Problems with FTP clients in passive mode behind pfsense after upgrade to 2.2.1

rigius

Hi,

Our setup is composed of a LAN network connected to the Internet through two WANs doing load balancing.

The firewall is configured to do fail-over for outgoing connections to port 21 instead of load balancing.

FTP clients inside the LAN have worked without problem in passive mode from v1.2.3 to v2.1.5. The FTP proxy was enabled.

This week we have upgraded from 2.1.5 to 2.2.1 and problems have started.

The internal FTP clients (lftp, fireftp, perl net::ftp, etc.) establish the control connection to the external FTP servers normally, but when a data connection is established,  pfsense establishes it indistinctly through WAN1 or WAN2 (something that apparently didn't happen with prior versions).

We have worked around the problem for our two or three most frequently used FTP servers adding a rule to the firewall to send all outgoing connections through the same fail-over interface as those sent to the external port 21 For the other FTP servers, the clients have to do timeouts/retries and after some attempts, they usually end getting both control and data connections on the same interface. Here is a screen capture of the states with an ongoing file transfer:

https://drive.google.com/file/d/0Byyi5q9AR1iAbi1QY3NxeXdKQlk/view?usp=sharing

Does anybody have an idea for not having to add every single external FTP server IP to the LAN firewall rules to keep all the connections for the same passive FTP session on the same interface?

We have tried sticky connections, but they haven't solved the problem.

Regards,

rba

I can confirm the problem using 2.2.2.

2x WAN load balancing. Sticky did not solve the problem.

Is there a way to configure a certain LAN IP to always use the same WAN interface in a load balancing dual wan setup?

Cheers,
Roman

doktornotor

Create a rule setting the GW for the traffic?

rba

Would it solve the problem if I create a role on the LAN interface to send all traffic with TCP/21 to the first WAN interface?

Will pfsense do the magic to map the ftp data port to the same interface then automatically?

doktornotor

Maybe. Test and let us know.

luckman212

have you tried jimp's new FTP Client Proxy package for 2.2.x ? worked wonders for me.

rba

I first recognised the ftp client problem at an event installation.
As soon as I have a configuration with two WAN connections again I will try the FTP Client Proxy package.

luckman212: Thanks for the hint.

Musli18

@rba:

I first recognised the ftp client problem at an event installation.
As soon as I have a configuration with two WAN connections again I will try the FTP Client Proxy package.

luckman212: Thanks for the hint.

and ?