    Problems with FTP clients in passive mode behind pfsense after upgrade to 2.2.1

    Routing and Multi WAN
    • R
      rigius last edited by

      Hi,

      Our setup is composed of a LAN network connected to the Internet through two WANs doing load balancing.

      The firewall is configured to do fail-over for outgoing connections to port 21 instead of load balancing.

      FTP clients inside the LAN have worked without problem in passive mode from v1.2.3 to v2.1.5. The FTP proxy was enabled.

      This week we have upgraded from 2.1.5 to 2.2.1 and problems have started.

      The internal FTP clients (lftp, fireftp, perl net::ftp, etc.) establish the control connection to the external FTP servers normally, but when a data connection is established, pfsense establishes it indistinctly through WAN1 or WAN2 (something that apparently didn't happen with prior versions).

      We have worked around the problem for our two or three most frequently used FTP servers by adding a rule to the firewall to send all outgoing connections through the same fail-over interface as those sent to the external port 21. For the other FTP servers, the clients have to do timeouts/retries and after some attempts, they usually end up getting both control and data connections on the same interface. Here is a screen capture of the states with an ongoing file transfer:

      https://drive.google.com/file/d/0Byyi5q9AR1iAbi1QY3NxeXdKQlk/view?usp=sharing

      Does anybody have an idea for not having to add every single external FTP server IP to the LAN firewall rules to keep all the connections for the same passive FTP session on the same interface?

      We have tried sticky connections, but they haven't solved the problem.

      Regards,

      • R
        rba last edited by

        I can confirm the problem using 2.2.2.

        2x WAN load balancing. Sticky did not solve the problem.

        Is there a way to configure a certain LAN IP to always use the same WAN interface in a load balancing dual wan setup?

        Cheers,
        Roman

        • D
          doktornotor Banned last edited by

          Create a rule setting the GW for the traffic?

          • R
            rba last edited by

            Would it solve the problem if I create a rule on the LAN interface to send all traffic with TCP/21 to the first WAN interface?

            Will pfsense do the magic to map the ftp data port to the same interface then automatically?

            • D
              doktornotor Banned last edited by

              Maybe. Test and let us know.

              • luckman212
                luckman212 LAYER 8 last edited by

                Have you tried jimp's new FTP Client Proxy package for 2.2.x? Worked wonders for me.

                • R
                  rba last edited by

                  I first recognised the ftp client problem at an event installation.
                  As soon as I have a configuration with two WAN connections again I will try the FTP Client Proxy package.

                  luckman212: Thanks for the hint.

                  • M
                    Musli18 last edited by

                    @rba:

                    I first recognised the ftp client problem at an event installation.
                    As soon as I have a configuration with two WAN connections again I will try the FTP Client Proxy package.

                    luckman212: Thanks for the hint.

                    And?
