Loadbalancing and Outgoing NAT

  • Hi to all!
    (hope this is the correct sub-forum for this question)

    I have a problem with my pfsense:

    i configured my pfsense with a second wan-interface and activated load-balancing. all is working fine, except FTP connections.

    Version: 1.2-RC2

    my cfgs:
    WAN: 81.223.XXX.254/28 GW 81.223.XXX.241 - disable ftp-proxy - block private networks
    DMZ (OPT1):
    DMZ2 (OPT2):
    WAN2 (OPT4): 81.223.XXX.222/28 GW 81.223.XXX.209 - disable ftp-proxy

    WAN - (my lan-range) - *
    WAN2 - - *
    WAN - - *
    WAN2 - - *
    WAN - - * (the DMZ should only use the WAN interface)

    LAN: * GW Loadbalancer
    WAN: only auto-generated rules from nat (port 25, 80, …)
    DMZ: * DMZ net * !LAN net * GW *
    DMZ2: * DMZ2 net * GW Loadbalancer

    if i use the default-gateway in lan or dmz2, ftp work's fine. but if i use the loadbalancer as gateway, i don't get any connection. (netstat shows only syn_sent, seems that the route back doesnt work)
    FTP from DMZ net works find (on this interface the gatway is the default one)
    i tried at outbound nat for WAN/WAN2 settings without source-net (*). then i got an ftp-connection, but the udp-connection seems to fail, i get no directory listing (only via pasv mode).

    another curious thing: if i set the gateway from default to "81.223.XXX.241" (my default gateway), i doesnt work either... only the default-gatway works for ftp... why???

    anyone an idea that could help me?


  • 2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to / ports 8000-8030. IE: allow LAN subnet to 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.


  • oh my god… that did it!!!

    this simple thing took me several hours, very much coffee and much more cigarettes... ;)

    thank you very much!!!!!!

    regards, sebastianus

Log in to reply