    Thx



  • Upgrade the secondary and verify that it looks okay and then upgrade the primary.



  • @sullrich:

    Upgrade the secondary and verify that it looks okay and then upgrade the primary.

    This went very smoothly. Upgraded the secondary.. Pushed it into service for a while, all was good. Upgraded the primary.

    @dotdash:

    Here is a good treatment on what the ftp helper does and why it is needed:
    http://home.nuug.no/~peter/pf/en/ftpproblem.html
    AFAIK, pfSense is using pftpx, which is similar to the current OpenBSD ftp proxy.
    Aside from a few weird configurations, I've always had success with simply enabling the helper on the LAN, disabling on the WAN, and in the case of multi-WAN, adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules.
    Oh, and it's been posted many times elsewhere that the newer 1.2 RC releases are more stable and bug-free than the 1.0.1 release.

    1. Tried this… FTP HELPER is ONLY enabled (by UN-checking DISABLE) on the LAN.. It is checked (disabled) on WAN, OPT1, OPT2...  Still nothing.

    2. "adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules"

    More detail please. I have a rule on the LAN that allows * * * * through... So, it's wide open from the LAN interface. Is something else meant here?

    3. Finally, I looked in the logs, don't see anything here about this.

    My FTP behavior has not changed. It still allows me to log in successfully. But when I try a GET or a DIR, it hangs and then I get "disconnected by host" after a timeout...  What am I missing here??? I'm just trying to FTP from LAN...



  • Using proxyarp ips by chance?  Have you seen http://devwiki.pfsense.org/FTPTroubleShooting ??



  • @sullrich:

    Using proxyarp ips by chance?  Have you seen http://devwiki.pfsense.org/FTPTroubleShooting ??

    1. Nope. All Virtual IPs are CARP.

    2. I thought I had seen that post, but it's a different one. I will check it out. Thanks.



  • Outgoing FTP (LAN -> Internet) UPDATED PORTS, please check!

    1. Ensure that the FTP helper is not disabled on Interfaces, LAN
    2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.
    3. If you are running windows try turning off the windows firewall

    Okay - I've done all this… SAME FTP BEHAVIOR...  Logs in, but then drops session. This is from two independent FTP servers that both work when tested from another network. Both worked before the PFSense install.

    Can someone elaborate on the "LOOPBACK" in #2 above...  I have a rule on LAN for * * * *  PASS, that should cover it... Just for fun, I added 127.0.0.1 * 8000 - 8030 PASS also, no difference...

    Oh no, the above doesn't help. What can I do?

    1. Use SCP/SFTP which only needs 1 port to traverse the firewall since it's wrapped in SSH (yes a safe AND simple way of traversing a firewall!)
    2. Don't use FTP
    3. Turn off the FTP helper option in Interfaces -> LAN and Interfaces ->WAN or any optional interfaces in use.
    4. Switch to an alternative firewalling system

    Are you serious with #2 and #4?  I am trying really hard to make this problem "my fault." Believe me, I'd like for nothing more than to see how I've messed this up so I can flip a switch and have FTP working. But so far, nothing helps. Please see the chain above, I'm open to being wrong and would love suggestions.

    That being said, FTP is used by MANY MANY major corporations in America. We use it for data communication (encrypted files, of course) with GE, Nissan, AT&T, Coca Cola, to name a few. If you want to be taken seriously, this needs attention (or at least documentation). You can't just tell these guys "sorry, we can't do FTP." This software seems TOTALLY AWESOME with the exception of the FTP feature. I'd hate to see something so small holding this back from making the big time…



  • @purdue512:

    1. "adding the 'allow tcp from LAN net to loopback' rule at the top of the LAN rules"

    More detail please. I have a rule on the LAN that allows * * * * through… So, it's wide open from the LAN interface. Is something else meant here?

    With dual-WAN setups, I add a new rule as the first rule on the LAN:
    TCP  LAN-net  * 127.0.0.1/31 * *



  • @dotdash:

    With dual-WAN setups, I add a new rule as the first rule on the LAN:
    TCP  LAN-net  * 127.0.0.1/31 * *

    Thanks. I have that.. No love.

    Can you tell me if you need anything special in NAT: PORT FORWARD? I am assuming NO because my FTP session originates from LAN. But I'm out of ideas.



  • WOW, thanks Purdue for picking up where I started with this whole FTP issue!  Anyhow, I will be able to test my side of things by the weekend (being production).  You obviously have found the exact frustration I have with this - different systems work except pfSense - and other ports work too - like HTTP/HTTPS/RDP/etc.  In the beginning though I had not tried to ENABLE/DISABLE the FTP Helper on the LAN/WAN interface BEFORE creating my NAT rules, so I will try that for my next step.  But hopefully you get it resolved as I feel we may be working with a very similar problem - you are right in that #2 and #4 suggestions by the pfSense group are quite absurd.  I agree it is great software/potential, but the lack of documentation and a basic working feature (major corps use) is essential.

    If it makes any difference - I use G6 FTP Server - very robust and well known FTP server - http://www.g6ftpserver.com/

    Thanks.



  • No problem pinoyboy. I just hope one of us finds the secret answer to the riddle here.

    I'm really glad you posted because it jogged a memory for me. When I did my original install I did notice that the ORDER of how you built things was really important. I'm in the same boat as you, fiddling with the FTP settings AFTER the nat / virtual IPs are set up. Perhaps this is a no-go?

    Please let me know what you find and I'll continue to share as well…  Other than this FTP issue, I'd give this software an A+ for high-volume production deployment.



  • dotdash or anyone, in the beginning you mentioned you have this FTP working - I assume the FTP inbound (from outside to your internal server - not port forwarding but 1:1).  IF you don't mind, could you post screenshots, in order, of the steps you took to get this working? For example if you set up VIP, Proxy ARP, NAT policies, and Firewall rules, etc. - post the screenshots in that order of your successful setup.  Of course changing IPs  ::) - maybe this will ensure we are working identically to a known working configuration.  IF you can't do screenshots, please clarify for us YOUR STEP by STEP to get this set up, discussing everything from whether it is Proxy ARP or CARP, etc.  Kindly appreciated! ;D

    BTW, the NAT reflection I have is VIP/Proxy ARP and NOT CARP and the only ports I am trying to enable here are 80/443 and yes 20/21.  Can I just access my own resources internally also please?!!!  (Comment to self).



  • I need this as well for FTP…  Thx



  • Ok, not the best example, but here are some screen shots. Usually just using outbound ftp here, but I recently setup a temp ftp site for someone to transfer some files. I have tested outbound and inbound using command line ftp from XP/server 2003 and the Windows version of FileZilla.
    While I'm thinking about it, try this from a shell:
    ps -xa |grep pftpx
    You should see an instance for every interface you are running the helper on.



  • Thanks for this… Can I assume that FTP outbound from LAN was working before you put in the temporary FTP server?



  • Yeah, outbound was working before adding the NAT for the temporary ftp.



  • Thank you sir!  A couple of questions/comments…

    (1)  Based on the FTP Helper screenshots you have, it is the default settings from pfSense - "out of the box"

    (2)  Virtual IPs (aka VIP) for this is CARP not Proxy ARP; I suppose this is the only way to get it to work?  Based on my previous posting I had to set up my VIP with Proxy ARP to get my 1:1 to go across for various services (HTTP, HTTPS, RDP, PPTP, SMTP, etc) with various servers - I have maybe 8 servers that require the same exact ports open and translated using 1:1 Proxy ARP per previous suggestion.  I guess my question here is since I have static mappings going 1:1 in a range, should I remove my Proxy ARP and change to a RANGE as you have there using CARP, then manually taking care of the actual mappings of each port at the firewall rules level?

    NOTE:  with pfSense, I was told in a previous post that if I wanted 1:1 to work and all my servers had the same services, I had to use Proxy ARP with VIP - looks like you are saying I can use a range of say 216.x.x.x/28 with CARP instead, then follow up with individual firewall rules for each server and service?

    (3)  The magic I see here is perhaps having the port forwarding you have for port 21 (not a 1:1); how would this work if I had two or more FTP servers?  Would I just port forward 21 using a different source IP (part of VIP range) natted to the proper internal IP?

    (4)  Lastly, could you briefly expand on that ftp hack piece?

    Thank you again!



  • @pinoyboy:

    (2)  Virtual IPs (aka VIP) for this is CARP not Proxy ARP; I suppose this is the only way to get it to work?  Based on my previous posting I had to set up my VIP with Proxy ARP to get my 1:1 to go across for various services (HTTP, HTTPS, RDP, PPTP, SMTP, etc) with various servers - I have maybe 8 servers that require the same exact ports open and translated using 1:1 Proxy ARP per previous suggestion.  I guess my question here is since I have static mappings going 1:1 in a range, should I remove my Proxy ARP and change to a RANGE as you have there using CARP, then manually taking care of the actual mappings of each port at the firewall rules level?

    Here are my caveats:

    1. I haven't had the need to setup more than one ftp server behind a single pfSense.
    2. I generally use port-forward instead of 1-1 NAT, as I like to create duplicate port-forwards for each WAN and AFAIK, you can't do that with 1-1s.
    3. I'm more concerned with outbound ftp than inbound- if someone wants data from a network I manage, I'm in a better position to insist they use something other than ftp. I view outbound ftp as a necessary evil.

    So far, the only outbound issues I've had have been with dual-wan (which is fixed by adding the rule which allows traffic to the ftp proxy process listening on loopback) and a few times where I've seen the pftpx process die. That's why I asked about the pftpx process in ps. I've only seen it a few times, and they were pre-1.2 builds, but I fixed it by disabling the ftp helper on the LAN, saving, then re-enabling.

    CARP addresses are added singly, but require the correct subnet mask. I thought the issue with proxy-arp's was that you couldn't run the ftp-helper on them, but I'm not sure. My thought is that a 1-1 NAT would be better suited for running an FTP server than port-forwards, but can't confirm that from experience.

    'FTP Hack' is just what I named the rule that makes sure traffic reaches the ftp proxy running on loopback.
    (TCP  LAN-net  * 127.0.0.1/31 * *)



  • Again, thx for the time in explaining your configs and your ideas; however, in my configuration it seems this will not work.  I see how you got it to work with port forwards, but I truly use 1:1 instead of port forwards (which are for a single server/port solution).  I'm really back to my original post… I will have to further test additional ideas over the weekend.  My config is dramatically different in that I have ports 80/443/25/3389/20/21 for almost all my servers, hence I use 1:1 Proxy ARPs.  For those that do not know - 1:1 = I have 10 usable public IPs and I have them mapped to 10 internal servers - all different servers but same services (http, https, smtp, etc); hence port forward is not suitable as it cannot handle more than one server/port.



  • Guys,

    I am in EXACTLY the same boat, but with a different config…  My issue is even simpler (I believe) as I'm not trying to host FTP, simply USE ftp from LAN...  I am Dual WAN, HA / CARP VIPs... 80 / 443 / 3389 perform perfectly and failover perfectly, even with 5,000 active sessions. The outbound NAT works great to keep my source IP the same regardless of which box is MASTER... I simply can't FTP out - I get a login and then the session dies.....

    I tried to strip down my VIPs, NAT FORWARD and NAT OUTBOUND and RULES, push FTP helper off and on (on LAN) and rebuild the entire thing under the assumption that it is somehow an "ordering" issue since FTP HELPER was disabled on LAN by default... All that did was completely hose up my boxes to the point where they would not function in or out for any port... I had to restore from backup configs and am back on-line, but still no FTP...

    Why in the world is this so hard???  Very frustrating. Why is the order so important when building...

    Can you please confirm that the loopback rule (TCP  LAN-net  * 127.0.0.1/31 * *) suggested above is for the LAN interface?



  • Is it possible that doing an upgrade from 1.0.1 rather than a clean install of 1.2 RC3 is causing my FTP hell?



  • That's why I asked about the pftpx process in ps.

    I followed that pointer, thanks. I ran the command in the shell and got some feedback that I couldn't interpret. But there was one line and you said to expect one per Helper-Enabled Interface, so that seemed right to me.



  • See also:

    http://forum.pfsense.org/index.php/topic,6107.0.html

    Which I'm having a hard time understanding…



  • FTP (outbound) works fine here.  Granted we only have one WAN, one LAN (VLAN), and one OPT (VLAN).  The FTP helper etc. is DISABLED on all interfaces.  No special port forwards/firewall rules on 21 or anything like that.  We just had to tinker with the ftp proxy option on different interfaces but we got there.  Lucky for us we were one of the 99% user error category.



  • Thanks mhab12.

    Could you provide some detail on the "tinker with the FTP proxy options" for me?



  • Tinker with the FTP proxy options  = Toggle the FTP proxy option on and off in various combinations across all your interfaces.



  • Okay… In the newest version I think it's called "FTP Helper", so I'm assuming we're talking about the same thing.

    Thanks for your help.



  • FTP Helper is an FTP proxy.  It is called "FTP Helper" in the GUI but it's basically a proxy.



  • Thanks. At this point, I've come to the conclusion there are some very serious bugs in the FTP HELPER (proxy) in PFSense 1.2 RC3. I know many people have posted that they have it working, but I've now put over 40 hours into this single issue (yes, it's crazy) and I simply can't get it to work with my config. I'm thinking it has to do with being Multi-WAN and CARP…

    I am, sadly, going to back-out my PFSense HA implementation and go back to SmoothWall until I can get FTP working on the bench. I had neglected to test FTP before putting this into production (my bad), and had also assumed this would not be a big deal. From the volume of posts around, it certainly IS a big deal. My personal belief is that it will hold this software back until addressed. I know what the sentiment is for FTP, and I don't disagree on technical grounds, but it's simply used too much by big corporate players today to be overlooked...

    When I get back on SmoothWall, I will start removing pieces of my PFSense config to see if I can isolate exactly where FTP dies on the bench. I'm going to try a single-WAN / CARP config next... See if that works. If it doesn't I will try single-WAN single PFSense, see if that works.  Sure hope the larger community decides FTP needs attention before RC3 becomes a real release....

    All the input and time responding to my questions is deeply appreciated.

