MultiWan Failover breaks FTP clients



  • I just finished setting up a dual-WAN pfSense box. No load balancing, just failover.

    I have a DSL line running PPPoE on the Wan, and on my opt2, I have a Cable modem connecting via DHCP.

    I created the failover rules.  One DSL > Cable, the other Cable > DSL.

    I have 2 more network interfaces.  One is the LAN with all the computers.  The other interface is for the IP phones.  The VoIP subnet has all traffic directed to the DSL > Cable failover, and the computer LAN subnet has all traffic directed over the Cable > DSL failover.

    Load Balancer:

    Lan Rules:

    VoIP Rules:

    Everything works fine, failover fails over correctly.  All VoIP traffic is routed over the DSL line, all LAN traffic is routed over the Cable line.

    Only problem is FTP clients.  They cannot connect when routed over the secondary WAN.  They work fine if I force them over the primary WAN.  I guess if push comes to shove, I can route all port 21 traffic over the primary WAN…but would rather keep it pure voip on the WAN.

    Any Ideas?

    Thanks!

    -M@



  • What is the status of FTP Helper on each of your interfaces?



  • @http://devwiki.pfsense.org/FTPTroubleShooting:

    Outgoing FTP (LAN -> Internet)
    1. Ensure that the FTP helper is not disabled on Interfaces, LAN
    2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.



  • The box was unchecked on my WAN, but checked on my OPT2. I have since unchecked the OPT2, and called the company and asked them to give FTP a shot again. Haven't heard back yet (this was about 5 hours ago) so I assume it's working? LoL… next time I'm there, I'll test it myself. Thanks for the tipz  :)

    -M@



  • Update

    Everything working AOK, thanks again!  :)

    -M@



  • Another update, FTP still works fine, but there's this little Java app someone is using to upload photos to an online photo printing company, http://ephotopros.com/ … which doesn't work. It's FTP based, I've sniffed the traffic, it's TCP port 21... and I don't see anything in the firewall logs to suggest anything obvious, but how can regular FTP work, and this little program not?



  • Try the rule that Perry referred to. It's generally needed to make FTP work smoothly under Dual-WAN. I usually just allow TCP any from LAN to loopback with the default gateway as the top LAN rule.



  • @Perry:

    @http://devwiki.pfsense.org/FTPTroubleShooting:

    Outgoing FTP (LAN -> Internet)
    1. Ensure that the FTP helper is not disabled on Interfaces, LAN
    2. If you have a restrictive ruleset or are utilizing policy based routing for multiple-wans then ensure that you have permitted traffic to 127.0.0.1 / ports 8000-8030. IE: allow LAN subnet to 127.0.0.1 8000-8030. This rule should be on top of all other LAN rules that utilize policy based routing.

    Can someone explain to me why this works and the rationale behind the rule?  I was having the same problem.  And this rule sorted it out.

    Cheers,



  • Because when you direct traffic to a failover pool, it bypasses the normal routing table. Thus the traffic destined for the FTP helper will get shot out to the balancer pool and won't reach loopback.
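
The rule-ordering effect described in the last reply, modelled as first-match evaluation of the LAN rule list. This is an added example, not code from the thread or from pfSense; the pool name `CableToDSL`, the function and rule names, and the sample packets (including helper port 8021, chosen from the quoted 8000-8030 range) are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    name: str
    dst: str                  # destination network (CIDR)
    ports: Optional[range]    # None matches any port
    gateway: Optional[str]    # None = default gateway (normal routing table)

def next_hop(rules, dst_ip, dst_port):
    """Model first-match evaluation of the LAN rule list, top to bottom."""
    ip = ipaddress.ip_address(dst_ip)
    for rule in rules:
        in_net = ip in ipaddress.ip_network(rule.dst)
        in_ports = rule.ports is None or dst_port in rule.ports
        if in_net and in_ports:
            if rule.gateway is not None:
                return rule.gateway      # policy routing: routing table bypassed
            return "loopback" if ip.is_loopback else "routing table"
    return "blocked"

# Hypothetical pool name; the helper range 8000-8030 is the one quoted from the wiki.
FAILOVER = Rule("LAN to any via failover pool", "0.0.0.0/0", None, "CableToDSL")
HELPER = Rule("LAN to FTP helper", "127.0.0.1/32", range(8000, 8031), None)

# Constructed packet: an FTP control connection after it has been handed
# to the helper on loopback (port 8021 is an assumed value in the range).
HELPER_PKT = ("127.0.0.1", 8021)

def demo():
    return {
        "pool rule only": next_hop([FAILOVER], *HELPER_PKT),
        "helper rule below pool rule": next_hop([FAILOVER, HELPER], *HELPER_PKT),
        "helper rule on top": next_hop([HELPER, FAILOVER], *HELPER_PKT),
        "ordinary web traffic": next_hop([HELPER, FAILOVER], "203.0.113.10", 443),
    }

if __name__ == "__main__":
    for case, hop in demo().items():
        print(f"{case:30} -> {hop}")
```

Only the ordering with the loopback rule on top delivers the helper-bound connection to loopback; everything else still follows the failover pool.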

